[DOCS] Misleading security recommendation for URL filtering in Bash permission patterns
Documentation Type
Unclear/confusing documentation
Documentation Location
https://code.claude.com/docs/en/iam
Section/Topic
The Tool-specific permission rules section, specifically the Bash subsection regarding URL filtering limitations.
Current Documentation
"Patterns likeBash(curl http://github.com/:*)can be bypassed in many ways... For more reliable URL filtering, consider: Using the WebFetch tool withWebFetch(domain:github.com)permission"
What's Wrong or Missing?
The documentation identifies a valid security concern (that prefix matching for curl in Bash is easily bypassed) but suggests a flawed solution.
The flaw is as follows: If a user follows this advice and configures strict rules for WebFetch while still allowing the Bash tool, the model can simply ignore the WebFetch tool entirely. If the model wants to exfiltrate data or reach a disallowed domain, it can just use curl, wget, or python -c via the Bash tool.
Suggesting WebFetch as a "more reliable" workaround creates a false sense of security because it doesn't address the fact that the Bash tool remains an open vector for the same activity. A "reliable" solution must involve restricting the Bash tool itself or using a middleware-style validation.
Suggested Improvement
The documentation should be updated to clarify that WebFetch is only a replacement if Bash is also restricted, and it should point toward Hooks as the actual architectural solution for validating Bash commands.
Suggested replacement text:
"Patterns likeBash(curl http://github.com/:*)can be bypassed in many ways (redirection, variables, different protocols, etc.). To implement reliable URL filtering: 1. Restrict the Bash tool: Usepermissions.denyto block tools likecurlorwgetentirely. 2. Use PreToolUse Hooks: Implement a hook that parses thecommandstring in thetool_inputand exits with code 2 if it detects disallowed domains or patterns. 3. Prefer WebFetch with restricted Bash: Use theWebFetchtool for authorized domains while ensuring the model cannot use theBashtool as an alternative network vector."
Impact
High - Prevents users from using a feature
Additional Context
- Related Documentation: [Hooks Guide](/en/hooks-guide) and [PreToolUse Hook Input](/en/hooks#pretooluse-input).
- Example of Logic Bypass: If a user sets
WebFetch(domain:internal.com)to "Allow" andWebFetchgenerally to "Deny", a model encountering a "Permission Denied" on aWebFetchcall tomalicious.comwill simply attempt! curl malicious.comif theBashtool is permitted. The documentation should warn users that the model is clever enough to switch tools to find the path of least resistance.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗