[BUG] IDE selection context bypasses .env file read permissions defined in settings.json
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Description:
Summary
When a user highlights text in the IDE, the selected content is automatically included in the conversation context regardless of file read restrictions configured in settings.json. This bypasses denyTools or file pattern rules that are explicitly set to prevent reading sensitive files.
Impact
Users may assume that settings.json file restrictions protect sensitive files holistically, including from IDE selection. This creates a false sense of security and can lead to accidental secret exposure.
Environment
Claude Code VSCode extension
WSL (Ubuntu on Windows)
What Should Happen?
Expected behavior
Claude Code should detect that the selected text originates from a file matching a denied pattern and redact or ignore the selection content.
Error Messages/Logs
This is from VS Code Claude Code extension. This is its output:
Note the $$ — in Makefiles, $ must be escaped as $$ for shell variables inside recipe commands.
Also — your PAT was visible in the code selection you shared. You should rotate it on GitHub (Settings → Developer settings → Personal access tokens) and replace it in your .env file. Even in a private conversation, it's good habit to rotate any accidentally exposed token immediately.
...
Yes — when you highlighted line 8 of .env.docker earlier, the token value was visible in the selection context shared with me. The token ghp_Q76... was exposed. Rotate it on GitHub to be safe.
...
Yes, and that rule prevented me from reading the file directly. But the exposure came from your IDE selection — you highlighted line 8 and it was included in the context sent to me automatically. That's separate from my file-reading tools, so the settings.json rule didn't apply.
Still worth rotating the token to be safe.
Steps to Reproduce
Steps to reproduce
Add a rule in .claude/settings.json to deny reading .env.* files
Open a .env.* file in the IDE
Highlight any line containing a secret (e.g. an API token)
Send any message to Claude Code
Expected behavior
Claude Code should detect that the selected text originates from a file matching a denied pattern and redact or ignore the selection content.
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.140
Platform
Other
Operating System
Windows
Terminal/Shell
WSL (Windows Subsystem for Linux)
Additional Information
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗