Hardcoded UNC path block cannot be bypassed, even with --dangerously-skip-permissions / bypassPermissions mode
Summary
When the working directory is a UNC path (e.g. \\tsclient\C\..., which is legitimate for Hyper-V VMs using Terminal Services drive redirection), Claude Code prompts for every tool invocation and subdirectory access. bypassPermissions mode, --allow-dangerously-skip-permissions, additionalDirectories, and VSCode's security.allowedUNCHosts all have no effect. The CLI contains a hardcoded check:
if (f.startsWith("//") || /DavWWWRoot/i.test(f) || /@SSL@/i.test(f))
return { allowed: false,
decisionReason: { type: "other",
reason: "UNC paths are blocked because they can trigger network requests and credential leakage" }};
and a companion check for Bash commands:
if (FB(q)) return { behavior: "ask",
message: "Command contains Windows UNC path that could be vulnerable to WebDAV attacks" };
Environment
- VSCode extension
anthropic.claude-code-2.1.116-win32-x64 - Windows 10 guest inside Hyper-V, project accessed via
\\tsclient\C\...drive redirect from Windows 11 host - VSCode setting
security.allowedUNCHosts: ["tsclient"]set (no effect on Claude Code)
Why this is a real use case
The UNC mount is intentional: the project is also mounted via SMB on a Linux server (Oracle EBS r12) so that binary files (Oracle Forms .fmb) can be compiled directly on the server without transfer. Working from a local copy would break that workflow.
Attempted workarounds (all failed)
- Directory symlink (
mklink /D C:\bz \\tsclient\C\...) — Node/VSCode callrealpathbefore handing CWD to the CLI, so UNC path is restored net use Z: \\tsclient\C— rejected, tsclient isn't an SMB sharesubst Z: \\tsclient\C— refuses UNC paths by designNew-PSDrive -Persist— requires a "remote computer" target- Searched the binary for env vars / flags / feature flags to disable the check: none exist
Request
Provide an opt-in escape hatch for trusted UNC hosts — e.g. a CLAUDE_CODE_ALLOW_UNC_HOSTS env var, a permissions.allowedUNCHosts settings entry mirroring VSCode's security.allowedUNCHosts, or a CLI flag. The WebDAV-attack mitigation is reasonable as a default, but should be overridable for users who understand the risk (same pattern as --dangerously-skip-permissions).
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗