opencode icon indicating copy to clipboard operation
opencode copied to clipboard
Published 13 hours ago verified publisher icon anomalyco

[Security Bug] Subagent permissions not enforced - configured restrictions ignored

Open randomm opened this issue 6 days ago • 4 comments

Description

Subagents spawned via the task tool completely ignore agent permission configurations in > v1.0.200. Regardless of what restrictions are defined in opencode.json, subagents have unrestricted access to all tools.

Example

Agent configured with restricted bash access:

"permission": {
  "bash": {
    "git*": "allow",
    "*": "deny"
  }
}

Expected: Subagent can only run git commands Actual: Subagent can run ANY bash command - restrictions ignored entirely

Root Cause

  1. SessionPrompt.prompt() tools parameter replaces session permissions instead of merging
  2. ToolRegistry.tools() doesn't filter tools by agent permission rules
  3. Subagents inherit no permission restrictions from parent agent config

Impact

Security - All agent permission configurations are effectively useless. Any subagent has full unrestricted access.

Fix

PR #7473 addresses this by:

  • Removing tools parameter override in task.ts
  • Adding permission filtering to ToolRegistry
  • Ensuring proper permission merge order

Related

Related to #6527, #5894, #3808

randomm avatar Jan 09 '26 12:01 randomm