Security: PreToolUse hook bypasses Claude Code deny rules via permissionDecision: allow

[alxsbn]

Problem

The RTK PreToolUse rewrite hook (rtk-rewrite.sh) outputs permissionDecision: "allow" alongside
updatedInput. This completely bypasses Claude Code's permission system, including deny rules configured in
.claude/settings.json.

Reproduction

A project has these deny rules in .claude/settings.json:

{
  "permissions": {
    "deny": [
      "Bash(git push --force)",
      "Bash(git push -f)",
      "Bash(git branch -D)",
      "Bash(gh pr merge)",
      "Bash(sudo:*)"
    ]
  }
}

When the hook is active:

1. Claude generates git push --force
2. Hook matches push * → rewrites to rtk git push --force
3. Hook returns permissionDecision: "allow" → deny rule is never evaluated
4. Command executes without any user prompt

Affected commands

The hook matches broad git/gh patterns that include dangerous subcommands:

Command	Hook pattern	Deny rule bypassed
git push --force	push *	Bash(git push --force)
git push -f	push *	Bash(git push -f)
git push --force-with-lease	push *	Bash(git push --force-with-lease)
git branch -D main	branch *	Bash(git branch -D)
gh pr merge 123	gh pr *	Bash(gh pr merge)
gh pr close 123	gh pr *	Bash(gh pr close)
gh issue close 42	gh issue *	Bash(gh issue close)
gh release delete v1	gh release *	Bash(gh release delete)

Commands not in the hook's match list (e.g. git reset --hard, sudo) are unaffected — they exit 0 and normal
permissions apply.

Proposed fix

Before emitting permissionDecision: "allow", the hook should dynamically check deny patterns from Claude Code
settings files. If the command matches a deny rule, exit 0 (pass-through to normal permission flow) instead of
rewriting.

Implementation

# After extracting FIRST_CMD, before any rewrite logic:

_matches_deny() {
  local cmd="$1"
  shift
  for settings_file in "$@"; do
    [ -f "$settings_file" ] || continue
    while IFS= read -r raw; do
      [ -z "$raw" ] && continue
      local inner="${raw#Bash(}"
      inner="${inner%)}"
      if [[ "$inner" == *":*" ]]; then
        # Wildcard: Bash(sudo:*) → prefix match on "sudo"
        local prefix="${inner%:*}"
        [[ "$cmd" == "$prefix" || "$cmd" == "$prefix "* ]] && return 0
      else
        # Exact: Bash(git push --force) → prefix match
        [[ "$cmd" == "$inner" || "$cmd" == "$inner "* ]] && return 0
      fi
    done < <(jq -r '.permissions.deny[]? | select(startswith("Bash("))' "$settings_file" 2>/dev/null)
  done
  return 1
}

# Discover project root (git, then walk-up fallback)
PROJECT_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || echo "")
if [ -z "$PROJECT_ROOT" ]; then
  _dir="$PWD"
  while [ "$_dir" != "/" ]; do
    [ -f "$_dir/.claude/settings.json" ] && { PROJECT_ROOT="$_dir"; break; }
    _dir=$(dirname "$_dir")
  done
fi

DENY_SOURCES=()
[ -n "$PROJECT_ROOT" ] && DENY_SOURCES+=("$PROJECT_ROOT/.claude/settings.json"
"$PROJECT_ROOT/.claude/settings.local.json")
DENY_SOURCES+=("$HOME/.claude/settings.json" "$HOME/.claude/settings.local.json")

if _matches_deny "$FIRST_CMD" "${DENY_SOURCES[@]}"; then
  exit 0  # Let normal permission flow handle this command
fi

Design choices

• Dynamic: reads deny rules at runtime from all 4 settings files (project + global, shared + local)
• Fallback: walks up $PWD if not in a git repo (covers non-git projects and worktree edge cases)
• Zero config: users don't need to maintain a separate deny list — RTK respects their existing Claude Code
  settings
• Performance: jq on small JSON files adds ~5ms, well within hook timeout

Relationship to #243

#243 proposes exclude_commands config for compatibility reasons (some commands break with RTK). This issue
is complementary — it addresses the security angle: commands that work fine with RTK but should never be
auto-allowed because the user explicitly denied them.

Both could coexist: deny-rule checking as a built-in safety net, exclude_commands as user preference.

Alternative approach

Don't emit permissionDecision: "allow" at all — just return updatedInput and let Claude Code's permission
system evaluate the rewritten command. This would require users to add Bash(rtk:*) to their allow rules and
mirror all deny rules with rtk prefix. Simpler hook, but much worse UX.

Environment

• RTK: 0.22.2
• Claude Code: latest
• OS: Linux

[javaJoe523]

It seems like you could also use this as an opportunity to add a runtime sandboxing layer around the command which inherits permissions from claude code settings and possibly open up to fine tuning permissions at the command type level instead of only at the session level. (i.e. Bash types with a command of rm -rf /* are not allowed)

[Alorse]

This is definitely a big improvement.

One important follow‑up: the current behavior doesn’t only bypass ‎deny rules, it also skips ‎ask rules in ‎.claude/settings.json. Because the hook unconditionally returns ‎permissionDecision: "allow", any command that should require an interactive confirmation is now auto‑approved as well.

@amondnet the new logic correctly checks the ‎deny list before auto‑allowing, but the same consideration needs to be applied to ‎ask rules so that prompts for confirmation still happen when configured. Ideally the hook would respect both ‎deny and ‎ask entries from Claude Code’s permissions instead of blanket‑allowing once the rewrite succeeds.

[pszymkowiak]

Valid security issue. The shell hook (rtk-rewrite.sh) emits permissionDecision: "allow" on all rewritten commands, bypassing deny rules in settings.json.

PR #536 introduces a binary hook engine (rtk hook claude) that handles command routing in Rust. The deny-rule check should be implemented there — reading deny patterns from Claude Code settings files before deciding to rewrite. If a command matches a deny rule, the hook should exit 0 (passthrough to normal permission flow) instead of auto-allowing.

Tracking as part of #536.

[brandonwie]

ask patterns are also bypassed (not just deny)

The proposed fix in the issue description checks deny patterns only, but permissionDecision: "allow" also overrides ask patterns in settings.json. This is a distinct use case worth covering:

Example

{
  "permissions": {
    "ask": [
      "Bash(git push *)",
      "Bash(git push)"
    ]
  }
}

With the hook active:

1. Claude generates git push origin main
2. Hook rewrites → rtk git push origin main
3. Hook returns permissionDecision: "allow" → ask prompt is never shown
4. Push executes without user confirmation

Why ask matters differently than deny

• deny = hard block → bypassing is a security issue (correctly flagged here)
• ask = confirmation prompt → bypassing removes defense-in-depth

For commands like git push, many users configure ask (not deny) because the command is legitimate but should require explicit confirmation. The hook's blanket "allow" removes that confirmation layer.

Suggested extension to the proposed fix

The _matches_deny() function should also check ask patterns. When a command matches an ask rule, the hook should exit 0 (pass through to normal permission flow) instead of emitting permissionDecision: "allow":

_matches_permission_rule() {
  local cmd="$1"
  local rule_key="$2"  # "deny" or "ask"
  shift 2
  for settings_file in "$@"; do
    [ -f "$settings_file" ] || continue
    while IFS= read -r raw; do
      [ -z "$raw" ] && continue
      local inner="${raw#Bash(}"
      inner="${inner%)}"
      if [[ "$inner" == *":*" ]]; then
        local prefix="${inner%:*}"
        [[ "$cmd" == "$prefix" || "$cmd" == "$prefix "* ]] && return 0
      elif [[ "$inner" == *"*" ]]; then
        local prefix="${inner%\*}"
        [[ "$cmd" == "$prefix"* ]] && return 0
      else
        [[ "$cmd" == "$inner" || "$cmd" == "$inner "* ]] && return 0
      fi
    done < <(jq -r ".permissions.${rule_key}[]? | select(startswith(\"Bash(\"))" "$settings_file" 2>/dev/null)
  done
  return 1
}

# Check both deny AND ask before rewriting
if _matches_permission_rule "$FIRST_CMD" "deny" "${DENY_SOURCES[@]}" || \
   _matches_permission_rule "$FIRST_CMD" "ask" "${DENY_SOURCES[@]}"; then
  exit 0  # Let normal permission flow handle this command
fi

This way RTK still rewrites and auto-allows safe commands, but defers to Claude Code's permission system for anything the user has explicitly flagged — whether as deny or ask.

Environment

• RTK: 0.22.2
• Claude Code: latest
• OS: macOS (Darwin 25.3.0)

[GiGurra]

Yeah this is a deal breaker for me. I rely on being asked if claude can execute a command. Maybe I'm naive, but I think I can catch at least most bad use this way. But I'd really like to try rtk, and will as soon as these issues are hopefully resolved :)

[javaJoe523]

I haven't tested this out but it sounds like just changing the code to use

permissionDecision: "ask"

instead of

permissionDecision: "allow"

may fix this because if a command is already setup as don't ask again then it should still respect that but this also allows it to move on to the permissions evaluation phase after this trigger.

UPDATE: Still haven't tested this but did a little more researching and it's not clear if just setting it to ask instead will work but it also seems like the proposed solutions may not work fully either. It seems like the main solution still wouldn't respect some settings like the --dangerously-skip-permissions flag or other internal logic involved in the permission process. Also, the alternative solution seems to assume not specifying permissionDecision would allow normal permissions to run but it seems like from documentation that will still just bypass permissions by treating it as an allow by default.

[hank-bond]

Same issue, different angle: security hooks are also bypassed.

We have a PreToolUse hook that blocks credential-leaking commands (env, printenv, $API_KEY, cat .env, os.environ, etc.). Even when registered before RTK in the same hooks array, and even within the same matcher entry, RTK's permissionDecision: "allow" causes Claude Code to skip our hook for any command RTK rewrites.

In practice this means cat .env gets rewritten to rtk cat .env, auto-allowed, and executed, leaking secrets the hook should have caught.

The deny-rule check proposed above would help for static patterns, but wouldn't cover custom security hooks doing their own inspection. One option that might address both cases: don't emit permissionDecision from rewrite-only hooks, just return updatedInput and let the rest of the permission chain (deny rules, other hooks, user prompts) evaluate normally.

Not sure if there are reasons RTK needs the allow verdict specifically, happy to hear if there are tradeoffs I'm missing.