Protecting Codebases from Compound Command Vulnerabilities in Claude Code

A critical flaw in Claude Code's permission system allows dangerous commands to bypass deny lists when chained with other operations. The article explains the vulnerability and provides a working fix as well as an immediate protection solution.

Details

The article describes a critical flaw in Claude Code's permission system that allows dangerous commands to bypass deny lists when chained with other operations. The deny rule evaluator only checks the first token of a Bash command, so if 'git clean' is on the deny list, it will block 'git clean -fd' but allow 'git fetch && git pull && git clean -fd'. This is not a theoretical issue, as it has been documented in multiple GitHub reports. The problem affects both deny lists and allow lists, as the parser evaluates only the initial command token and permits or blocks the entire compound expression based on that single check. While this is not about adversarial prompts, it is a significant vulnerability that can lead to unintended consequences, such as the working tree being deleted. The article presents a community-submitted fix (PR #36645) that adds proper compound command parsing to Claude Code's PreToolUse hooks, as well as an immediate protection solution in the form of a Bash guard script that can be used while waiting for the official fix.