π File detail
tools/BashTool/pathValidation.ts
𧩠.tsπ 1,304 linesπΎ 43,679 bytesπ text
β Back to All Filesπ― Use case
This module implements the βBashToolβ tool (Bash) β something the model can call at runtime alongside other agent tools. On the API surface it exposes PathCommand, PATH_EXTRACTORS, COMMAND_OPERATION_TYPE, createPathChecker, and checkPathConstraints (and more) β mainly functions, hooks, or classes. Dependencies touch Node OS/process metadata, Node path helpers, and schema validation. It composes internal code from Tool, utils, BashTool, bashPermissions, and sedValidation (relative imports).
Generated from folder role, exports, dependency roots, and inline comments β not hand-reviewed for every path.
π§ Inline summary
import { homedir } from 'os' import { isAbsolute, resolve } from 'path' import type { z } from 'zod/v4' import type { ToolPermissionContext } from '../../Tool.js' import type { Redirect, SimpleCommand } from '../../utils/bash/ast.js'
π€ Exports (heuristic)
PathCommandPATH_EXTRACTORSCOMMAND_OPERATION_TYPEcreatePathCheckercheckPathConstraintsstripWrappersFromArgv
π External import roots
Package roots from from "β¦" (relative paths omitted).
ospathzod
π₯οΈ Source preview
import { homedir } from 'os'
import { isAbsolute, resolve } from 'path'
import type { z } from 'zod/v4'
import type { ToolPermissionContext } from '../../Tool.js'
import type { Redirect, SimpleCommand } from '../../utils/bash/ast.js'
import {
extractOutputRedirections,
splitCommand_DEPRECATED,
} from '../../utils/bash/commands.js'
import { tryParseShellCommand } from '../../utils/bash/shellQuote.js'
import { getDirectoryForPath } from '../../utils/path.js'
import { allWorkingDirectories } from '../../utils/permissions/filesystem.js'
import type { PermissionResult } from '../../utils/permissions/PermissionResult.js'
import { createReadRuleSuggestion } from '../../utils/permissions/PermissionUpdate.js'
import type { PermissionUpdate } from '../../utils/permissions/PermissionUpdateSchema.js'
import {
expandTilde,
type FileOperationType,
formatDirectoryList,
isDangerousRemovalPath,
validatePath,
} from '../../utils/permissions/pathValidation.js'
import type { BashTool } from './BashTool.js'
import { stripSafeWrappers } from './bashPermissions.js'
import { sedCommandIsAllowedByAllowlist } from './sedValidation.js'
export type PathCommand =
| 'cd'
| 'ls'
| 'find'
| 'mkdir'
| 'touch'
| 'rm'
| 'rmdir'
| 'mv'
| 'cp'
| 'cat'
| 'head'
| 'tail'
| 'sort'
| 'uniq'
| 'wc'
| 'cut'
| 'paste'
| 'column'
| 'tr'
| 'file'
| 'stat'
| 'diff'
| 'awk'
| 'strings'
| 'hexdump'
| 'od'
| 'base64'
| 'nl'
| 'grep'
| 'rg'
| 'sed'
| 'git'
| 'jq'
| 'sha256sum'
| 'sha1sum'
| 'md5sum'
/**
* Checks if an rm/rmdir command targets dangerous paths that should always
* require explicit user approval, even if allowlist rules exist.
* This prevents catastrophic data loss from commands like `rm -rf /`.
*/
function checkDangerousRemovalPaths(
command: 'rm' | 'rmdir',
args: string[],
cwd: string,
): PermissionResult {
// Extract paths using the existing path extractor
const extractor = PATH_EXTRACTORS[command]
const paths = extractor(args)
for (const path of paths) {
// Expand tilde and resolve to absolute path
// NOTE: We check the path WITHOUT resolving symlinks, because dangerous paths
// like /tmp should be caught even though /tmp is a symlink to /private/tmp on macOS
const cleanPath = expandTilde(path.replace(/^['"]|['"]$/g, ''))
const absolutePath = isAbsolute(cleanPath)
? cleanPath
: resolve(cwd, cleanPath)
// Check if this is a dangerous path (using the non-symlink-resolved path)
if (isDangerousRemovalPath(absolutePath)) {
return {
behavior: 'ask',
message: `Dangerous ${command} operation detected: '${absolutePath}'\n\nThis command would remove a critical system directory. This requires explicit approval and cannot be auto-allowed by permission rules.`,
decisionReason: {
type: 'other',
reason: `Dangerous ${command} operation on critical path: ${absolutePath}`,
},
// Don't provide suggestions - we don't want to encourage saving dangerous commands
suggestions: [],
}
}
}
// No dangerous paths found
return {
behavior: 'passthrough',
message: `No dangerous removals detected for ${command} command`,
}
}
/**
* SECURITY: Extract positional (non-flag) arguments, correctly handling the
* POSIX `--` end-of-options delimiter.
*
* Most commands (rm, cat, touch, etc.) stop parsing options at `--` and treat
* ALL subsequent arguments as positional, even if they start with `-`. Naive
* `!arg.startsWith('-')` filtering drops these, causing path validation to be
* silently skipped for attack payloads like:
*
* rm -- -/../.claude/settings.local.json
*
* Here `-/../.claude/settings.local.json` starts with `-` so the naive filter
* drops it, validation sees zero paths, returns passthrough, and the file is
* deleted without a prompt. With `--` handling, the path IS extracted and
* validated (blocked by isClaudeConfigFilePath / pathInAllowedWorkingPath).
*/
function filterOutFlags(args: string[]): string[] {
const result: string[] = []
let afterDoubleDash = false
for (const arg of args) {
if (afterDoubleDash) {
result.push(arg)
} else if (arg === '--') {
afterDoubleDash = true
} else if (!arg?.startsWith('-')) {
result.push(arg)
}
}
return result
}
// Helper: Parse grep/rg style commands (pattern then paths)
function parsePatternCommand(
args: string[],
flagsWithArgs: Set<string>,
defaults: string[] = [],
): string[] {
const paths: string[] = []
let patternFound = false
// SECURITY: Track `--` end-of-options delimiter. After `--`, all args are
// positional regardless of leading `-`. See filterOutFlags() doc comment.
let afterDoubleDash = false
for (let i = 0; i < args.length; i++) {
const arg = args[i]
if (arg === undefined || arg === null) continue
if (!afterDoubleDash && arg === '--') {
afterDoubleDash = true
continue
}
if (!afterDoubleDash && arg.startsWith('-')) {
const flag = arg.split('=')[0]
// Pattern flags mark that we've found the pattern
if (flag && ['-e', '--regexp', '-f', '--file'].includes(flag)) {
patternFound = true
}
// Skip next arg if flag needs it
if (flag && flagsWithArgs.has(flag) && !arg.includes('=')) {
i++
}
continue
}
// First non-flag is pattern, rest are paths
if (!patternFound) {
patternFound = true
continue
}
paths.push(arg)
}
return paths.length > 0 ? paths : defaults
}
/**
* Extracts paths from command arguments for different path commands.
* Each command has specific logic for how it handles paths and flags.
*/
export const PATH_EXTRACTORS: Record<
PathCommand,
(args: string[]) => string[]
> = {
// cd: special case - all args form one path
cd: args => (args.length === 0 ? [homedir()] : [args.join(' ')]),
// ls: filter flags, default to current dir
ls: args => {
const paths = filterOutFlags(args)
return paths.length > 0 ? paths : ['.']
},
// find: collect paths until hitting a real flag, also check path-taking flags
// SECURITY: `find -- -path` makes `-path` a starting point (not a predicate).
// GNU find supports `--` to allow search roots starting with `-`. After `--`,
// we conservatively collect all remaining args as paths to validate. This
// over-includes predicates like `-name foo`, but find is a read-only op and
// predicates resolve to paths within cwd (allowed), so no false blocks for
// legitimate use. The over-inclusion ensures attack paths like
// `find -- -/../../etc` are caught.
find: args => {
const paths: string[] = []
const pathFlags = new Set([
'-newer',
'-anewer',
'-cnewer',
'-mnewer',
'-samefile',
'-path',
'-wholename',
'-ilname',
'-lname',
'-ipath',
'-iwholename',
])
const newerPattern = /^-newer[acmBt][acmtB]$/
let foundNonGlobalFlag = false
let afterDoubleDash = false
for (let i = 0; i < args.length; i++) {
const arg = args[i]
if (!arg) continue
if (afterDoubleDash) {
paths.push(arg)
continue
}
if (arg === '--') {
afterDoubleDash = true
continue
}
// Handle flags
if (arg.startsWith('-')) {
// Global options don't stop collection
if (['-H', '-L', '-P'].includes(arg)) continue
// Mark that we've seen a non-global flag
foundNonGlobalFlag = true
// Check if this flag takes a path argument
if (pathFlags.has(arg) || newerPattern.test(arg)) {
const nextArg = args[i + 1]
if (nextArg) {
paths.push(nextArg)
i++ // Skip the path we just processed
}
}
continue
}
// Only collect non-flag arguments before first non-global flag
if (!foundNonGlobalFlag) {
paths.push(arg)
}
}
return paths.length > 0 ? paths : ['.']
},
// All simple commands: just filter out flags
mkdir: filterOutFlags,
touch: filterOutFlags,
rm: filterOutFlags,
rmdir: filterOutFlags,
mv: filterOutFlags,
cp: filterOutFlags,
cat: filterOutFlags,
head: filterOutFlags,
tail: filterOutFlags,
sort: filterOutFlags,
uniq: filterOutFlags,
wc: filterOutFlags,
cut: filterOutFlags,
paste: filterOutFlags,
column: filterOutFlags,
file: filterOutFlags,
stat: filterOutFlags,
diff: filterOutFlags,
awk: filterOutFlags,
strings: filterOutFlags,
hexdump: filterOutFlags,
od: filterOutFlags,
base64: filterOutFlags,
nl: filterOutFlags,
sha256sum: filterOutFlags,
sha1sum: filterOutFlags,
md5sum: filterOutFlags,
// tr: special case - skip character sets
tr: args => {
const hasDelete = args.some(
a =>
a === '-d' ||
a === '--delete' ||
(a.startsWith('-') && a.includes('d')),
)
const nonFlags = filterOutFlags(args)
return nonFlags.slice(hasDelete ? 1 : 2) // Skip SET1 or SET1+SET2
},
// grep: pattern then paths, defaults to stdin
grep: args => {
const flags = new Set([
'-e',
'--regexp',
'-f',
'--file',
'--exclude',
'--include',
'--exclude-dir',
'--include-dir',
'-m',
'--max-count',
'-A',
'--after-context',
'-B',
'--before-context',
'-C',
'--context',
])
const paths = parsePatternCommand(args, flags)
// Special: if -r/-R flag present and no paths, use current dir
if (
paths.length === 0 &&
args.some(a => ['-r', '-R', '--recursive'].includes(a))
) {
return ['.']
}
return paths
},
// rg: pattern then paths, defaults to current dir
rg: args => {
const flags = new Set([
'-e',
'--regexp',
'-f',
'--file',
'-t',
'--type',
'-T',
'--type-not',
'-g',
'--glob',
'-m',
'--max-count',
'--max-depth',
'-r',
'--replace',
'-A',
'--after-context',
'-B',
'--before-context',
'-C',
'--context',
])
return parsePatternCommand(args, flags, ['.'])
},
// sed: processes files in-place or reads from stdin
sed: args => {
const paths: string[] = []
let skipNext = false
let scriptFound = false
// SECURITY: Track `--` end-of-options delimiter. After `--`, all args are
// positional regardless of leading `-`. See filterOutFlags() doc comment.
let afterDoubleDash = false
for (let i = 0; i < args.length; i++) {
if (skipNext) {
skipNext = false
continue
}
const arg = args[i]
if (!arg) continue
if (!afterDoubleDash && arg === '--') {
afterDoubleDash = true
continue
}
// Handle flags (only before `--`)
if (!afterDoubleDash && arg.startsWith('-')) {
// -f flag: next arg is a script file that needs validation
if (['-f', '--file'].includes(arg)) {
const scriptFile = args[i + 1]
if (scriptFile) {
paths.push(scriptFile) // Add script file to paths for validation
skipNext = true
}
scriptFound = true
}
// -e flag: next arg is expression, not a file
else if (['-e', '--expression'].includes(arg)) {
skipNext = true
scriptFound = true
}
// Combined flags like -ie or -nf
else if (arg.includes('e') || arg.includes('f')) {
scriptFound = true
}
continue
}
// First non-flag is the script (if not already found via -e/-f)
if (!scriptFound) {
scriptFound = true
continue
}
// Rest are file paths
paths.push(arg)
}
return paths
},
// jq: filter then file paths (similar to grep)
// The jq command structure is: jq [flags] filter [files...]
// If no files are provided, jq reads from stdin
jq: args => {
const paths: string[] = []
const flagsWithArgs = new Set([
'-e',
'--expression',
'-f',
'--from-file',
'--arg',
'--argjson',
'--slurpfile',
'--rawfile',
'--args',
'--jsonargs',
'-L',
'--library-path',
'--indent',
'--tab',
])
let filterFound = false
// SECURITY: Track `--` end-of-options delimiter. After `--`, all args are
// positional regardless of leading `-`. See filterOutFlags() doc comment.
let afterDoubleDash = false
for (let i = 0; i < args.length; i++) {
const arg = args[i]
if (arg === undefined || arg === null) continue
if (!afterDoubleDash && arg === '--') {
afterDoubleDash = true
continue
}
if (!afterDoubleDash && arg.startsWith('-')) {
const flag = arg.split('=')[0]
// Pattern flags mark that we've found the filter
if (flag && ['-e', '--expression'].includes(flag)) {
filterFound = true
}
// Skip next arg if flag needs it
if (flag && flagsWithArgs.has(flag) && !arg.includes('=')) {
i++
}
continue
}
// First non-flag is filter, rest are file paths
if (!filterFound) {
filterFound = true
continue
}
paths.push(arg)
}
// If no file paths, jq reads from stdin (no paths to validate)
return paths
},
// git: handle subcommands that access arbitrary files outside the repository
git: args => {
// git diff --no-index is special - it explicitly compares files outside git's control
// This flag allows git diff to compare any two files on the filesystem, not just
// files within the repository, which is why it needs path validation
if (args.length >= 1 && args[0] === 'diff') {
if (args.includes('--no-index')) {
// SECURITY: git diff --no-index accepts `--` before file paths.
// Use filterOutFlags which handles `--` correctly instead of naive
// startsWith('-') filtering, to catch paths like `-/../etc/passwd`.
const filePaths = filterOutFlags(args.slice(1))
return filePaths.slice(0, 2) // git diff --no-index expects exactly 2 paths
}
}
// Other git commands (add, rm, mv, show, etc.) operate within the repository context
// and are already constrained by git's own security model, so they don't need
// additional path validation
return []
},
}
const SUPPORTED_PATH_COMMANDS = Object.keys(PATH_EXTRACTORS) as PathCommand[]
const ACTION_VERBS: Record<PathCommand, string> = {
cd: 'change directories to',
ls: 'list files in',
find: 'search files in',
mkdir: 'create directories in',
touch: 'create or modify files in',
rm: 'remove files from',
rmdir: 'remove directories from',
mv: 'move files to/from',
cp: 'copy files to/from',
cat: 'concatenate files from',
head: 'read the beginning of files from',
tail: 'read the end of files from',
sort: 'sort contents of files from',
uniq: 'filter duplicate lines from files in',
wc: 'count lines/words/bytes in files from',
cut: 'extract columns from files in',
paste: 'merge files from',
column: 'format files from',
tr: 'transform text from files in',
file: 'examine file types in',
stat: 'read file stats from',
diff: 'compare files from',
awk: 'process text from files in',
strings: 'extract strings from files in',
hexdump: 'display hex dump of files from',
od: 'display octal dump of files from',
base64: 'encode/decode files from',
nl: 'number lines in files from',
grep: 'search for patterns in files from',
rg: 'search for patterns in files from',
sed: 'edit files in',
git: 'access files with git from',
jq: 'process JSON from files in',
sha256sum: 'compute SHA-256 checksums for files in',
sha1sum: 'compute SHA-1 checksums for files in',
md5sum: 'compute MD5 checksums for files in',
}
export const COMMAND_OPERATION_TYPE: Record<PathCommand, FileOperationType> = {
cd: 'read',
ls: 'read',
find: 'read',
mkdir: 'create',
touch: 'create',
rm: 'write',
rmdir: 'write',
mv: 'write',
cp: 'write',
cat: 'read',
head: 'read',
tail: 'read',
sort: 'read',
uniq: 'read',
wc: 'read',
cut: 'read',
paste: 'read',
column: 'read',
tr: 'read',
file: 'read',
stat: 'read',
diff: 'read',
awk: 'read',
strings: 'read',
hexdump: 'read',
od: 'read',
base64: 'read',
nl: 'read',
grep: 'read',
rg: 'read',
sed: 'write',
git: 'read',
jq: 'read',
sha256sum: 'read',
sha1sum: 'read',
md5sum: 'read',
}
/**
* Command-specific validators that run before path validation.
* Returns true if the command is valid, false if it should be rejected.
* Used to block commands with flags that could bypass path validation.
*/
const COMMAND_VALIDATOR: Partial<
Record<PathCommand, (args: string[]) => boolean>
> = {
mv: (args: string[]) => !args.some(arg => arg?.startsWith('-')),
cp: (args: string[]) => !args.some(arg => arg?.startsWith('-')),
}
function validateCommandPaths(
command: PathCommand,
args: string[],
cwd: string,
toolPermissionContext: ToolPermissionContext,
compoundCommandHasCd?: boolean,
operationTypeOverride?: FileOperationType,
): PermissionResult {
const extractor = PATH_EXTRACTORS[command]
const paths = extractor(args)
const operationType = operationTypeOverride ?? COMMAND_OPERATION_TYPE[command]
// SECURITY: Check command-specific validators (e.g., to block flags that could bypass path validation)
// Some commands like mv/cp have flags (--target-directory=PATH) that can bypass path extraction,
// so we block ALL flags for these commands to ensure security.
const validator = COMMAND_VALIDATOR[command]
if (validator && !validator(args)) {
return {
behavior: 'ask',
message: `${command} with flags requires manual approval to ensure path safety. For security, Claude Code cannot automatically validate ${command} commands that use flags, as some flags like --target-directory=PATH can bypass path validation.`,
decisionReason: {
type: 'other',
reason: `${command} command with flags requires manual approval`,
},
}
}
// SECURITY: Block write operations in compound commands containing 'cd'
// This prevents bypassing path safety checks via directory changes before operations.
// Example attack: cd .claude/ && mv test.txt settings.json
// This would bypass the check for .claude/settings.json because paths are resolved
// relative to the original CWD, not accounting for the cd's effect.
//
// ALTERNATIVE APPROACH: Instead of blocking all writes with cd, we could track the
// effective CWD through the command chain (e.g., after "cd .claude/", subsequent
// commands would be validated with CWD=".claude/"). This would be more permissive
// but requires careful handling of:
// - Relative paths (cd ../foo)
// - Special cd targets (cd ~, cd -, cd with no args)
// - Multiple cd commands in sequence
// - Error cases where cd target cannot be determined
// For now, we take the conservative approach of requiring manual approval.
if (compoundCommandHasCd && operationType !== 'read') {
return {
behavior: 'ask',
message: `Commands that change directories and perform write operations require explicit approval to ensure paths are evaluated correctly. For security, Claude Code cannot automatically determine the final working directory when 'cd' is used in compound commands.`,
decisionReason: {
type: 'other',
reason:
'Compound command contains cd with write operation - manual approval required to prevent path resolution bypass',
},
}
}
for (const path of paths) {
const { allowed, resolvedPath, decisionReason } = validatePath(
path,
cwd,
toolPermissionContext,
operationType,
)
if (!allowed) {
const workingDirs = Array.from(
allWorkingDirectories(toolPermissionContext),
)
const dirListStr = formatDirectoryList(workingDirs)
// Use security check's custom reason if available (type: 'other' or 'safetyCheck')
// Otherwise use the standard "was blocked" message
const message =
decisionReason?.type === 'other' ||
decisionReason?.type === 'safetyCheck'
? decisionReason.reason
: `${command} in '${resolvedPath}' was blocked. For security, Claude Code may only ${ACTION_VERBS[command]} the allowed working directories for this session: ${dirListStr}.`
if (decisionReason?.type === 'rule') {
return {
behavior: 'deny',
message,
decisionReason,
}
}
return {
behavior: 'ask',
message,
blockedPath: resolvedPath,
decisionReason,
}
}
}
// All paths are valid - return passthrough
return {
behavior: 'passthrough',
message: `Path validation passed for ${command} command`,
}
}
export function createPathChecker(
command: PathCommand,
operationTypeOverride?: FileOperationType,
) {
return (
args: string[],
cwd: string,
context: ToolPermissionContext,
compoundCommandHasCd?: boolean,
): PermissionResult => {
// First check normal path validation (which includes explicit deny rules)
const result = validateCommandPaths(
command,
args,
cwd,
context,
compoundCommandHasCd,
operationTypeOverride,
)
// If explicitly denied, respect that (don't override with dangerous path message)
if (result.behavior === 'deny') {
return result
}
// Check for dangerous removal paths AFTER explicit deny rules but BEFORE other results
// This ensures the check runs even if the user has allowlist rules or if glob patterns
// were rejected, but respects explicit deny rules. Dangerous patterns get a specific
// error message that overrides generic glob pattern rejection messages.
if (command === 'rm' || command === 'rmdir') {
const dangerousPathResult = checkDangerousRemovalPaths(command, args, cwd)
if (dangerousPathResult.behavior !== 'passthrough') {
return dangerousPathResult
}
}
// If it's a passthrough, return it directly
if (result.behavior === 'passthrough') {
return result
}
// If it's an ask decision, add suggestions based on the operation type
if (result.behavior === 'ask') {
const operationType =
operationTypeOverride ?? COMMAND_OPERATION_TYPE[command]
const suggestions: PermissionUpdate[] = []
// Only suggest adding directory/rules if we have a blocked path
if (result.blockedPath) {
if (operationType === 'read') {
// For read operations, suggest a Read rule for the directory (only if it exists)
const dirPath = getDirectoryForPath(result.blockedPath)
const suggestion = createReadRuleSuggestion(dirPath, 'session')
if (suggestion) {
suggestions.push(suggestion)
}
} else {
// For write/create operations, suggest adding the directory
suggestions.push({
type: 'addDirectories',
directories: [getDirectoryForPath(result.blockedPath)],
destination: 'session',
})
}
}
// For write operations, also suggest enabling accept-edits mode
if (operationType === 'write' || operationType === 'create') {
suggestions.push({
type: 'setMode',
mode: 'acceptEdits',
destination: 'session',
})
}
result.suggestions = suggestions
}
// Return the decision directly
return result
}
}
/**
* Parses command arguments using shell-quote, converting glob objects to strings.
* This is necessary because shell-quote parses patterns like *.txt as glob objects,
* but we need them as strings for path validation.
*/
function parseCommandArguments(cmd: string): string[] {
const parseResult = tryParseShellCommand(cmd, env => `$${env}`)
if (!parseResult.success) {
// Malformed shell syntax, return empty array
return []
}
const parsed = parseResult.tokens
const extractedArgs: string[] = []
for (const arg of parsed) {
if (typeof arg === 'string') {
// Include empty strings - they're valid arguments (e.g., grep "" /tmp/t)
extractedArgs.push(arg)
} else if (
typeof arg === 'object' &&
arg !== null &&
'op' in arg &&
arg.op === 'glob' &&
'pattern' in arg
) {
// shell-quote parses glob patterns as objects, but we need them as strings for validation
extractedArgs.push(String(arg.pattern))
}
}
return extractedArgs
}
/**
* Validates a single command for path constraints and shell safety.
*
* This function:
* 1. Parses the command arguments
* 2. Checks if it's a path command (cd, ls, find)
* 3. Validates for shell injection patterns
* 4. Validates all paths are within allowed directories
*
* @param cmd - The command string to validate
* @param cwd - Current working directory
* @param toolPermissionContext - Context containing allowed directories
* @param compoundCommandHasCd - Whether the full compound command contains a cd
* @returns PermissionResult - 'passthrough' if not a path command, otherwise validation result
*/
function validateSinglePathCommand(
cmd: string,
cwd: string,
toolPermissionContext: ToolPermissionContext,
compoundCommandHasCd?: boolean,
): PermissionResult {
// SECURITY: Strip wrapper commands (timeout, nice, nohup, time) before extracting
// the base command. Without this, dangerous commands wrapped with these utilities
// would bypass path validation since the wrapper command (e.g., 'timeout') would
// be checked instead of the actual command (e.g., 'rm').
// Example: 'timeout 10 rm -rf /' would otherwise see 'timeout' as the base command.
const strippedCmd = stripSafeWrappers(cmd)
// Parse command into arguments, handling quotes and globs
const extractedArgs = parseCommandArguments(strippedCmd)
if (extractedArgs.length === 0) {
return {
behavior: 'passthrough',
message: 'Empty command - no paths to validate',
}
}
// Check if this is a path command we need to validate
const [baseCmd, ...args] = extractedArgs
if (!baseCmd || !SUPPORTED_PATH_COMMANDS.includes(baseCmd as PathCommand)) {
return {
behavior: 'passthrough',
message: `Command '${baseCmd}' is not a path-restricted command`,
}
}
// For read-only sed commands (e.g., sed -n '1,10p' file.txt),
// validate file paths as read operations instead of write operations.
// sed is normally classified as 'write' for path validation, but when the
// command is purely reading (line printing with -n), file args are read-only.
const operationTypeOverride =
baseCmd === 'sed' && sedCommandIsAllowedByAllowlist(strippedCmd)
? ('read' as FileOperationType)
: undefined
// Validate all paths are within allowed directories
const pathChecker = createPathChecker(
baseCmd as PathCommand,
operationTypeOverride,
)
return pathChecker(args, cwd, toolPermissionContext, compoundCommandHasCd)
}
/**
* Like validateSinglePathCommand but operates on AST-derived argv directly
* instead of re-parsing the command string with shell-quote. Avoids the
* shell-quote single-quote backslash bug that causes parseCommandArguments
* to silently return [] and skip path validation.
*/
function validateSinglePathCommandArgv(
cmd: SimpleCommand,
cwd: string,
toolPermissionContext: ToolPermissionContext,
compoundCommandHasCd?: boolean,
): PermissionResult {
const argv = stripWrappersFromArgv(cmd.argv)
if (argv.length === 0) {
return {
behavior: 'passthrough',
message: 'Empty command - no paths to validate',
}
}
const [baseCmd, ...args] = argv
if (!baseCmd || !SUPPORTED_PATH_COMMANDS.includes(baseCmd as PathCommand)) {
return {
behavior: 'passthrough',
message: `Command '${baseCmd}' is not a path-restricted command`,
}
}
// sed read-only override: use .text for the allowlist check since
// sedCommandIsAllowedByAllowlist takes a string. argv is already
// wrapper-stripped but .text is raw tree-sitter span (includes
// `timeout 5 ` prefix), so strip here too.
const operationTypeOverride =
baseCmd === 'sed' &&
sedCommandIsAllowedByAllowlist(stripSafeWrappers(cmd.text))
? ('read' as FileOperationType)
: undefined
const pathChecker = createPathChecker(
baseCmd as PathCommand,
operationTypeOverride,
)
return pathChecker(args, cwd, toolPermissionContext, compoundCommandHasCd)
}
function validateOutputRedirections(
redirections: Array<{ target: string; operator: '>' | '>>' }>,
cwd: string,
toolPermissionContext: ToolPermissionContext,
compoundCommandHasCd?: boolean,
): PermissionResult {
// SECURITY: Block output redirections in compound commands containing 'cd'
// This prevents bypassing path safety checks via directory changes before redirections.
// Example attack: cd .claude/ && echo "malicious" > settings.json
// The redirection target would be validated relative to the original CWD, but the
// actual write happens in the changed directory after 'cd' executes.
if (compoundCommandHasCd && redirections.length > 0) {
return {
behavior: 'ask',
message: `Commands that change directories and write via output redirection require explicit approval to ensure paths are evaluated correctly. For security, Claude Code cannot automatically determine the final working directory when 'cd' is used in compound commands.`,
decisionReason: {
type: 'other',
reason:
'Compound command contains cd with output redirection - manual approval required to prevent path resolution bypass',
},
}
}
for (const { target } of redirections) {
// /dev/null is always safe - it discards output
if (target === '/dev/null') {
continue
}
const { allowed, resolvedPath, decisionReason } = validatePath(
target,
cwd,
toolPermissionContext,
'create', // Treat > and >> as create operations
)
if (!allowed) {
const workingDirs = Array.from(
allWorkingDirectories(toolPermissionContext),
)
const dirListStr = formatDirectoryList(workingDirs)
// Use security check's custom reason if available (type: 'other' or 'safetyCheck')
// Otherwise use the standard message for deny rules or working directory restrictions
const message =
decisionReason?.type === 'other' ||
decisionReason?.type === 'safetyCheck'
? decisionReason.reason
: decisionReason?.type === 'rule'
? `Output redirection to '${resolvedPath}' was blocked by a deny rule.`
: `Output redirection to '${resolvedPath}' was blocked. For security, Claude Code may only write to files in the allowed working directories for this session: ${dirListStr}.`
// If denied by a deny rule, return 'deny' behavior
if (decisionReason?.type === 'rule') {
return {
behavior: 'deny',
message,
decisionReason,
}
}
return {
behavior: 'ask',
message,
blockedPath: resolvedPath,
decisionReason,
suggestions: [
{
type: 'addDirectories',
directories: [getDirectoryForPath(resolvedPath)],
destination: 'session',
},
],
}
}
}
return {
behavior: 'passthrough',
message: 'No unsafe redirections found',
}
}
/**
* Checks path constraints for commands that access the filesystem (cd, ls, find).
* Also validates output redirections to ensure they're within allowed directories.
*
* @returns
* - 'ask' if any path command or redirection tries to access outside allowed directories
* - 'passthrough' if no path commands were found or if all are within allowed directories
*/
export function checkPathConstraints(
input: z.infer<typeof BashTool.inputSchema>,
cwd: string,
toolPermissionContext: ToolPermissionContext,
compoundCommandHasCd?: boolean,
astRedirects?: Redirect[],
astCommands?: SimpleCommand[],
): PermissionResult {
// SECURITY: Process substitution >(cmd) can execute commands that write to files
// without those files appearing as redirect targets. For example:
// echo secret > >(tee .git/config)
// The tee command writes to .git/config but it's not detected as a redirect.
// Require explicit approval for any command containing process substitution.
// Skip on AST path β process_substitution is in DANGEROUS_TYPES and
// already returned too-complex before reaching here.
if (!astCommands && />>\s*>\s*\(|>\s*>\s*\(|<\s*\(/.test(input.command)) {
return {
behavior: 'ask',
message:
'Process substitution (>(...) or <(...)) can execute arbitrary commands and requires manual approval',
decisionReason: {
type: 'other',
reason: 'Process substitution requires manual approval',
},
}
}
// SECURITY: When AST-derived redirects are available, use them directly
// instead of re-parsing with shell-quote. shell-quote has a known
// single-quote backslash bug that silently merges redirect operators into
// garbled tokens on a successful parse (not a parse failure, so the
// fail-closed guard doesn't help). The AST already resolved targets
// correctly and checkSemantics validated them.
const { redirections, hasDangerousRedirection } = astRedirects
? astRedirectsToOutputRedirections(astRedirects)
: extractOutputRedirections(input.command)
// SECURITY: If we found a redirection operator with a target containing shell expansion
// syntax ($VAR or %VAR%), require manual approval since the target can't be safely validated.
if (hasDangerousRedirection) {
return {
behavior: 'ask',
message: 'Shell expansion syntax in paths requires manual approval',
decisionReason: {
type: 'other',
reason: 'Shell expansion syntax in paths requires manual approval',
},
}
}
const redirectionResult = validateOutputRedirections(
redirections,
cwd,
toolPermissionContext,
compoundCommandHasCd,
)
if (redirectionResult.behavior !== 'passthrough') {
return redirectionResult
}
// SECURITY: When AST-derived commands are available, iterate them with
// pre-parsed argv instead of re-parsing via splitCommand_DEPRECATED + shell-quote.
// shell-quote has a single-quote backslash bug that causes
// parseCommandArguments to silently return [] and skip path validation
// (isDangerousRemovalPath etc). The AST already resolved argv correctly.
if (astCommands) {
for (const cmd of astCommands) {
const result = validateSinglePathCommandArgv(
cmd,
cwd,
toolPermissionContext,
compoundCommandHasCd,
)
if (result.behavior === 'ask' || result.behavior === 'deny') {
return result
}
}
} else {
const commands = splitCommand_DEPRECATED(input.command)
for (const cmd of commands) {
const result = validateSinglePathCommand(
cmd,
cwd,
toolPermissionContext,
compoundCommandHasCd,
)
if (result.behavior === 'ask' || result.behavior === 'deny') {
return result
}
}
}
// Always return passthrough to let other permission checks handle the command
return {
behavior: 'passthrough',
message: 'All path commands validated successfully',
}
}
/**
* Convert AST-derived Redirect[] to the format expected by
* validateOutputRedirections. Filters to output-only redirects (excluding
* fd duplications like 2>&1) and maps operators to '>' | '>>'.
*/
function astRedirectsToOutputRedirections(redirects: Redirect[]): {
redirections: Array<{ target: string; operator: '>' | '>>' }>
hasDangerousRedirection: boolean
} {
const redirections: Array<{ target: string; operator: '>' | '>>' }> = []
for (const r of redirects) {
switch (r.op) {
case '>':
case '>|':
case '&>':
redirections.push({ target: r.target, operator: '>' })
break
case '>>':
case '&>>':
redirections.push({ target: r.target, operator: '>>' })
break
case '>&':
// >&N (digits only) is fd duplication (e.g. 2>&1, >&10), not a file
// write. >&file is the deprecated form of &>file (redirect to file).
if (!/^\d+$/.test(r.target)) {
redirections.push({ target: r.target, operator: '>' })
}
break
case '<':
case '<<':
case '<&':
case '<<<':
// input redirects β skip
break
}
}
// AST targets are fully resolved (no shell expansion) β checkSemantics
// already validated them. No dangerous redirections are possible.
return { redirections, hasDangerousRedirection: false }
}
// βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
// Argv-level safe-wrapper stripping (timeout, nice, stdbuf, env, time, nohup)
//
// This is the CANONICAL stripWrappersFromArgv. bashPermissions.ts still
// exports an older narrower copy (timeout/nice-n-N only) that is DEAD CODE
// β no prod consumer β but CANNOT be removed: bashPermissions.ts is right
// at Bun's feature() DCE complexity threshold, and deleting ~80 lines from
// that module silently breaks feature('BASH_CLASSIFIER') evaluation (drops
// every pendingClassifierCheck spread). Verified in PR #21503 round 3:
// baseline classifier tests 30/30 pass, after deletion 22/30 fail. See
// team memory: bun-feature-dce-cliff.md. Hit 3Γ in PR #21075 + twice in
// #21503. The expanded version lives here (the only prod consumer) instead.
//
// KEEP IN SYNC with:
// - SAFE_WRAPPER_PATTERNS in bashPermissions.ts (text-based stripSafeWrappers)
// - the wrapper-stripping loop in checkSemantics (src/utils/bash/ast.ts ~1860)
// If you add a wrapper in either, add it here too. Asymmetry means
// checkSemantics exposes the wrapped command to semantic checks but path
// validation sees the wrapper name β passthrough β wrapped paths never
// validated (PR #21503 review comment 2907319120).
// βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
// SECURITY: allowlist for timeout flag VALUES (signals are TERM/KILL/9,
// durations are 5/5s/10.5). Rejects $ ( ) ` | ; & and newlines that
// previously matched via [^ \t]+ β `timeout -k$(id) 10 ls` must NOT strip.
const TIMEOUT_FLAG_VALUE_RE = /^[A-Za-z0-9_.+-]+$/
/**
* Parse timeout's GNU flags (long + short, fused + space-separated) and
* return the argv index of the DURATION token, or -1 if flags are unparseable.
*/
function skipTimeoutFlags(a: readonly string[]): number {
let i = 1
while (i < a.length) {
const arg = a[i]!
const next = a[i + 1]
if (
arg === '--foreground' ||
arg === '--preserve-status' ||
arg === '--verbose'
)
i++
else if (/^--(?:kill-after|signal)=[A-Za-z0-9_.+-]+$/.test(arg)) i++
else if (
(arg === '--kill-after' || arg === '--signal') &&
next &&
TIMEOUT_FLAG_VALUE_RE.test(next)
)
i += 2
else if (arg === '--') {
i++
break
} // end-of-options marker
else if (arg.startsWith('--')) return -1
else if (arg === '-v') i++
else if (
(arg === '-k' || arg === '-s') &&
next &&
TIMEOUT_FLAG_VALUE_RE.test(next)
)
i += 2
else if (/^-[ks][A-Za-z0-9_.+-]+$/.test(arg)) i++
else if (arg.startsWith('-')) return -1
else break
}
return i
}
/**
* Parse stdbuf's flags (-i/-o/-e in fused/space-separated/long-= forms).
* Returns argv index of wrapped COMMAND, or -1 if unparseable or no flags
* consumed (stdbuf without flags is inert). Mirrors checkSemantics (ast.ts).
*/
function skipStdbufFlags(a: readonly string[]): number {
let i = 1
while (i < a.length) {
const arg = a[i]!
if (/^-[ioe]$/.test(arg) && a[i + 1]) i += 2
else if (/^-[ioe]./.test(arg)) i++
else if (/^--(input|output|error)=/.test(arg)) i++
else if (arg.startsWith('-'))
return -1 // unknown flag: fail closed
else break
}
return i > 1 && i < a.length ? i : -1
}
/**
* Parse env's VAR=val and safe flags (-i/-0/-v/-u NAME). Returns argv index
* of wrapped COMMAND, or -1 if unparseable/no wrapped cmd. Rejects -S (argv
* splitter), -C/-P (altwd/altpath). Mirrors checkSemantics (ast.ts).
*/
function skipEnvFlags(a: readonly string[]): number {
let i = 1
while (i < a.length) {
const arg = a[i]!
if (arg.includes('=') && !arg.startsWith('-')) i++
else if (arg === '-i' || arg === '-0' || arg === '-v') i++
else if (arg === '-u' && a[i + 1]) i += 2
else if (arg.startsWith('-'))
return -1 // -S/-C/-P/unknown: fail closed
else break
}
return i < a.length ? i : -1
}
/**
* Argv-level counterpart to stripSafeWrappers (bashPermissions.ts). Strips
* wrapper commands from AST-derived argv. Env vars are already separated
* into SimpleCommand.envVars so no env-var stripping here.
*/
export function stripWrappersFromArgv(argv: string[]): string[] {
let a = argv
for (;;) {
if (a[0] === 'time' || a[0] === 'nohup') {
a = a.slice(a[1] === '--' ? 2 : 1)
} else if (a[0] === 'timeout') {
const i = skipTimeoutFlags(a)
// SECURITY (PR #21503 round 3): unrecognized duration (`.5`, `+5`,
// `inf` β strtod formats GNU timeout accepts) β return a unchanged.
// Safe because checkSemantics (ast.ts) fails CLOSED on the same input
// and runs first in bashToolHasPermission, so we never reach here.
if (i < 0 || !a[i] || !/^\d+(?:\.\d+)?[smhd]?$/.test(a[i]!)) return a
a = a.slice(i + 1)
} else if (a[0] === 'nice') {
// SECURITY (PR #21503 round 3): mirror checkSemantics β handle bare
// `nice cmd` and legacy `nice -N cmd`, not just `nice -n N cmd`.
// Previously only `-n N` was stripped: `nice rm /outside` β
// baseCmd='nice' β passthrough β /outside never path-validated.
if (a[1] === '-n' && a[2] && /^-?\d+$/.test(a[2]))
a = a.slice(a[3] === '--' ? 4 : 3)
else if (a[1] && /^-\d+$/.test(a[1])) a = a.slice(a[2] === '--' ? 3 : 2)
else a = a.slice(a[1] === '--' ? 2 : 1)
} else if (a[0] === 'stdbuf') {
// SECURITY (PR #21503 round 3): PR-WIDENED. Pre-PR, `stdbuf -o0 -eL rm`
// was rejected by fragment check (old checkSemantics slice(2) left
// name='-eL'). Post-PR, checkSemantics strips both flags β name='rm'
// β passes. But stripWrappersFromArgv returned unchanged β
// baseCmd='stdbuf' β not in SUPPORTED_PATH_COMMANDS β passthrough.
const i = skipStdbufFlags(a)
if (i < 0) return a
a = a.slice(i)
} else if (a[0] === 'env') {
// Same asymmetry: checkSemantics strips env, we didn't.
const i = skipEnvFlags(a)
if (i < 0) return a
a = a.slice(i)
} else {
return a
}
}
}