Agents
Claude Code Deny Rule Bypass: Shell Security Rules Silently Disabled After 50 Subcommands in Compound Commands
Adversa AI disclosed that Claude Code's deny-rule enforcement silently stops working when a shell command contains more than 50 subcommands (joined by &&, ||, or ;). The root cause: internal ticket CC-643 capped security analysis at 50 subcommands to prevent UI freezes from token costs, falling back to a generic auto-allowable prompt. A secure tree-sitter parser existed in the same repo but was never deployed to the legacy regex parser shipping to customers. Practical attack: a malicious CLAUDE.md with 50 benign build steps and an exfiltration command at position 51. Patched in v2.1.90.
Source
↳ Follow the thread