
Security Permissions Bypass in Bash File Access Restrictions

Open unwnu opened this issue 4 months ago • 4 comments

Bug Description

Bug Report: Claude Code Security Permissions Bypass

Summary: Security permissions configured in .claude/settings.json can be bypassed when using indirect file access through Bash commands, allowing access to restricted files that should be denied.

Steps to Reproduce:

  1. Configure .claude/settings.json with deny permissions:

       {
         "permissions": {
           "deny": [
             "Read(appsettings)",
             "Edit(appsettings)",
             "Write(appsettings)",
             "Bash(appsettings)"
           ]
         }
       }

  2. Attempt direct file access using the Read tool - correctly denied
  3. Use indirect Bash commands that access the same restricted files:

       - find /path -name "*.json" -exec grep -l "pattern" {} \;
       - grep -A5 -B2 "pattern" /path/to/appsettings.json

Expected Behavior: All Bash commands accessing files matching the appsettings pattern should be blocked according to the "Bash(appsettings)" rule.

Actual Behavior: Bash commands successfully execute and return content from restricted files, bypassing the security permissions.

Security Impact: This allows Claude to access sensitive configuration files (like database connections, API keys, etc.) that users explicitly intended to restrict, potentially exposing confidential information.

Environment:

  • Claude Code CLI
  • Model: claude-opus-4-1-20250805
  • Platform: macOS (Darwin 24.6.0)

Environment Info

  • Platform: darwin
  • Terminal: tmux
  • Version: 1.0.83
  • Feedback ID: 2ba205a2-08b0-49b8-8b5b-29c6ab956cd5

unwnu avatar Aug 18 '25 12:08 unwnu
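The two commands in the report show why a name-based deny rule cannot be the only control: the grep command names appsettings.json, but the find command reaches the same file without ever naming it. As an added example (not code from the issue, nor from Claude Code itself), here is a Python check that a pre-execution hook could run over a Bash command string: it splits the command into words, denies any that name a file matching the deny pattern, and flags tree-walking commands (find, xargs, rg, recursive grep) for review because they can reach the file indirectly. The deny pattern, the function names and the hook wiring are assumptions.

```python
import shlex
from fnmatch import fnmatch

# Constructed deny list mirroring the "appsettings" rules in the report's settings.json.
DENY_FILE_PATTERNS = ["*appsettings*"]

def tokens_of(command: str) -> list[str]:
    """Split a shell command into words, also splitting on |, ;, && and similar."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)

def names_denied_file(words: list[str], deny: list[str]) -> bool:
    """True if any word's basename matches a denied pattern (a direct reference)."""
    for w in words:
        base = w.rstrip("/").rsplit("/", 1)[-1]
        if base and any(fnmatch(base, pat) for pat in deny):
            return True
    return False

def walks_tree(words: list[str]) -> bool:
    """True if the command can reach files it never names: find/xargs, ripgrep, or grep
    with a recursive flag. Conservative on purpose: flags are scanned to end of line."""
    for i, w in enumerate(words):
        if w in ("find", "xargs", "rg"):
            return True
        if w == "grep":
            for flag in words[i + 1:]:
                if flag in ("--recursive", "--dereference-recursive"):
                    return True
                if flag.startswith("-") and not flag.startswith("--") and set("rR") & set(flag[1:]):
                    return True
    return False

def command_risk(command: str, deny: list[str] = DENY_FILE_PATTERNS) -> str:
    """'deny' when a denied file is named, 'review' when the command walks a tree and
    could reach it without naming it, otherwise 'allow' (hypothetical hook verdicts)."""
    words = tokens_of(command)
    if names_denied_file(words, deny):
        return "deny"
    if walks_tree(words):
        return "review"
    return "allow"

if __name__ == "__main__":
    # The two commands from the report plus a harmless one (constructed sample input).
    for cmd in ('grep -A5 -B2 "pattern" /path/to/appsettings.json',
                'find /path -name "*.json" -exec grep -l "pattern" {} \\;', "cat README.md"):
        print(f"{command_risk(cmd):6}  {cmd}")
```

Note that a "review" verdict is the honest answer for tree-walking commands: whether they touch the denied file depends on the directory contents, not on the command text.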

Found 3 possible duplicate issues:

  1. https://github.com/anthropics/claude-code/issues/4956
  2. https://github.com/anthropics/claude-code/issues/3501
  3. https://github.com/anthropics/claude-code/issues/4768

This issue will be automatically closed as a duplicate in 3 days.

  • If your issue is a duplicate, please close it and 👍 the existing issue instead
  • To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

github-actions[bot] avatar Aug 18 '25 12:08 github-actions[bot]

#4956 is not a duplicate because the find and grep examples given don't require command chaining. #3501 and #4768 are not duplicates because they're about deny not working as documented.

aspiers avatar Aug 18 '25 16:08 aspiers

This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.

github-actions[bot] avatar Dec 05 '25 10:12 github-actions[bot]

No reason to believe this is not still occurring.

aspiers avatar Dec 10 '25 22:12 aspiers