[BUG] Permission bypass: @ prefix allows reading denied files
Environment
- Platform (select one):
- [x] Anthropic API
- [ ] AWS Bedrock
- [ ] Google Vertex AI
- [ ] Other: <!-- specify -->
- Claude CLI version: 1.0.96 (Claude Code)
- Operating System: macOS (Darwin 24.6.0)
- Terminal: VS Code
Bug Description
The @ prefix bypasses file permission restrictions in Claude Code. When a file is explicitly denied read permissions, using read @filename allows Claude to access the file anyway, circumventing the intended security controls.
Steps to Reproduce
- Configure Claude Code to deny read permissions for a specific file (e.g., .env)
{
"permissions": {
"deny": [
"Read(.env)"
]
}
}
- Attempt to read the file normally: read .env - correctly returns "Permission denied"
- Use the @ prefix: read @.env - incorrectly allows file access and displays contents
Expected Behavior
The @ prefix should respect the same permission settings as direct file access. If a file is configured to be denied, it should remain inaccessible regardless of the syntax used to reference it.
Actual Behavior
The @ prefix bypasses permission restrictions and allows reading of explicitly denied files, potentially exposing sensitive information like environment variables and secrets.
Additional Context
This is a security-related permission bypass that could expose sensitive files containing secrets, API keys, or other confidential data that users have intentionally restricted.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗