Summary
When a Bash command contains compound operators (&&, |, ;, ||), the permission matcher evaluates the entire string as a single unit. This causes compound commands to require approval even when all individual components would be allowed by existing permission patterns.
Current Behavior
Given this permission configuration:
{
"allow": [
"Bash(git:*)",
"Bash(cd:*)",
"Bash(poetry:*)"
]
}The command cd /path && git status:
- Is evaluated as a single string
- Does not match
Bash(git:*) (starts with cd)
- Does not match
Bash(cd:*) (contains more than just cd)
- Result: Triggers approval dialog
Expected Behavior
The command cd /path && git status:
- Is parsed into components:
cd /path, git status
- Each component is matched against permission patterns:
cd /path → matches Bash(cd:*)git status → matches Bash(git:*)
- All components allowed → no approval dialog
Proposed Solution
Modify the permission matching logic for Bash commands to:
- Detect compound commands - Check for
&&, ||, |, ; outside of quoted strings
- Parse into components - Split on these operators
- Evaluate each component - Match each against allow/deny patterns
- Aggregate results:
- If ANY component matches a
deny pattern → deny
- If ALL components match
allow patterns → allow
- Otherwise → require approval
Implementation Considerations
Parsing Edge Cases
| Case |
Handling |
echo "foo && bar" |
Don't split inside quotes |
$(cd /tmp && ls) |
Parse subshell contents |
cmd1 || cmd2 |
Handle || (OR) same as && |
cmd1 | cmd2 |
Pipe - both sides must be allowed |
Nested: (a && b) | c |
Recursive parsing |
Security Considerations
- Deny patterns should be checked first and take precedence
- A compound command with ANY denied component should be denied
- Empty components (e.g.,
&& &&) should be rejected
Workaround
Currently, users must either:
- Avoid compound commands entirely (use separate Bash calls)
- Add broad permission patterns that may be overly permissive
Environment
- Claude Code CLI
- Affects all platforms
Summary
When a Bash command contains compound operators (
&&,|,;,||), the permission matcher evaluates the entire string as a single unit. This causes compound commands to require approval even when all individual components would be allowed by existing permission patterns.Current Behavior
Given this permission configuration:
{ "allow": [ "Bash(git:*)", "Bash(cd:*)", "Bash(poetry:*)" ] }The command
cd /path && git status:Bash(git:*)(starts withcd)Bash(cd:*)(contains more than justcd)Expected Behavior
The command
cd /path && git status:cd /path,git statuscd /path→ matchesBash(cd:*)git status→ matchesBash(git:*)Proposed Solution
Modify the permission matching logic for Bash commands to:
&&,||,|,;outside of quoted stringsdenypattern → denyallowpatterns → allowImplementation Considerations
Parsing Edge Cases
echo "foo && bar"$(cd /tmp && ls)cmd1 || cmd2||(OR) same as&&cmd1 | cmd2(a && b) | cSecurity Considerations
&& &&) should be rejectedWorkaround
Currently, users must either:
Environment