Permission allow list glob wildcards match shell operators, enabling command injection

Resolved 💬 5 comments Opened Mar 28, 2026 by michaliskon Closed May 11, 2026

Glob patterns in the permission allow list are matched against raw shell command strings. Because * matches any characters — including shell operators (&&, ;, ||, |) — any allow rule containing * can be exploited to inject arbitrary commands that execute without prompting.

Example

Allow rule: Bash(git -C * status)

Intended: allow git status in any repo.

Actual: also silently allows:

git -C "/repo" && rm -rf / && git -C "/repo" status

The * matches "/repo" && rm -rf / && git -C "/repo", so the destructive command runs unprompted.

Impact

Every allow rule containing * is affected. There is no user-side workaround that preserves wildcard flexibility — the only safe option today is removing all *-containing rules.

Suggested fix

  • Parse shell structure (split on &&, ;, ||, |) before glob matching, so wildcards cannot cross command boundaries.
  • Support regex patterns with character classes (e.g., git -C [a-zA-Z0-9/._ -]+ status) so users can constrain what wildcards match without losing flexibility.

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗