[BUG] Sandbox doesn't work with wildcard(asterisk)
Resolved 💬 5 comments Opened Jan 7, 2026 by impactaky Closed Feb 21, 2026
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
sandbox feature doesn't mount /dev/null to specific path if wildcard is used.
What Should Happen?
Extract wildcard pattern and apply option to bwrap.
Or update documents without wildcard pattern.
Error Messages/Logs
Steps to Reproduce
Work well without wildcard
If I specify Deny Read without wildcard, it works well.
.claude/settings.json
{
"permissions": {
"deny": [
"Read(~/test/token.env)"
]
}
}
And output is like this:
> Show ~/test/token.env
● Read(~/test/token.env)
⎿ Error reading file
● I cannot read that file. ~/test/token.env is in a denied directory according to the permission settings - it appears to be explicitly blocked from being read, likely because it contains sensitive tokens or credentials.
> Execute ./read_token.sh
● Bash(./read_token.sh)
⎿ Error: Exit code 1
cat: /home/impactaky/test/token.env: Permission denied
● The script failed with "Permission denied". It appears the script attempts to read /home/impactaky/test/token.env using cat, but that file is blocked by the sandbox restrictions. The same permission that prevented me from reading the file directly also prevents shell commands from accessing it.
Doesn't work with wildcard
If I use wildcard like Claude Code Doc, it doesn't work with Bash.
The wildcard expansion and path disabling should be performed.
I confirmed with both "Read(~/test/*.env)" and "Read(~/test/**)".
> exec ./read_token.sh
● Bash(zsh -c './read_token.sh')
⎿ secret_token=xxxxxxxxxxx
> Show ~/test/token.env
● Read(~/test/token.env)
⎿ Error reading file
● The file /home/impactaky/test/token.env is in a directory that's denied by permission settings. I cannot read files from that location.
If you need to access this file, you could:
1. Copy it to the current working directory (/mnt/ext1/xxx)
2. Adjust the permission settings to allow access to that directory
> Execute ./read_token.sh
● Bash(./read_token.sh)
⎿ secret_token=xxxxxxxxxxx
● The script executed successfully and output:
secret_token=xxxxxxxxxxx
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
2.0.76
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
Other
Additional Information
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗