security: lockdown template ships Bash git catch-all + drops interpreter denies #115

Open
opened 2026-05-27 07:07:52 +00:00 by coilysiren · 0 comments
Owner

Source: background security review on coilysiren/agent-guard@ed3bbb1 (.claude/settings.json).

Finding (HIGH, Agent/Subprocess Permission Bypass): The lockdown output narrowed deny: and replaced the per-subcommand git allowlist (Bash(git blame:*), Bash(git diff:*), Bash(git log:*), Bash(git show:*), Bash(git status:*), Bash(git rev-parse:*), Bash(git ls-files:*), Bash(git config --get:*), Bash(git branch:*), Bash(git remote:*)) with a catch-all Bash(git:*). Plus the deny list dropped entries for bash, sh, zsh, dash, ksh, fish, python, python3, node, deno, ruby, perl, powershell, pwsh, cmd, cscript, wscript, mshta, rundll32, regsvr32, osascript, exec, env, xargs, echo*$*, printf*$*.

Reviewer's concern: Bash(git:*) permits dangerous flags like git -c core.sshCommand=... and git fetch --upload-pack=... that yield command execution. The dropped interpreter denies expand the shell-out surface.

Question for triage:

  1. Is this intentional, with the runtime PreToolUse hook (agent-guard hook pre-tool-use / coily hook pre-tool-use) covering risky git invocations + interpreter shells dynamically, making the static deny list redundant?
  2. Or is it drift in the lockdown template that should be reverted to the verbose per-subcommand git allow + interpreter deny list?

Affected output: every coily lockdown --apply --replace consumer. Visible in coilysiren/agent-guard at the post-merge regen.
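
An added example, not part of the issue or of agent-guard/coily: a Python check that flags the two regressions described above in a parsed `.claude/settings.json`. It assumes rules live under `permissions.allow` / `permissions.deny` and that interpreter denies are written `Bash(<name>:*)`; the function names and sample documents are constructed for illustration, and the `echo*$*` / `printf*$*` patterns are left out because the issue does not show their rule form.

```python
import json
import re

# Per-subcommand git allows and interpreter denies named in the issue.
GIT_ALLOWED = {"blame", "diff", "log", "show", "status", "rev-parse",
               "ls-files", "config --get", "branch", "remote"}
INTERPRETERS = ["bash", "sh", "zsh", "dash", "ksh", "fish", "python",
                "python3", "node", "deno", "ruby", "perl", "powershell",
                "pwsh", "cmd", "cscript", "wscript", "mshta", "rundll32",
                "regsvr32", "osascript", "exec", "env", "xargs"]
RULE = re.compile(r"^Bash\((.*)\)$")


def bash_prefix(rule):
    """Return the command prefix of a Bash(...) rule, or None for other tools."""
    m = RULE.match(rule.strip())
    if not m:
        return None
    return m.group(1).removesuffix(":*").strip()


def audit(settings):
    """Return a list of findings for one parsed settings document."""
    perms = settings.get("permissions", {})  # assumed layout
    allow = [p for p in map(bash_prefix, perms.get("allow", [])) if p is not None]
    deny = {p for p in map(bash_prefix, perms.get("deny", [])) if p is not None}
    findings = []
    for prefix in allow:
        if prefix in ("git", "", "*"):
            findings.append(f"catch-all Bash allow: {prefix!r}")
        elif prefix.startswith("git ") and prefix[4:] not in GIT_ALLOWED:
            findings.append(f"git subcommand outside reviewed list: {prefix}")
    missing = [name for name in INTERPRETERS if name not in deny]
    if missing:
        findings.append("missing interpreter denies: " + ", ".join(missing))
    return findings


# Constructed sample inputs, not the real agent-guard settings file.
DRIFTED = json.loads("""{"permissions": {
  "allow": ["Bash(git:*)", "Read"],
  "deny": ["Bash(rm:*)"]}}""")
VERBOSE = {"permissions": {
    "allow": [f"Bash(git {s}:*)" for s in sorted(GIT_ALLOWED)],
    "deny": [f"Bash({n}:*)" for n in INTERPRETERS]}}

if __name__ == "__main__":
    for label, doc in (("drifted", DRIFTED), ("verbose", VERBOSE)):
        print(label, audit(doc) or "ok")
```

Run against the regenerated template output in CI, a non-empty result would surface this kind of drift before it reaches `coily lockdown --apply --replace` consumers.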

Reference
coilyco-bridge/coily#115