[BUG] Heredoc as first argument bypasses pipe target permission checks
Bug
When a heredoc marker (<<EOF or <<'EOF') is the first token after the command name, the permission system fails to evaluate pipe targets. An ask-listed command silently auto-allows when it appears after |.
Reproduction
Given these permission rules:
{
"permissions": {
"allow": ["Bash(cat:*)", "Bash(sort:*)", "Bash(head:*)"],
"ask": ["Bash(some-script:*)"]
}
}
Prompted (correct behavior)
echo test | some-script # pipe target evaluated
cat /dev/null | some-script # pipe target evaluated
cat --number <<'EOF' | some-script # args before heredoc — pipe target evaluated
head -1 <<'EOF' | some-script # args before heredoc — pipe target evaluated
sort --reverse <<'EOF' | some-script # args before heredoc — pipe target evaluated
Auto-allowed (bug — ask rule on pipe target skipped)
cat <<'EOF' | some-script # heredoc is first arg — pipe target NOT evaluated
sort <<'EOF' | some-script # heredoc is first arg — pipe target NOT evaluated
head <<'EOF' | some-script # heredoc is first arg — pipe target NOT evaluated
Both quoted (<<'EOF') and unquoted (<<EOF) heredoc delimiters trigger the bug.
Expected behavior
The pipe target should be evaluated against permission rules regardless of whether the source command uses a heredoc.
Likely cause
The permission parser appears to stop analyzing the command at << when it is the first argument, treating everything after it (including | some-script) as heredoc content rather than continuing to parse the pipeline.
Impact
Any ask- or deny-listed command can be silently auto-allowed by piping from an allow-listed command with an immediate heredoc. This is a permission bypass — the user configured ask specifically to be prompted before execution, but never sees the prompt.
Related issues
- #42426 — heredoc bypassing
git commitpermission checks (closed, same class) - #47752 — "Unhandled node type: pipeline" in permission prompt
- #11932 — auto-approve patterns not matching heredoc commands
- #30519 — meta-issue on permission matching
Environment
- Claude Code on Linux (WSL2 Ubuntu 24.04)
- Permissions configured in managed-settings.json (system-level)
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗