Permission and sandbox bypass: destructive operations executed without user consent
Bug Category
Permission/sandbox bypass is the #4 bug category (~10 issues). The agent executes destructive operations that the permission system should have blocked.
Representative issues
- rm -rf executed without permission prompt (#29984) — despite not being in the allow list
- Agent overwrote staged files + ran git stash without permission (#29809) — destructive git operations bypassed confirmation
- Plugin install clears sandbox.filesystem config (#30109) — plugin marketplace silently disables sandbox
- Seatbelt allowWrite has no effect on macOS (#30067) — sandbox policy not enforced
- Bash tool loses HOME/PATH env vars (#30068) — environment inconsistency
- Bedrock credentials inherited by child processes (#29765) — secrets leak to subprocesses
- ExitPlanMode auto-approved without user interaction (#30090) — bypasses consent gate
- Model ran find on home directory without consent (#30125)
Root cause patterns
- Permission pattern matching gaps:
Bash(mkdir:*)doesn't matchmkdir -p foo && cd foobecause the pattern matcher doesn't parse shell pipelines - Sandbox configuration ignored: settings are read but not enforced (macOS Seatbelt
allowWrite) - Environment leakage: child processes inherit secrets from parent environment
- Plugin-level bypass: plugin installation modifies the sandbox config itself, creating a self-defeating security boundary
- Consent gate bypass: tools that should block for user input auto-complete under certain permission modes
Proposed mitigations
1. Defense-in-depth for destructive commands:
Maintain a hard-coded blocklist of destructive patterns (rm -rf, git reset --hard, git stash, DROP TABLE) that always require confirmation regardless of permission mode. This is a safety net below the configurable permission layer.
2. Sandbox immutability:
Plugin installation should never modify sandbox configuration. Sandbox config should be treated as a security boundary that only the user can modify directly.
3. Environment allowlisting:
Default to EnvClear or EnvAllowlist for all subprocess spawning. Only pass through explicitly allowed env vars (PATH, HOME, TERM, LANG). This prevents credential leakage.
4. Property-based testing for permission patterns:
Generate adversarial shell commands (pipes, subshells, heredocs, command substitution) and verify the permission matcher correctly classifies them. The current pattern matching has gaps because shell syntax is complex.
Related issues
#29984, #29809, #30109, #30067, #30068, #29765, #30090, #30125
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗