Security: Deny rules can be bypassed by flag reordering/insertion

Open 💬 4 comments Opened Jan 16, 2026 by dpebtn

Summary

The permission system's prefix matching for Bash commands can be trivially bypassed by reordering flags or inserting additional flags.

Example

If a user configures:

{
  "permissions": {
    "deny": ["Bash(rm -rf /:*)"]
  }
}

The following commands bypass the deny rule:

  • rm -fr / (reordered flags)
  • rm -rfi / (additional flag inserted)
  • rm -rfv / (verbose flag added)
  • rm --recursive --force / (long form)

Impact

Users who configure deny rules for dangerous commands may have a false sense of security. The prefix matching is too literal to catch common command variations.

Suggested Fix

Consider one of:

  1. Semantic parsing - Understand that -rf and -fr are equivalent flag combinations
  2. Regex support - Allow deny rules to use regex patterns like Bash(rm.*-r.*/:*)
  3. Documentation - Clearly document this limitation and recommend adding multiple variants

Workaround

Users must manually add all common flag permutations:

{
  "deny": [
    "Bash(rm -rf /:*)",
    "Bash(rm -fr /:*)",
    "Bash(rm -r /:*)",
    "Bash(rm --recursive /:*)"
  ]
}

This is error-prone and doesn't cover all possible combinations.

Environment

  • Claude Code CLI
  • macOS / Darwin 23.6.0

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗