[BUG] cd-prefixed compound commands bypass permission system (ask/deny rules ineffective)
Bug
cd /path && git push bypasses Bash(git push:*) in the ask permission list. The command executes without prompting.
This is a security issue: subagents can push to remote repositories, delete files, or run any denied command by prefixing it with cd /some/path &&.
Reproduction
- Add
"Bash(git push:*)"to theaskarray insettings.json - Run:
git push --dry-run→ prompts correctly - Run:
echo test && git push --dry-run→ prompts correctly - Run:
cd /different/path && git push --dry-run→ executes without prompting
Step 4 is the bug. The cd prefix causes the permission check to be bypassed entirely.
What we tested
Every pattern format we could think of, all in the ask list simultaneously:
Bash(git push:*)Bash(git push)Bash(* git push*)Bash(*cd *git push*)Bash(*; git push*)Bash(*&& git push*)Bash(*&&git push*)Bash(*&& git push:*)Bash(*; git push:*)
None of them catch cd /path && git push. The echo test && git push form IS caught by Bash(*&& git push:*), proving the pattern syntax works -- but cd is special-cased somewhere.
Root cause (hypothesis)
The Claude Code harness strips idempotent cd prefixes (when cd target matches cwd). We confirmed this: cd /current/dir && git push gets the cd stripped and becomes bare git push, which is then caught. But cd /different/dir && git push is NOT stripped, and the permission system never evaluates git push as a separate command.
The harness likely changes the working directory and runs the remainder, but the permission check happens on the pre-split compound string, which starts with cd and matches no deny/ask rules.
Real-world impact
During a session, a subagent pushed to 4 remote repositories without the user ever being prompted, despite Bash(git push:*) being in the ask list. Every push used the cd /path && git push pattern. The permission system was completely ineffective.
Related issues
- #13371 -- Permission system bypassed by command chaining (Dec 2025, auto-closed)
- #28784 -- Bash(cd:*) allows arbitrary command execution via && chaining
- #29491 -- Compound bash commands should evaluate each command independently
- #20085 -- Permission system treats command chains as single patterns
- #37621 -- ask/deny permissions bypassed when Bash command cds outside launch directory
This has been reported repeatedly since December 2025. Community workarounds exist (PreToolUse hooks with shell parsing) but the core issue remains unfixed.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗