[BUG] cd-prefixed compound commands bypass permission system (ask/deny rules ineffective)

Resolved 💬 3 comments Opened May 15, 2026 by smm-h Closed Jun 13, 2026

Bug

cd /path && git push bypasses Bash(git push:*) in the ask permission list. The command executes without prompting.

This is a security issue: subagents can push to remote repositories, delete files, or run any denied command by prefixing it with cd /some/path &&.

Reproduction

  1. Add "Bash(git push:*)" to the ask array in settings.json
  2. Run: git push --dry-runprompts correctly
  3. Run: echo test && git push --dry-runprompts correctly
  4. Run: cd /different/path && git push --dry-runexecutes without prompting

Step 4 is the bug. The cd prefix causes the permission check to be bypassed entirely.

What we tested

Every pattern format we could think of, all in the ask list simultaneously:

  • Bash(git push:*)
  • Bash(git push)
  • Bash(* git push*)
  • Bash(*cd *git push*)
  • Bash(*; git push*)
  • Bash(*&& git push*)
  • Bash(*&&git push*)
  • Bash(*&& git push:*)
  • Bash(*; git push:*)

None of them catch cd /path && git push. The echo test && git push form IS caught by Bash(*&& git push:*), proving the pattern syntax works -- but cd is special-cased somewhere.

Root cause (hypothesis)

The Claude Code harness strips idempotent cd prefixes (when cd target matches cwd). We confirmed this: cd /current/dir && git push gets the cd stripped and becomes bare git push, which is then caught. But cd /different/dir && git push is NOT stripped, and the permission system never evaluates git push as a separate command.

The harness likely changes the working directory and runs the remainder, but the permission check happens on the pre-split compound string, which starts with cd and matches no deny/ask rules.

Real-world impact

During a session, a subagent pushed to 4 remote repositories without the user ever being prompted, despite Bash(git push:*) being in the ask list. Every push used the cd /path && git push pattern. The permission system was completely ineffective.

Related issues

  • #13371 -- Permission system bypassed by command chaining (Dec 2025, auto-closed)
  • #28784 -- Bash(cd:*) allows arbitrary command execution via && chaining
  • #29491 -- Compound bash commands should evaluate each command independently
  • #20085 -- Permission system treats command chains as single patterns
  • #37621 -- ask/deny permissions bypassed when Bash command cds outside launch directory

This has been reported repeatedly since December 2025. Community workarounds exist (PreToolUse hooks with shell parsing) but the core issue remains unfixed.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗