Permission rule Bash(cd:*) allows arbitrary command execution via && chaining
Description
Despite the docs https://code.claude.com/docs/en/permissions
saying
Claude Code is aware of shell operators (like &&) so a prefix match rule like Bash(safe-cmd *) won’t give it permission to run the command safe-cmd && other-cmd.
I still had this happen.
A Bash(cd:*) permission rule in settings allows arbitrary command execution when the AI chains commands with &&. The cd:* pattern matches the entire compound command, bypassing permission checks for subsequent commands.
Steps to Reproduce
- Add the following to
.claude/settings.local.json:
{
"permissions": {
"allow": [
"Bash(cd:*)"
]
}
}
- Ask Claude to run a Python script (or any command) in a different directory. Claude will construct:
cd /some/path && python3 script.py
- The entire compound command is allowed without prompting, because it matches
Bash(cd:*).
Expected Behavior
The cd:* permission rule should only match standalone cd commands. Compound commands chained with &&, ||, or ; should be evaluated against permissions for each individual command in the chain.
Actual Behavior
The entire compound command cd /path && python3 script.py matches Bash(cd:*) and executes without prompting the user.
Security Impact
Any Bash(prefix:*) allow rule can be used as a backdoor to execute arbitrary commands by chaining them after the allowed prefix with &&. This effectively turns Bash(cd:*) into Bash(*).
Environment
- Claude Code CLI 2.1.51
- macOS / Darwin 25.3.0
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗