[SECURITY] SED Commands Can Damage Code Files Despite PreToolUse Hook Blocking Attempts

Resolved 💬 3 comments Opened Aug 30, 2025 by smeed652 Closed Sep 3, 2025

[SECURITY] SED Commands Can Damage Code Files Despite PreToolUse Hook Blocking Attempts

Summary

SED operations on critical code files (Python, JavaScript, JSON, etc.) execute successfully and can corrupt source code despite properly configured PreToolUse hooks that should block these dangerous operations. This represents a significant security vulnerability for developers using Claude Code.

Environment

  • Claude Code Version: Latest (as of January 2025)
  • Platform: macOS (also affects other platforms based on related issues)
  • Configuration: Proper PreToolUse hook setup in both user and project settings

Security Impact

  • HIGH: Accidental destruction/corruption of source code files
  • Risk: Loss of Python, JavaScript, TypeScript, JSON, YAML configuration files
  • Scope: Affects any developer using Claude Code for file operations
  • Data Loss Potential: Critical project files can be permanently damaged

Problem Description

Despite implementing PreToolUse hooks that correctly detect and attempt to block SED operations on code files, Claude Code ignores the blocking signals and executes the dangerous commands anyway. This creates a false sense of security where developers believe their code files are protected when they are actually vulnerable.

Steps to Reproduce

1. Create PreToolUse Hook

# Create hook directory
mkdir -p ~/.claude/hooks

# Create hook script at ~/.claude/hooks/PreToolUse
#!/bin/bash
json_input=$(cat)
command=$(echo "$json_input" | grep -o '"command"[[:space:]]*:[[:space:]]*"[^"]*"' | sed 's/.*"command"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')

if [[ "$command" == *"sed"* ]]; then
    if [[ "$command" =~ \.py ]] || [[ "$command" =~ \.js ]] || [[ "$command" =~ \.json ]]; then
        echo '{"continue": false, "stopReason": "🚫 SECURITY BLOCK: SED operations on code files are prohibited for safety. Use Edit, MultiEdit, or Write tools instead."}'
        exit 2
    fi
fi

echo "$json_input"
exit 0

# Make executable
chmod +x ~/.claude/hooks/PreToolUse

2. Configure Hook in Settings

// ~/.claude/settings.json
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "/Users/username/.claude/hooks/PreToolUse"
          }
        ]
      }
    ]
  }
}

3. Test Hook Works Manually

echo '{"tool_name": "Bash", "tool_input": {"command": "sed s/import/# import/ test.py"}}' | ~/.claude/hooks/PreToolUse
# Expected: {"continue": false, "stopReason": "🚫 SECURITY BLOCK: SED operations..."}
# Actual: ✅ WORKS - Hook correctly blocks

4. Test Actual Claude Code Usage

# Create test file
echo 'import os\nprint("hello")' > /tmp/test.py

# Attempt SED operation through Claude Code
sed 's/import/# import/' /tmp/test.py

Expected Behavior

The PreToolUse hook should:

  1. Intercept the SED command
  2. Detect it targets a .py file
  3. Return {"continue": false} with appropriate error message
  4. Block the command execution
  5. Show the stopReason to the user

Actual Behavior

  1. ❌ Hook is NOT called by Claude Code
  2. ❌ SED command executes successfully
  3. ❌ Code file is modified/corrupted: # import os\nprint("hello")
  4. ❌ No security blocking occurs
  5. ❌ No error messages shown

Test Results - Security Vulnerabilities Confirmed

| Attack Vector | Status | Impact |
|---------------|---------|---------|
| sed 's/import/# import/' file.py | ❌ SUCCEEDS | Python imports commented out |
| sed 's/{/BROKEN/' file.json | ❌ SUCCEEDS | JSON syntax completely broken |
| sed -i 's/:/BROKEN/' file.yaml | ❌ SUCCEEDS | YAML structure destroyed |
| bash -c "sed 's/test/HACK/' file.js" | ❌ SUCCEEDS | JavaScript code modified |
| echo "evil" \| sed 's/e/E/' > file.py | ❌ SUCCEEDS | Complete file overwrite |

Root Cause Analysis

This issue is related to the broader PreToolUse hook system failures documented in:

  • Issue #3514: PreToolUse hooks with preventContinuation:true not blocking tool execution
  • Issue #2814: Tool operations proceed regardless of hook command exit status
  • Issue #2891: Hooks not executing despite following documentation

However, this specific case represents a critical security vulnerability because:

  1. Code files are irreplaceable assets - unlike configuration files, they contain unique business logic
  2. SED operations are particularly dangerous - they can silently corrupt syntax and logic
  3. Developers expect protection - the hook system gives false confidence in security

Related Issues

  • #3514 (PreToolUse blocking not working)
  • #2814 (Hook exit codes ignored)
  • #5505 (File system write issues including sed -i)
  • #669 (File write protection bypass)

Workarounds

Currently, the only viable workarounds are:

  1. Git-based safety net - Frequent commits before AI interactions
  2. Docker containerization - Isolate Claude Code in containers
  3. Manual vigilance - Careful review of all file operations
  4. Backup scripts - Automatic file snapshots before AI sessions

None of these address the core security vulnerability that hooks should work as documented.

Proposed Solutions

  1. Fix PreToolUse hook system - Ensure hooks actually block tool execution
  2. Built-in SED protection - Add native safeguards for code file operations
  3. Enhanced permission system - More granular control over file modification commands
  4. Default code file protection - Require explicit approval for destructive operations on source code

Additional Context

This bug report includes working test cases, properly implemented hooks, and documented security vulnerabilities. The PreToolUse hook code provided works correctly when tested manually but fails when integrated with Claude Code's actual tool execution pipeline.

Files and Configuration

  • Hook script: Provided above (tested and working in isolation)
  • Configuration: Standard settings.json format as documented
  • Test cases: Reproducible steps with concrete examples
  • Security impact: Documented with specific vulnerable file types

Request

This represents a critical security vulnerability that affects every developer using Claude Code with file operations. The PreToolUse hook system needs immediate attention to function as documented and protect users' source code from accidental damage.

Priority: HIGH - Security vulnerability affecting core developer workflows

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗