[BUG] File permission deny rules not enforced on Windows native version with Git Bash (works correctly on WSL)

Resolved 💬 2 comments Opened Jul 29, 2025 by qn1btd Closed Aug 6, 2025

Environment

  • Claude CLI version: 1.0.62
  • Operating System: Windows 11 (native with Git Bash) and WSL Ubuntu
  • Terminal: Windows Terminal

Bug Description

File permission deny rules configured in ~/.claude/settings.json are not being enforced when running Claude Code natively on Windows. The same settings configuration works correctly when running Claude Code through WSL, properly denying access to protected files like .env.

Steps to Reproduce

  1. Create ~/.claude/settings.json with the following content:

{
"permissions": {
"deny": [
"Read(**/.env*)",
"Read(**/*.pem)",
"Read(**/*.key)",
"Read(/secrets/)",
"Read(/credentials/)"
]
}
}

  1. Create a .env file in a project directory with sensitive content (e.g., API keys)
  2. Run Claude Code natively on Windows: claude
  3. Ask Claude to read the .env file using the Read tool
  4. Repeat steps 3-4 using Claude Code through WSL

Expected Behavior

Claude Code should refuse to read the .env file and return an error message indicating that access to this file is denied by the permissions configuration on both Windows native and WSL.

Actual Behavior

  • Windows Native: Claude Code successfully reads the entire contents of the .env file, exposing all sensitive API keys and secrets
  • WSL: Claude Code correctly denies access with an appropriate error message (working as expected)

Additional Context

  • The exact same settings.json file is used in both environments
  • This suggests a Windows-specific issue with path matching or permission checking
  • The vulnerability exposes sensitive data including API keys, webhooks, and other credentials
  • This is a security vulnerability as it bypasses intended access controls on Windows systems
  • The hooks settings in the settings.json are being applied properly

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗