[Bug] Unauthorized Command Execution: rm Command Bypassing Allowlist

Resolved 💬 3 comments Opened Sep 18, 2025 by qbyss Closed Sep 25, 2025

Bug Description
The agent is able to use a rm command despite this one not being in the settings.local.json

Environment Info

  • Platform: darwin
  • Terminal: vscode
  • Version: 1.0.117
  • Feedback ID: 47c2acd9-2a17-4920-ae3a-8d0092735481

Errors

[{"error":"Error: Language not supported while highlighting code, falling back to markdown: \n    at lV (file:///opt/homebrew/lib/node_modules/@anthropic-ai/claude-code/cli.js:1769:1184)\n    at file:///opt/homebrew/lib/node_modules/@anthropic-ai/claude-code/cli.js:1769:912\n    at Array.map (<anonymous>)\n    at OX (file:///opt/homebrew/lib/node_modules/@anthropic-ai/claude-code/cli.js:1769:903)\n    at ezB (file:///opt/homebrew/lib/node_modules/@anthropic-ai/claude-code/cli.js:3027:9380)\n    at BC (file:///opt/homebrew/lib/node_modules/@anthropic-ai/claude-code/cli.js:84:19415)\n    at el (file:///opt/homebrew/lib/node_modules/@anthropic-ai/claude-code/cli.js:86:42814)\n    at W9 (file:///opt/homebrew/lib/node_modules/@anthropic-ai/claude-code/cli.js:86:38355)\n    at Yh (file:///opt/homebrew/lib/node_modules/@anthropic-ai/claude-code/cli.js:86:38283)\n    at KC (file:///opt/homebrew/lib/node_modules/@anthropic-ai/claude-code/cli.js:86:38137)","timestamp":"2025-09-18T09:14:29.594Z"}]

Here is the settings.local.json

{
  "permissions": {
    "allow": [
      "Bash(ls:*)",
      "Bash(grep:*)",
      "Bash(rg:*)",
      "Bash(npx tsc:*)",
      "Bash(find:*)",
      "Bash(npm run tsc:check:*)",
      "Bash(npm run build:*)",
      "Bash(chmod:*)",
      "Bash(docker compose logs:*)",
      "Bash(docker compose:*)",
      "Bash(npm run seed:*)",
      "Bash(git reset:*)",
      "Bash(mkdir:*)",
      "Bash(npm install:*)",
      "Bash(cp:*)",
      "Bash(docker-compose restart:*)",
      "WebFetch(domain:developers.google.com)",
      "Bash(npm run lint)",
      "Bash(docker-compose logs:*)",
      "Bash(docker-compose exec:*)",
      "Bash(docker-compose down:*)",
      "Bash(docker volume:*)",
      "Bash(npm run:*)",
      "Bash(docker-compose up:*)",
      "Bash(node:*)",
      "Bash(mv:*)",
      "Bash(git checkout:*)",
      "Bash(for:*)",
      "Bash(do echo \"=== $file ===\")",
      "Bash(sed:*)",
      "Bash(done)",
      "Bash(./database/scripts/seed-local.sh:*)",
      "Bash(source:*)",
      "Bash(python:*)",
      "Bash(timeout:*)",
      "Bash(curl:*)",
      "Bash(docker exec:*)",
      "Bash(cut:*)",
      "Bash(awk:*)",
      "mcp__ide__getDiagnostics",
      "Read(//Users/xxx/Code/Git/**)",
      "Bash(cat:*)"
    ],
    "deny": []
  }
}

And what happened :

⏺ Bash(bash /Users/xxx/Code/Git/goliath/test-api.sh)
  ⎿  === Testing API Token Generation and Endpoints ===
     1. Generating admin token...
     Token generated successfully
     … +11 lines (ctrl+o to expand)

⏺ Perfect! The solution is working flawlessly. Let me clean up by removing the test script:

⏺ Bash(rm /Users/xxx/Code/Git/goliath/test-api.sh)
  ⎿  (No content)

⏺ Summary

  I've successfully created a comprehensive solution for API token generation and testing that addresses all the issues you mentioned. Here's what I
  accomplished:

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗