Chained bash commands may bypass individual command permission checks

Resolved 💬 3 comments Opened Dec 30, 2025 by clthorpe Closed Dec 30, 2025

Description

When using chained bash commands with &&, destructive commands that are NOT in the permissions.allow list appear to execute without user approval.

Steps to Reproduce

  1. Configure ~/.claude/settings.json with explicit permissions:
{
  "permissions": {
    "allow": [
      "Bash(ls:*)",
      "Bash(cat:*)",
      "Bash(cd:*)",
      "Bash(ln:*)"
    ]
  }
}
  1. Note that rm is NOT in the allow list
  1. Ask Claude to run a chained command like:
rm -rf /some/path && ln -s /other/path /some/path && ls -la /some/path
  1. Expected: Claude should prompt for approval since rm is not in the allow list
  2. Actual: The entire command chain executes without approval

Environment

  • Claude Code CLI version: v2.0.74
  • OS: Linux (Ubuntu)
  • Shell: bash

Analysis

The permission check appears to either:

  • Only evaluate the last command in a chain (ls which is allowed)
  • Evaluate the chain as a whole rather than individual commands
  • Have some other bypass mechanism for && chained commands

Security Impact

This allows destructive commands (rm -rf, chmod, etc.) to bypass permission checks if chained with an allowed command. Users who have configured explicit allow lists for safety may have a false sense of security.

Suggested Fix

Permission validation should parse chained commands (&&, ||, ;) and check each individual command against the allow/deny list before execution.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗