Permission deny rules can be bypassed via Bash recursive grep and Glob filename listing

Resolved 💬 2 comments Opened Feb 23, 2026 by tetragonpublishing Closed Mar 24, 2026

When a directory is added to the deny list in permission settings, two tools can still leak information from it:

1. Bash recursive grep leaks file contents

Running grep -r from a parent directory bypasses the deny rule and returns full matching lines from files inside the denied directory.

  • Direct path (grep -r "pattern" /denied/path/) is correctly blocked
  • Recursive from parent (grep -r "pattern" /parent/path/) leaks content

2. Glob leaks filenames

Glob patterns like denied/dir/**/* return the full list of filenames inside a denied directory, even though Read and Grep are blocked.

Expected behavior

Both tools should respect the same deny rules as Read and Grep:

  • Bash commands that would access denied paths (even recursively) should be blocked or have their output filtered
  • Glob should not list files in denied directories

Steps to reproduce

  1. Add a directory to the deny list in permission settings (e.g. docs/private/)
  2. Place a file with known content in that directory
  3. Run Glob with pattern docs/private/**/* → filenames are returned
  4. Run via Bash: grep -r "known_string" /project/root/ → file content is returned
  5. For comparison, Read and Grep tool on the same path → correctly blocked

Environment

  • Claude Code VSCode extension
  • macOS (Darwin 23.6.0, arm64)

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗