Permission deny rules can be bypassed via Bash recursive grep and Glob filename listing
Resolved 💬 2 comments Opened Feb 23, 2026 by tetragonpublishing Closed Mar 24, 2026
When a directory is added to the deny list in permission settings, two tools can still leak information from it:
1. Bash recursive grep leaks file contents
Running grep -r from a parent directory bypasses the deny rule and returns full matching lines from files inside the denied directory.
- Direct path (
grep -r "pattern" /denied/path/) is correctly blocked - Recursive from parent (
grep -r "pattern" /parent/path/) leaks content
2. Glob leaks filenames
Glob patterns like denied/dir/**/* return the full list of filenames inside a denied directory, even though Read and Grep are blocked.
Expected behavior
Both tools should respect the same deny rules as Read and Grep:
- Bash commands that would access denied paths (even recursively) should be blocked or have their output filtered
- Glob should not list files in denied directories
Steps to reproduce
- Add a directory to the deny list in permission settings (e.g.
docs/private/) - Place a file with known content in that directory
- Run
Globwith patterndocs/private/**/*→ filenames are returned - Run via
Bash:grep -r "known_string" /project/root/→ file content is returned - For comparison,
ReadandGreptool on the same path → correctly blocked
Environment
- Claude Code VSCode extension
- macOS (Darwin 23.6.0, arm64)
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗