[SECURITY] SED Commands Can Damage Code Files Despite PreToolUse Hook Blocking Attempts
[SECURITY] SED Commands Can Damage Code Files Despite PreToolUse Hook Blocking Attempts
Summary
SED operations on critical code files (Python, JavaScript, JSON, etc.) execute successfully and can corrupt source code despite properly configured PreToolUse hooks that should block these dangerous operations. This represents a significant security vulnerability for developers using Claude Code.
Environment
- Claude Code Version: Latest (as of January 2025)
- Platform: macOS (also affects other platforms based on related issues)
- Configuration: Proper PreToolUse hook setup in both user and project settings
Security Impact
- HIGH: Accidental destruction/corruption of source code files
- Risk: Loss of Python, JavaScript, TypeScript, JSON, YAML configuration files
- Scope: Affects any developer using Claude Code for file operations
- Data Loss Potential: Critical project files can be permanently damaged
Problem Description
Despite implementing PreToolUse hooks that correctly detect and attempt to block SED operations on code files, Claude Code ignores the blocking signals and executes the dangerous commands anyway. This creates a false sense of security where developers believe their code files are protected when they are actually vulnerable.
Steps to Reproduce
1. Create PreToolUse Hook
# Create hook directory
mkdir -p ~/.claude/hooks
# Create hook script at ~/.claude/hooks/PreToolUse
#!/bin/bash
json_input=$(cat)
command=$(echo "$json_input" | grep -o '"command"[[:space:]]*:[[:space:]]*"[^"]*"' | sed 's/.*"command"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')
if [[ "$command" == *"sed"* ]]; then
if [[ "$command" =~ \.py ]] || [[ "$command" =~ \.js ]] || [[ "$command" =~ \.json ]]; then
echo '{"continue": false, "stopReason": "🚫 SECURITY BLOCK: SED operations on code files are prohibited for safety. Use Edit, MultiEdit, or Write tools instead."}'
exit 2
fi
fi
echo "$json_input"
exit 0
# Make executable
chmod +x ~/.claude/hooks/PreToolUse
2. Configure Hook in Settings
// ~/.claude/settings.json
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "/Users/username/.claude/hooks/PreToolUse"
}
]
}
]
}
}
3. Test Hook Works Manually
echo '{"tool_name": "Bash", "tool_input": {"command": "sed s/import/# import/ test.py"}}' | ~/.claude/hooks/PreToolUse
# Expected: {"continue": false, "stopReason": "🚫 SECURITY BLOCK: SED operations..."}
# Actual: ✅ WORKS - Hook correctly blocks
4. Test Actual Claude Code Usage
# Create test file
echo 'import os\nprint("hello")' > /tmp/test.py
# Attempt SED operation through Claude Code
sed 's/import/# import/' /tmp/test.py
Expected Behavior
The PreToolUse hook should:
- Intercept the SED command
- Detect it targets a .py file
- Return
{"continue": false}with appropriate error message - Block the command execution
- Show the stopReason to the user
Actual Behavior
- ❌ Hook is NOT called by Claude Code
- ❌ SED command executes successfully
- ❌ Code file is modified/corrupted:
# import os\nprint("hello") - ❌ No security blocking occurs
- ❌ No error messages shown
Test Results - Security Vulnerabilities Confirmed
| Attack Vector | Status | Impact |
|---------------|---------|---------|
| sed 's/import/# import/' file.py | ❌ SUCCEEDS | Python imports commented out |
| sed 's/{/BROKEN/' file.json | ❌ SUCCEEDS | JSON syntax completely broken |
| sed -i 's/:/BROKEN/' file.yaml | ❌ SUCCEEDS | YAML structure destroyed |
| bash -c "sed 's/test/HACK/' file.js" | ❌ SUCCEEDS | JavaScript code modified |
| echo "evil" \| sed 's/e/E/' > file.py | ❌ SUCCEEDS | Complete file overwrite |
Root Cause Analysis
This issue is related to the broader PreToolUse hook system failures documented in:
- Issue #3514: PreToolUse hooks with
preventContinuation:truenot blocking tool execution - Issue #2814: Tool operations proceed regardless of hook command exit status
- Issue #2891: Hooks not executing despite following documentation
However, this specific case represents a critical security vulnerability because:
- Code files are irreplaceable assets - unlike configuration files, they contain unique business logic
- SED operations are particularly dangerous - they can silently corrupt syntax and logic
- Developers expect protection - the hook system gives false confidence in security
Related Issues
- #3514 (PreToolUse blocking not working)
- #2814 (Hook exit codes ignored)
- #5505 (File system write issues including sed -i)
- #669 (File write protection bypass)
Workarounds
Currently, the only viable workarounds are:
- Git-based safety net - Frequent commits before AI interactions
- Docker containerization - Isolate Claude Code in containers
- Manual vigilance - Careful review of all file operations
- Backup scripts - Automatic file snapshots before AI sessions
None of these address the core security vulnerability that hooks should work as documented.
Proposed Solutions
- Fix PreToolUse hook system - Ensure hooks actually block tool execution
- Built-in SED protection - Add native safeguards for code file operations
- Enhanced permission system - More granular control over file modification commands
- Default code file protection - Require explicit approval for destructive operations on source code
Additional Context
This bug report includes working test cases, properly implemented hooks, and documented security vulnerabilities. The PreToolUse hook code provided works correctly when tested manually but fails when integrated with Claude Code's actual tool execution pipeline.
Files and Configuration
- Hook script: Provided above (tested and working in isolation)
- Configuration: Standard settings.json format as documented
- Test cases: Reproducible steps with concrete examples
- Security impact: Documented with specific vulnerable file types
Request
This represents a critical security vulnerability that affects every developer using Claude Code with file operations. The PreToolUse hook system needs immediate attention to function as documented and protect users' source code from accidental damage.
Priority: HIGH - Security vulnerability affecting core developer workflows
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗