SQL style injection with bash input?

Command separators are processed before expansions; therefore, there is no way that \n, ;, &, &&, or || in a variable will ever have an effect unless the variable contents are evaled.


In 2014, there was an exploit in the wild for a Bash vulnerability nicknamed Shellshock. Like most vulnerabilities in common software, a Common Vulnerabilities and Exposures (CVE) Bulletin was released, CVE-2014-6278. Shellshock is a remote exploit for Bash which allowed arbitrary code execution on the remote host via several attack vectors in common server software stacks including Apache's CGI modules as well as OpenSSH.

The vulnerability affects all versions of Bash from 1989 until 2014, when it was patched once easily created exploits were widely demonstrated.

For further reading:

OWASP Shellshock Presentation, PDF

NIST CVE-2014-6278

ServerFault Shellshock Question, 2014

I believe most versions available in Distro Repos have been patched.

Correction: Shellshock is a family of vulnerabilities... CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

And, it's good to remember that these can easily affect a LAN if there exists port forwarding for things like Apache web servers or SSH... as well as any unpatched (and probably unpatchable) Internet of Things devices.


It seems like globbing is a vulnerability:

$ echo 'echo $1' > injection.sh
$ bash injection.sh '/*'
/bin /boot /dev /etc /home /lib /lib64 /media /mnt /opt /proc /root /run /sbin /srv /sys /tmp /usr /var

This is why you always quote vars:

$ echo 'echo "$1"' > injection.sh
$ bash injection.sh '/*'
/*
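
The behaviours described in the answers above, side by side, as an added example that is not part of any original answer: a separator inside a variable stays data unless the text is passed to eval, and an unquoted expansion is split and globbed while a quoted one is not. The function names, the payload string and the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; all inputs below are constructed for the demonstration.

# Report how many arguments were received.
argc() { echo "$#"; }

# Unquoted expansion: the value undergoes word splitting and pathname expansion.
unquoted_argc() { argc $1; }

# Quoted expansion: the value is always passed on as exactly one argument.
quoted_argc() { argc "$1"; }

# Expansion only: the command line was parsed before "$1" was expanded,
# so a ';' inside the value is ordinary data.
as_data() { printf '%s\n' "$1"; }

# eval re-parses the expanded text, so ';' becomes a command separator again.
as_code() { eval "echo $1"; }

# Scratch directory with two files, so the glob result is predictable.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
touch "$demo_dir/a.txt" "$demo_dir/b.txt"

payload='hello; echo INJECTED'   # constructed value containing a separator
pattern="$demo_dir/*"            # constructed value containing a glob

echo "expanded only : $(as_data "$payload")"
echo "through eval  : $(as_code "$payload")"
echo "unquoted glob : $(unquoted_argc "$pattern") argument(s)"
echo "quoted glob   : $(quoted_argc "$pattern") argument(s)"
echo "unquoted split: $(unquoted_argc "$payload") argument(s)"
```

Only the eval path runs the second command; the unquoted calls change how many arguments the callee sees, which is the failure that quoting prevents.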
