Permission rule Bash(cd:*) allows arbitrary command execution via && chaining

Resolved 💬 3 comments Opened Feb 26, 2026 by siladu Closed Mar 1, 2026

Description

Despite the docs https://code.claude.com/docs/en/permissions
saying

Claude Code is aware of shell operators (like &&) so a prefix match rule like Bash(safe-cmd *) won’t give it permission to run the command safe-cmd && other-cmd.

I still had this happen.

A Bash(cd:*) permission rule in settings allows arbitrary command execution when the AI chains commands with &&. The cd:* pattern matches the entire compound command, bypassing permission checks for subsequent commands.

Steps to Reproduce

  1. Add the following to .claude/settings.local.json:
{
  "permissions": {
    "allow": [
      "Bash(cd:*)"
    ]
  }
}
  1. Ask Claude to run a Python script (or any command) in a different directory. Claude will construct:
cd /some/path && python3 script.py
  1. The entire compound command is allowed without prompting, because it matches Bash(cd:*).

Expected Behavior

The cd:* permission rule should only match standalone cd commands. Compound commands chained with &&, ||, or ; should be evaluated against permissions for each individual command in the chain.

Actual Behavior

The entire compound command cd /path && python3 script.py matches Bash(cd:*) and executes without prompting the user.

Security Impact

Any Bash(prefix:*) allow rule can be used as a backdoor to execute arbitrary commands by chaining them after the allowed prefix with &&. This effectively turns Bash(cd:*) into Bash(*).

Environment

  • Claude Code CLI 2.1.51
  • macOS / Darwin 25.3.0

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗