
[BUG] Sandbox doesn't work with wildcard (asterisk) #16626

@impactaky

Preflight Checklist

  • I have searched existing issues and this hasn't been reported yet
  • This is a single bug report (please file separate reports for different bugs)
  • I am using the latest version of Claude Code

What's Wrong?

The sandbox feature doesn't mount /dev/null to the specific path if a wildcard is used.

What Should Happen?

Extract the wildcard pattern and apply the option to bwrap.
Or update the documentation so it does not use a wildcard pattern.

Error Messages/Logs

Steps to Reproduce

Works well without wildcard

If I specify Deny Read without a wildcard, it works well.

.claude/settings.json

{
  "permissions": {
    "deny": [
      "Read(~/test/token.env)"
    ]
  }
}

And the output is like this:

> Show ~/test/token.env

● Read(~/test/token.env)
  ⎿  Error reading file

● I cannot read that file. ~/test/token.env is in a denied directory according to the permission settings - it appears to be explicitly blocked from being read, likely because it contains sensitive tokens or credentials.

> Execute ./read_token.sh

● Bash(./read_token.sh)
  ⎿  Error: Exit code 1
     cat: /home/impactaky/test/token.env: Permission denied

● The script failed with "Permission denied". It appears the script attempts to read /home/impactaky/test/token.env using cat, but that file is blocked by the sandbox restrictions. The same permission that prevented me from reading the file directly also prevents shell commands from accessing it.

Doesn't work with wildcard

If I use a wildcard as in the Claude Code docs, it doesn't work with Bash.
The wildcard expansion and path disabling should be performed.
I confirmed this with both "Read(~/test/*.env)" and "Read(~/test/**)".

> exec ./read_token.sh

● Bash(zsh -c './read_token.sh')
  ⎿  secret_token=xxxxxxxxxxx

> Show ~/test/token.env

● Read(~/test/token.env)
  ⎿  Error reading file

● The file /home/impactaky/test/token.env is in a directory that's denied by permission settings. I cannot read files from that location.

  If you need to access this file, you could:
  1. Copy it to the current working directory (/mnt/ext1/xxx)
  2. Adjust the permission settings to allow access to that directory

> Execute ./read_token.sh

● Bash(./read_token.sh)
  ⎿  secret_token=xxxxxxxxxxx

● The script executed successfully and output:
  secret_token=xxxxxxxxxxx

Claude Model

Opus

Is this a regression?

Yes, this worked in a previous version

Last Working Version

No response

Claude Code Version

2.0.76

Platform

Anthropic API

Operating System

Ubuntu/Debian Linux

Terminal/Shell

Other

Additional Information
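One way to realise "extract the wildcard pattern and apply the option to bwrap", as an added Python example that is not Claude Code's implementation: the Read(<pattern>) rule syntax is taken from the report, masking each match by bind-mounting /dev/null over it (bwrap --ro-bind) is an assumed approach, and the fixture files under a temporary home are constructed.

```python
"""Expand wildcard deny rules into bwrap arguments that mask every match.
Added example, not Claude Code's own code: the Read(<pattern>) syntax is from
the report; bind-mounting /dev/null over each matched file is an assumed fix."""
import glob
import os
import re
import tempfile

RULE_RE = re.compile(r"^Read\((.+)\)$")

def deny_patterns(settings: dict) -> list:
    """Return the path patterns of all Read(...) entries in permissions.deny."""
    out = []
    for rule in settings.get("permissions", {}).get("deny", []):
        m = RULE_RE.match(rule)
        if m:
            out.append(m.group(1))
    return out

def expand(pattern: str, home: str) -> list:
    """Expand ~ and the glob wildcards * and ** into existing regular files."""
    path = home + pattern[1:] if pattern.startswith("~") else pattern
    # recursive=True lets ** match across directory boundaries; * does not
    return sorted(p for p in glob.glob(path, recursive=True) if os.path.isfile(p))

def bwrap_args(settings: dict, home: str) -> list:
    """Build the bwrap arguments that hide every denied file behind /dev/null."""
    args = []
    for pat in deny_patterns(settings):
        for path in expand(pat, home):
            args += ["--ro-bind", "/dev/null", path]
    return args

def demo(pattern: str = "~/test/*.env") -> list:
    """Constructed fixture: a fake home with a few files, then the args for it."""
    with tempfile.TemporaryDirectory() as home:
        os.makedirs(os.path.join(home, "test", "sub"))
        for rel in ("test/token.env", "test/sub/deep.env", "test/notes.txt"):
            with open(os.path.join(home, rel), "w") as f:
                f.write("secret_token=xxxxxxxxxxx\n")  # constructed sample secret
        settings = {"permissions": {"deny": ["Read(%s)" % pattern]}}
        # Replace the temp prefix with ~ so the result reads like the report
        return [a.replace(home, "~") for a in bwrap_args(settings, home)]

if __name__ == "__main__":
    print(demo())             # only ~/test/token.env is masked
    print(demo("~/test/**"))  # every file below ~/test is masked
```

Because the pattern is expanded when the sandbox is built, a matching file created after the bwrap process starts is not masked; a sandbox that relies on this would need to re-expand the rules on each invocation.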
