[BUG] Permissions Bypass

Resolved 💬 2 comments Opened Jun 16, 2025 by KaiZenSpace Closed Jun 23, 2025

Bug Report: Permissions Bypass in Claude Code

Summary

Claude Code fails to respect file access permissions defined in .claude/settings.local.json, allowing access to files explicitly listed in the deny array.

Steps to Reproduce

  1. Create a .claude/settings.local.json file with the following content:
{
  "permissions": {
    "allow": [],
    "deny": ["./.env"]
  }
}
  1. Create a .env file in the project root
  2. Use Claude Code's Read tool to access the .env file
  3. Claude Code successfully reads the file despite it being in the deny list
  4. The /permissions command correctly shows the permission settings
  5. Testing with absolute path also fails to block access

Expected Behavior

Claude Code should refuse access to ./.env and return an error message indicating that the file is denied by permissions.

Actual Behavior

Claude Code successfully reads the contents of ./.env file, bypassing the permission restriction.

Environment

  • Platform: Linux 6.8.0-60-generic
  • Working directory: /home/user/Documents/Programmieren/webeditor
  • Git repo: Yes
  • Date: 2025-06-16

Configuration

.claude/settings.local.json:

{
  "permissions": {
    "allow": [],
    "deny": ["./.env"]
  }
}

Additional Issues & Improvements

  1. Both relative and absolute paths fail: Tested with both ./env and absolute path - neither blocks access
  2. Permissions visible but not enforced: The /permissions command shows the correct settings, but they're not enforced
  3. Settings file accessibility: Claude Code can access ./.claude/settings.local.json itself, which could be restricted for better UX
  4. User experience: Users expect denied files to be completely inaccessible when explicitly configured

Security Impact

This is a security issue as it allows access to potentially sensitive files (like .env files containing secrets) that users have explicitly denied access to.

Possible Causes

  1. Permission checking not implemented for Read tool
  2. Bug in permission enforcement logic
  3. Path matching issues in deny list processing

I ALSO TRIED TO RESTART CLAUDE CODE

Thank you for understanding.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗