Security Bug: Chained commands bypass permission check
Summary
When using && to chain multiple bash commands, if any command in the chain is in the allowed list (e.g., git), commands that should require approval (e.g., rm) are executed without user confirmation.
Environment
- Claude Code version: Latest (as of 2025-12-28)
- OS: Ubuntu Linux
Steps to Reproduce
- Configure .claude/settings.json with allowed commands that do NOT include rm:

    {
      "permissions": {
        "allow": [
          "Bash(git:*)",
          "Bash(docker:*)"
        ],
        "deny": []
      }
    }

- Ask Claude to execute a chained command where rm comes first:

    rm /path/to/file && git add -A && git commit -m "message" && git push

- Observe that no approval popup appears and the rm command executes successfully.
Expected Behavior
Claude Code should detect that rm is not in the allowed list and prompt the user for approval before executing the command.
Actual Behavior
The entire chained command executes without any approval prompt, even though rm is not in the allowed list.
Security Impact
High - This bypass allows potentially destructive commands (rm, rm -rf, etc.) to execute without user consent, as long as they are chained with an allowed command.
An attacker or misconfigured prompt could exploit this to:
- Delete files without user knowledge
- Execute arbitrary commands by chaining with allowed ones
Suggested Fix
When parsing chained commands (&&, ;, ||), each individual command should be checked against the permission list separately, and a match on one command must not cover the others. If ANY command in the chain requires approval, the entire chain should require approval.
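As an added illustration of the suggested fix (not Claude Code's own code, whose real permission matcher is not visible in this report), the following splits a command line into its chained sub-commands while honouring quotes, then contrasts a check that passes the chain if any sub-command is allowed (the reported behaviour, modelled here as an assumption) with one that requires every sub-command to match an allow rule. The allow list uses the settings.json syntax above; treating "Bash(git:*)" as "first word equals git" is an assumption.

```python
import re
import shlex

# Constructed allow list in the .claude/settings.json style from the report.
ALLOW = ["Bash(git:*)", "Bash(docker:*)"]

# Tokens that end one command and start another when the line is run by a shell.
CHAIN_OPERATORS = {"&&", "||", ";", "|", "&"}


def split_chain(cmd):
    """Split a shell line into the commands the shell would run one by one.
    shlex keeps quoted text as one token, so the operator inside
    git commit -m "a && b" does not start a new command."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments, current = [], []
    for tok in lexer:
        if tok in CHAIN_OPERATORS:
            if current:
                segments.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


def rule_allows(rule, argv):
    """Assumed semantics: 'Bash(git:*)' allows any command whose first word is git."""
    m = re.fullmatch(r"Bash\((\w+):\*\)", rule)
    return bool(m) and argv[0] == m.group(1)


def unapproved(cmd, allow=ALLOW):
    """Sub-commands that no allow rule covers; empty means the chain needs no prompt."""
    return [" ".join(seg) for seg in split_chain(cmd)
            if not any(rule_allows(r, seg) for r in allow)]


def chain_allowed_flawed(cmd, allow=ALLOW):
    """Constructed model of the reported bug: the chain passes when ANY
    sub-command matches an allow rule, so 'rm x && git push' slips through."""
    return any(rule_allows(r, seg) for seg in split_chain(cmd) for r in allow)


def chain_allowed(cmd, allow=ALLOW):
    """Suggested fix: the chain passes only when EVERY sub-command is allowed."""
    return not unapproved(cmd, allow)
```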
Additional Notes
The command that triggered this discovery:
rm /home/user/project/Dockerfile && git add -A && git commit -m "message" && git push origin branch
This was executed without any approval popup despite rm not being in the allowed list.