[BUG] Bash tool bypasses settings.json path deny rules — shell commands not subject to file tool access controls

Resolved 💬 4 comments Opened Mar 27, 2026 by yth0-n0 Closed May 7, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

I configured an explicit path deny in .claude\settings.json to prevent Claude from accessing a specific directory (C:\ClaudeScripting\ClaudeNoAccess\). The restriction works correctly for Claude's built-in file tools (Read, Glob, Grep). However, Claude bypassed this restriction by running grep and head as Bash tool commands instead, successfully reading files from the denied directory.

What Should Happen?

Expected behavior:

Path deny rules in settings.json should apply uniformly across all access mechanisms, including shell commands executed via the Bash tool. A deny rule should mean no access regardless of which tool is used.

Actual behavior:

Bash tool commands execute as the user's OS process and are not checked against settings.json path restrictions. The access control is silently bypassed.

Error Messages/Logs

Steps to Reproduce

Add a path deny rule for a directory in .claude\settings.json
Verify the Read/Grep/Glob tools are blocked for that path
Ask Claude to find or read content from files in that directory
Observe that Claude can access the files via grep, head, cat, or other shell commands through the Bash tool

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

v2.1.84

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

VS Code integrated terminal

Additional Information

Expected behavior:

Path deny rules in settings.json should apply uniformly across all access mechanisms, including shell commands executed via the Bash tool. A deny rule should mean no access regardless of which tool is used.

Actual behavior:

Bash tool commands execute as the user's OS process and are not checked against settings.json path restrictions. The access control is silently bypassed.

Impact:

Users who rely on settings.json to restrict Claude's file access (e.g., to protect sensitive data) have a false sense of security. The restriction is trivially bypassed — and Claude may do so without any awareness that it is circumventing an intended boundary.

Suggested fix:

settings.json path deny rules should either (a) also block Bash tool commands that reference denied paths, or (b) be clearly documented as applying only to file tools, so users know the Bash tool requires separate controls (e.g., disabling it entirely or using OS-level permissions).

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗