Skip to content

fix: enforce denied commands regardless of auto-approval settings#12293

Draft
roomote-v0[bot] wants to merge 1 commit intomainfrom
fix/denied-commands-always-enforced
Draft

fix: enforce denied commands regardless of auto-approval settings#12293
roomote-v0[bot] wants to merge 1 commit intomainfrom
fix/denied-commands-always-enforced

Conversation

@roomote-v0
Copy link
Copy Markdown
Contributor

@roomote-v0 roomote-v0 Bot commented May 8, 2026
edited
Loading

Related GitHub Issue

Closes: #12292

Description

This PR attempts to address Issue #12292. Feedback and guidance are welcome.

Problem: The denied commands list was only checked inside the alwaysAllowExecute === true guard in checkAutoApproval(). This meant:

  1. When alwaysAllowExecute was false, the deny list was completely ignored
  2. Agents could bypass the deny list by wrapping denied commands inside chains (&&, ||, ;) or multi-line scripts (heredocs)

Fix: Moved the denied commands check to run before the autoApprovalEnabled guard in checkAutoApproval(). Now denied commands are always blocked regardless of whether auto-approval or alwaysAllowExecute is enabled. The existing getCommandDecision() function already handles command chain parsing and longest-prefix-match conflict resolution, so the fix is minimal -- just calling it earlier in the flow.

The longest-prefix-match logic is preserved, so more specific allow entries (e.g., rm -i) can still override a broader deny entry (e.g., rm).

Test Procedure

  • Added 8 new tests in checkAutoApproval.spec.ts covering:
    • Denied commands blocked when autoApprovalEnabled is false
    • Denied commands blocked when alwaysAllowExecute is false
    • Denied commands inside && chains are caught
    • The exact heredoc bypass scenario from the issue
    • Non-denied commands still get "ask" decision
    • Empty deny list does not block
    • Longest-prefix-match override still works
    • Undefined state returns "ask"
  • Added 9 new tests in commands.spec.ts for getCommandDecision covering chained/wrapped command denial scenarios
  • All 49 tests pass (3 test files)

Run tests: cd src && pnpm vitest run core/auto-approval/

Pre-Submission Checklist

  • Issue Linked: This PR is linked to an approved GitHub Issue.
  • Scope: Changes are focused on the linked issue.
  • Self-Review: I have performed a thorough self-review of my code.
  • Testing: New tests added to cover the changes.
  • Documentation Impact: No documentation updates required.
  • Contribution Guidelines: I have read and agree to the Contributor Guidelines.

Documentation Updates

  • No documentation updates are required.

Additional Notes

The core change is a single 8-line block added to src/core/auto-approval/index.ts that checks denied commands before the auto-approval guard. The rest is test coverage.

Interactively review PR in Roo Code Cloud

@roomote
fix: enforce denied commands regardless of auto-approval settings
0f9198e 
Previously, the denied commands list was only checked when
alwaysAllowExecute was true. This meant agents could bypass
the deny list by wrapping denied commands inside chains (&&,
||, ;) or multi-line scripts like heredocs.

Now the deny list check runs before the autoApprovalEnabled
guard, so denied commands are always blocked regardless of
whether auto-approval or alwaysAllowExecute is enabled.

Fixes #12292
@roomote-v0 roomote-v0 Bot mentioned this pull request May 8, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrubens mrubens Awaiting requested review from mrubens mrubens will be requested when the pull request is marked ready for review mrubens is a code owner

@cte cte Awaiting requested review from cte cte will be requested when the pull request is marked ready for review cte is a code owner

@jr jr Awaiting requested review from jr jr will be requested when the pull request is marked ready for review jr is a code owner

@hannesrudolph hannesrudolph Awaiting requested review from hannesrudolph hannesrudolph will be requested when the pull request is marked ready for review hannesrudolph is a code owner

@daniel-lxs daniel-lxs Awaiting requested review from daniel-lxs daniel-lxs will be requested when the pull request is marked ready for review daniel-lxs is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG] [CRITICAL] Auto Approve: Denied commands did not work

1 participant

@roomote