Security: dangerouslyDisableSandbox bypasses permission prompts when tool is auto-approved
Security Issue: dangerouslyDisableSandbox bypasses permission prompts when tool is auto-approved
Summary
When dangerouslyDisableSandbox: true is used with the Bash tool, and Bash is in the user's auto-approved tools list, the sandbox bypass executes without any user confirmation. This allows file operations outside the project directory without user awareness.
Environment
- Claude Code CLI
- Bash tool in auto-approved list
Steps to Reproduce
- Configure Bash as an auto-approved tool (common setup for reduced friction)
- Create a test file outside project directory:
touch ~/test1 - Have Claude attempt to delete it with sandbox enabled:
``text``
Bash(rm ~/test1)
→ Error: Operation not permitted (sandbox blocked correctly)
- Have Claude retry with sandbox disabled:
``text``
Bash(rm ~/test1, dangerouslyDisableSandbox: true)
→ File deleted, no user prompt
Expected Behavior
dangerouslyDisableSandbox: true should trigger an independent permission confirmation, regardless of whether the tool itself is auto-approved. The sandbox bypass is a separate security decision from tool approval.
Suggested flow:
Claude wants to run: rm ~/test1
⚠️ Sandbox bypass requested - this command will run without filesystem restrictions
[Allow once] [Allow for session] [Deny]
Actual Behavior
Command executes immediately without any user confirmation because Bash is auto-approved. The dangerouslyDisableSandbox flag silently bypasses the sandbox.
Security Impact
- Medium severity: Requires Claude to intentionally set the flag, but user has no visibility
- Files outside project directory can be read/modified/deleted without user awareness
- User's trust model assumes sandbox protects against operations outside allowed paths
- Auto-approving Bash (common for workflow efficiency) inadvertently grants sandbox bypass
Suggested Fix
Decouple sandbox bypass authorization from tool authorization:
dangerouslyDisableSandbox: trueshould always require explicit user confirmation- This confirmation should be separate from the tool's auto-approval status
- Consider adding a session-level or project-level setting: "Allow sandbox bypass for this project"
Related
- Sandbox configuration documentation
- Tool auto-approval settings
This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗