Description
For new checks and feature suggestions
- https://www.shellcheck.net/ (i.e. the latest commit) currently gives no useful warnings about this
- I searched through https://github.com/koalaman/shellcheck/issues and didn't find anything related. #2435 (new checks: short (`-d ""`) and long (`--date=""`) option formatting) looks related, but not exactly what I was after.
I have adopted the opinion that long flags (e.g. `--verbose`) are better than short flags (e.g. `-v`) in scripts since they are more readable. Short flags are better used in interactive mode, where you know what they mean, the shell or command knows what they mean, and nobody else is involved. In scripts used and read by more than one person the risk is higher that someone doesn't know all the short flags used, so using the longer versions, which are usually more descriptive words, makes the code more readable.

While I don't think it's feasible to enforce this for all commands, given that argument parsing is not perfectly consistent everywhere and some commands don't even have long versions of some or all flags, a shorter list of commands and arguments could be warned about and recommended to be expanded to their long forms. Especially commands and arguments that have a security or destructive impact.
My example here is `curl -k`, which is short for `curl --insecure`, i.e. disabling certificate validation. Overlooking the `-k` in code review is much easier than `--insecure` and could lead to introducing vulnerabilities.
Here's a snippet or screenshot that shows a potential problem:

```sh
#!/bin/sh
curl -k https://www.example.com/
```

Here's what shellcheck currently says:

```
No issues detected!
```

Here's what I wanted to see:

```
curl -k https://www.example.com/
     ^-- SXXXX (warning): Expand this flag to --insecure (and then reconsider whether you need it)
```
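To show what the proposed check would have to do, here is an added prototype of it in Python (not shellcheck's code, which is Haskell, and not from the issue author). It tokenizes each line with `shlex`, tracks which command an argument belongs to across `|`, `&&` and `;`, unbundles combined short options such as `-sk`, and stops at a bare `--`. The `RISKY_SHORT_FLAGS` table and its single `curl -k` entry are assumptions about how such a check could be configured; the `curl -k` / `--insecure` pair itself comes from the issue. The sample script at the bottom is constructed.

```python
import shlex

# Constructed table of short flags with security impact and their long forms.
# Only the curl -k / --insecure pair is taken from the issue; the table shape
# is an assumption about how a configurable check could look.
RISKY_SHORT_FLAGS = {
    "curl": {"k": "--insecure"},
}
COMMAND_SEPARATORS = {"|", "||", "&&", ";", "&", "(", ")"}

def tokenize(line):
    """Split one shell line into words and operators; '#' comments are dropped."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)

def check_line(line, lineno=1):
    """Return (lineno, token, message) findings for risky short flags on one line.

    Option arguments are not modelled: a '-k'-shaped token is always read as
    an option of the current command. Raises ValueError on unbalanced quotes."""
    findings = []
    command = None       # command the current argument belongs to
    options_open = True  # becomes False after a bare '--'
    for tok in tokenize(line):
        if tok in COMMAND_SEPARATORS:
            command, options_open = None, True
        elif command is None:
            command = tok.rsplit("/", 1)[-1]  # '/usr/bin/curl' -> 'curl'
        elif tok == "--":
            options_open = False
        elif options_open and tok.startswith("-") and not tok.startswith("--"):
            # Bundled short options such as '-sk' carry one letter per flag.
            for letter in tok[1:]:
                long_form = RISKY_SHORT_FLAGS.get(command, {}).get(letter)
                if long_form:
                    findings.append((lineno, tok, "Expand this flag to "
                        f"{long_form} (and then reconsider whether you need it)"))
    return findings

def check_script(text):
    """Run check_line over every line of a script, skipping unparsable lines."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            out.extend(check_line(line, n))
        except ValueError:
            pass  # unbalanced quotes: leave that to other checks
    return out

# Constructed sample script: lines 2 and 3 should be flagged, 1 and 4 should not.
SAMPLE = "\n".join([
    "#!/bin/sh",
    "curl -k https://www.example.com/",
    "curl -sk https://www.example.com/ | tar -xkf -",
    "curl --insecure https://www.example.com/  # long form already",
])

if __name__ == "__main__":
    for lineno, tok, msg in check_script(SAMPLE):
        print(f"line {lineno}: {tok}: {msg}")
```

`tar -xkf` on line 3 is deliberately left alone: `-k` means something else for tar, which is why the table is keyed by command rather than by flag letter.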