Claude Code's Deny List Bypass: How to Protect Your Codebase from Compound Commands

Dev.to AI
Generative AI, AI Research

Claude Code's deny lists only check the first token of compound commands, allowing dangerous actions like 'git clean' to slip through. Here's how to protect yourself.

The Vulnerability - First-Token-Only Evaluation

A critical flaw in Claude Code's permission system allows dangerous commands to bypass deny lists when chained with other operations. The deny rule evaluator only checks the first token of a Bash command.
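The following is an added illustration, not Claude Code's own code: a toy deny-list evaluator that reproduces the first-command-only behaviour described above next to a hardened version that checks every simple command in a chained line and fails closed on constructs a word-level match cannot see through. The deny-list format, the operator set and the `WRAPPERS` list are constructed for this example.

```python
import shlex

# Constructed deny list for this example: a command is denied when its leading
# words match an entry. 'git clean' is the page's case; 'rm -rf' is added here.
DENY_LIST = [("git", "clean"), ("rm", "-rf")]
# Shell control operators that separate or chain simple commands.
OPERATORS = {"&&", "||", ";", "|", "&"}
# Commands that execute a string, hiding the real command from a token check.
WRAPPERS = {"eval", "sh", "bash"}


def split_commands(command: str) -> list[list[str]]:
    """Tokenize a shell line (quotes respected) and split it into simple
    commands at control operators: 'a && b; c' -> [['a'], ['b'], ['c']]."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments, current = [], []
    for tok in lexer:
        if tok in OPERATORS:
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


def _is_denied(words: list[str]) -> bool:
    return any(tuple(words[:len(p)]) == p for p in DENY_LIST)


def naive_check(command: str) -> bool:
    """The flawed behaviour the page describes: only the first simple
    command is compared against the deny list, so 'x && git clean' passes."""
    segments = split_commands(command)
    return bool(segments) and _is_denied(segments[0])


def hardened_check(command: str) -> bool:
    """Deny if ANY simple command in the line matches, and fail closed on
    constructs a word-level matcher cannot evaluate: command substitution
    and string-executing wrappers such as 'bash -c'."""
    if "$(" in command or "`" in command:
        return True
    return any(_is_denied(seg) or seg[0] in WRAPPERS
               for seg in split_commands(command))
```

Quoted text is kept as a single word by the POSIX tokenizer, so `echo 'git clean'` is not a false positive, while `bash -c '...'` and `$(...)` are denied outright because their effective command is only known at execution time.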