Chained bash commands may bypass individual command permission checks
Resolved 💬 3 comments Opened Dec 30, 2025 by clthorpe Closed Dec 30, 2025
Description
When using chained bash commands with &&, destructive commands that are NOT in the permissions.allow list appear to execute without user approval.
Steps to Reproduce
- Configure
~/.claude/settings.jsonwith explicit permissions:
{
"permissions": {
"allow": [
"Bash(ls:*)",
"Bash(cat:*)",
"Bash(cd:*)",
"Bash(ln:*)"
]
}
}
- Note that
rmis NOT in the allow list
- Ask Claude to run a chained command like:
rm -rf /some/path && ln -s /other/path /some/path && ls -la /some/path
- Expected: Claude should prompt for approval since
rmis not in the allow list - Actual: The entire command chain executes without approval
Environment
- Claude Code CLI version: v2.0.74
- OS: Linux (Ubuntu)
- Shell: bash
Analysis
The permission check appears to either:
- Only evaluate the last command in a chain (
lswhich is allowed) - Evaluate the chain as a whole rather than individual commands
- Have some other bypass mechanism for
&&chained commands
Security Impact
This allows destructive commands (rm -rf, chmod, etc.) to bypass permission checks if chained with an allowed command. Users who have configured explicit allow lists for safety may have a false sense of security.
Suggested Fix
Permission validation should parse chained commands (&&, ||, ;) and check each individual command against the allow/deny list before execution.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗