Globbing - sgml/signature GitHub Wiki

Risks

Intent

Globbing patterns should be auditable, predictable, and scoped to their operational intent. This section outlines how to analyze, detect, and remediate glob-related vulnerabilities using CVE/NIST guidance.

Risk Categories

  • Overmatch Risk: Globs like * or **/* may unintentionally include sensitive files (e.g., .env, secrets/, config.prod.json)
  • Privilege Escalation: Improper glob expansion in scripts may let an attacker-controlled filename be parsed as a command option rather than a file operand (e.g., a file named --flag.sh)
  • Denial of Service: Recursive globs (**) over large trees can exhaust memory or CPU
  • Unescaped Expansion: Patterns passed to shell commands without quoting may lead to command injection

CVE Examples

  • CVE-2021-33624: Bash glob() mishandling of GLOB_TILDE and GLOB_BRACE caused unexpected expansion and potential file leakage
  • CVE-2022-25845: Node.js minimatch vulnerable to ReDoS via crafted glob patterns
  • CVE-2019-10744: glob-parent package allowed directory traversal due to improper sanitization

Sources: CVE Details, NVD Glossary

NIST Guidance

  • NIST IR 8286A: Emphasizes documenting threat scenarios involving pattern-based file access
  • Vulnerability Management Process (GSA): Recommends scheduled scans and remediation timelines for glob-based misconfigurations
  • Risk-Based Remediation: Prioritize glob-related vulnerabilities based on exposure, exploitability, and asset criticality

Remediation Strategies

| Strategy | Description |
| --- | --- |
| Pattern Scoping | Replace * with explicit extensions (e.g., *.js, src/**/*.ts) |
| Quoting in Shell Scripts | Always quote glob patterns: "$pattern" to prevent unintended expansion |
| Use .dockerignore/.gitignore | Explicitly exclude sensitive files from glob-based operations |
| Limit Recursion | Avoid ** unless globstar is explicitly enabled and scoped |
| Static Analysis | Scan for unsafe glob usage in CI/CD pipelines and build scripts |
| Dependency Hygiene | Audit glob-related packages (minimatch, glob-parent) for known CVEs |
| Environment Filtering Discipline | Avoid `env |
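
As an added example (not code from the sgml/signature wiki), the following script builds a throwaway directory holding the kinds of files the Risk Categories section warns about, then contrasts an unscoped, unguarded loop with the scoped, quoted and "--"-terminated form from the table above. All file names are constructed fixtures, and wc stands in for any command the expansion feeds.

```shell
#!/usr/bin/env bash
# Added example, not code from the sgml/signature wiki: the overmatch and
# option-injection risks above, and the scoping, quoting and "--" remedies.
# Every file name here is a constructed fixture, not a real project path.
set -eu

# Throwaway tree holding the kinds of files the Risk Categories warn about.
make_fixture() {
  local dir; dir=$(mktemp -d)
  : > "$dir/app.js"
  : > "$dir/config.prod.json"   # sensitive file an unscoped "*" sweeps in
  : > "$dir/.env"               # dotfile: hidden from "*" here, not from every tool
  : > "$dir/--flag.sh"          # name that an unguarded command parses as an option
  printf '%s\n' "$dir"
}

# Count what a pattern matches under a directory. Callers pass the pattern
# quoted ('*.js'), so it expands here, in the intended scope, not in their cwd.
count_matches() {
  local dir="$1" pattern="$2" n=0 f
  for f in "$dir"/$pattern; do    # $pattern deliberately unquoted: expansion belongs here
    [ -e "$f" ] || continue       # an unmatched pattern expands to itself; skip that literal
    n=$((n + 1))
  done
  printf '%s\n' "$n"
}

# Unsafe: a relative glob lands straight in the argument list, so "--flag.sh" reaches wc as an option and the run fails (returns 1).
process_scripts_unsafe() {
  ( cd "$1" || exit 1
    for f in *.sh; do
      [ -e "$f" ] || continue
      wc -c "$f" >/dev/null 2>&1 || exit 1
    done )
}

# Hardened: "./" anchors each expansion so no operand can begin with "-", and "--" ends option parsing as a second line of defence.
process_scripts_safe() {
  ( cd "$1" || exit 1
    for f in ./*.sh; do
      [ -e "$f" ] || continue
      wc -c -- "$f" >/dev/null 2>&1 || exit 1
    done )
}

d=$(make_fixture)            # stand-alone demo; the fixture is removed afterwards
process_scripts_unsafe "$d" || echo "unsafe loop: '--flag.sh' was parsed as an option"
process_scripts_safe "$d" && echo "hardened loop: every script processed"
rm -rf -- "$d"
```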

References