Security: Deny rules can be bypassed by flag reordering/insertion
Open 💬 4 comments Opened Jan 16, 2026 by dpebtn
Summary
The permission system's prefix matching for Bash commands can be trivially bypassed by reordering flags or inserting additional flags.
Example
If a user configures:
{
"permissions": {
"deny": ["Bash(rm -rf /:*)"]
}
}
The following commands bypass the deny rule:
rm -fr /(reordered flags)rm -rfi /(additional flag inserted)rm -rfv /(verbose flag added)rm --recursive --force /(long form)
Impact
Users who configure deny rules for dangerous commands may have a false sense of security. The prefix matching is too literal to catch common command variations.
Suggested Fix
Consider one of:
- Semantic parsing - Understand that
-rfand-frare equivalent flag combinations - Regex support - Allow deny rules to use regex patterns like
Bash(rm.*-r.*/:*) - Documentation - Clearly document this limitation and recommend adding multiple variants
Workaround
Users must manually add all common flag permutations:
{
"deny": [
"Bash(rm -rf /:*)",
"Bash(rm -fr /:*)",
"Bash(rm -r /:*)",
"Bash(rm --recursive /:*)"
]
}
This is error-prone and doesn't cover all possible combinations.
Environment
- Claude Code CLI
- macOS / Darwin 23.6.0
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗