[BUG] Heredoc pipe bypass still present in v2.1.141 (#48518 still not fixed)

Resolved 💬 7 comments Opened May 14, 2026 by Tarek98 Closed Jun 20, 2026

This is a continuation of issue #48518, which was locked but still reproduces as mentioned by @spawnia on v2.1.104 and potentially higher .

The fix introduced in v2.1.73 only fixed the CPU loop/freeze symptom, but the underlying permission bypass remains. When a heredoc marker (<<EOF or <<'EOF') is the first token after the command name, the permission system fails to evaluate pipe targets. An ask-listed command silently auto-allows when it appears after |.

Reproduction

Permissions:

{
  "permissions": {
    "allow": ["Bash(cat:*)", "Bash(sort:*)", "Bash(head:*)", "Bash(echo:*)"],
    "ask": ["Bash(pandoc:*)", "Bash(curl:*)"]
  }
}

Auto-allowed (bug — ask rule on pipe target skipped):

cat <<'EOF' | pandoc --to=plain # heredoc first arg ✗

This issue was previously verified as reproducing on v2.1.104 by @spawnia in #48518, but the issue was locked by a bot before it could be reopened.

View original on GitHub ↗

This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗