[BUG] Heredoc as first argument bypasses pipe target permission checks

Resolved 💬 5 comments Opened Apr 15, 2026 by spawnia Closed Apr 18, 2026

Bug

When a heredoc marker (<<EOF or <<'EOF') is the first token after the command name, the permission system fails to evaluate pipe targets. An ask-listed command silently auto-allows when it appears after |.

Reproduction

Given these permission rules:

{
  "permissions": {
    "allow": ["Bash(cat:*)", "Bash(sort:*)", "Bash(head:*)"],
    "ask": ["Bash(some-script:*)"]
  }
}

Prompted (correct behavior)

echo test | some-script              # pipe target evaluated
cat /dev/null | some-script          # pipe target evaluated
cat --number <<'EOF' | some-script   # args before heredoc — pipe target evaluated
head -1 <<'EOF' | some-script        # args before heredoc — pipe target evaluated
sort --reverse <<'EOF' | some-script # args before heredoc — pipe target evaluated

Auto-allowed (bug — ask rule on pipe target skipped)

cat <<'EOF' | some-script            # heredoc is first arg — pipe target NOT evaluated
sort <<'EOF' | some-script           # heredoc is first arg — pipe target NOT evaluated
head <<'EOF' | some-script           # heredoc is first arg — pipe target NOT evaluated

Both quoted (<<'EOF') and unquoted (<<EOF) heredoc delimiters trigger the bug.

Expected behavior

The pipe target should be evaluated against permission rules regardless of whether the source command uses a heredoc.

Likely cause

The permission parser appears to stop analyzing the command at << when it is the first argument, treating everything after it (including | some-script) as heredoc content rather than continuing to parse the pipeline.

Impact

Any ask- or deny-listed command can be silently auto-allowed by piping from an allow-listed command with an immediate heredoc. This is a permission bypass — the user configured ask specifically to be prompted before execution, but never sees the prompt.

Related issues

  • #42426 — heredoc bypassing git commit permission checks (closed, same class)
  • #47752 — "Unhandled node type: pipeline" in permission prompt
  • #11932 — auto-approve patterns not matching heredoc commands
  • #30519 — meta-issue on permission matching

Environment

  • Claude Code on Linux (WSL2 Ubuntu 24.04)
  • Permissions configured in managed-settings.json (system-level)

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗