Permission and sandbox bypass: destructive operations executed without user consent

Resolved 💬 1 comment Opened Mar 2, 2026 by zarak Closed Mar 2, 2026

Bug Category

Permission/sandbox bypass is the #4 bug category (~10 issues). The agent executes destructive operations that the permission system should have blocked.

Representative issues

  • rm -rf executed without permission prompt (#29984) — despite not being in the allow list
  • Agent overwrote staged files + ran git stash without permission (#29809) — destructive git operations bypassed confirmation
  • Plugin install clears sandbox.filesystem config (#30109) — plugin marketplace silently disables sandbox
  • Seatbelt allowWrite has no effect on macOS (#30067) — sandbox policy not enforced
  • Bash tool loses HOME/PATH env vars (#30068) — environment inconsistency
  • Bedrock credentials inherited by child processes (#29765) — secrets leak to subprocesses
  • ExitPlanMode auto-approved without user interaction (#30090) — bypasses consent gate
  • Model ran find on home directory without consent (#30125)

Root cause patterns

  1. Permission pattern matching gaps: Bash(mkdir:*) doesn't match mkdir -p foo && cd foo because the pattern matcher doesn't parse shell pipelines
  2. Sandbox configuration ignored: settings are read but not enforced (macOS Seatbelt allowWrite)
  3. Environment leakage: child processes inherit secrets from parent environment
  4. Plugin-level bypass: plugin installation modifies the sandbox config itself, creating a self-defeating security boundary
  5. Consent gate bypass: tools that should block for user input auto-complete under certain permission modes

Proposed mitigations

1. Defense-in-depth for destructive commands:
Maintain a hard-coded blocklist of destructive patterns (rm -rf, git reset --hard, git stash, DROP TABLE) that always require confirmation regardless of permission mode. This is a safety net below the configurable permission layer.

2. Sandbox immutability:
Plugin installation should never modify sandbox configuration. Sandbox config should be treated as a security boundary that only the user can modify directly.

3. Environment allowlisting:
Default to EnvClear or EnvAllowlist for all subprocess spawning. Only pass through explicitly allowed env vars (PATH, HOME, TERM, LANG). This prevents credential leakage.

4. Property-based testing for permission patterns:
Generate adversarial shell commands (pipes, subshells, heredocs, command substitution) and verify the permission matcher correctly classifies them. The current pattern matching has gaps because shell syntax is complex.

Related issues

#29984, #29809, #30109, #30067, #30068, #29765, #30090, #30125

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗