Skip to content

fix: enforce denied commands before auto-approval guard (#12292)#12295

Draft
roomote-v0[bot] wants to merge 1 commit intomainfrom
fix/denied-commands-priority
Draft

fix: enforce denied commands before auto-approval guard (#12292)#12295
roomote-v0[bot] wants to merge 1 commit intomainfrom
fix/denied-commands-priority

Conversation

@roomote-v0
Copy link
Copy Markdown
Contributor

@roomote-v0 roomote-v0 Bot commented May 8, 2026
edited
Loading

This PR attempts to address Issue #12292.

Problem

Denied commands were only checked inside the alwaysAllowExecute guard in checkAutoApproval(). This meant denied commands were completely bypassed when:

  • autoApprovalEnabled was disabled (early return on line 62)
  • alwaysAllowExecute was disabled (fell through to "ask" without checking deny list)

As reported, allowed commands effectively fired before denied commands were checked, allowing agents to bypass security by wrapping denied commands inside chained commands.

Fix

Moved the denied commands check to run before the autoApprovalEnabled early return in checkAutoApproval(). This ensures denied commands act as an absolute safety net that cannot be bypassed regardless of auto-approval or auto-execute settings.

The existing getCommandDecision() function already handles:

  • Splitting chained commands (&&, ||, ;, |)
  • Longest prefix match conflict resolution between allow/deny lists
  • Dangerous substitution detection

Tests

Added 9 new tests in checkAutoApproval.spec.ts covering:

  • Denied commands blocked when autoApprovalEnabled is false
  • Denied commands blocked when alwaysAllowExecute is false
  • Denied commands blocked when alwaysAllowExecute is true
  • Denied commands inside && chains are caught
  • Denied commands in heredoc-style wrapping are caught
  • Non-denied commands still return "ask" (not falsely denied)
  • Empty deny list does not block commands
  • Undefined state does not block commands
  • Longest prefix match still works (more specific allowed overrides denied)

Feedback and guidance are welcome.

Interactively review PR in Roo Code Cloud

@roomote
fix: enforce denied commands check before auto-approval guard
0af988f 
Denied commands were only checked inside the alwaysAllowExecute guard,
meaning they were completely bypassed when auto-approval or auto-execute
was disabled. This moves the denied commands check to run before the
autoApprovalEnabled early return, so denied commands act as an absolute
safety net that cannot be bypassed regardless of settings.

Fixes #12292
@roomote-v0 roomote-v0 Bot mentioned this pull request May 8, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrubens mrubens Awaiting requested review from mrubens mrubens will be requested when the pull request is marked ready for review mrubens is a code owner

@cte cte Awaiting requested review from cte cte will be requested when the pull request is marked ready for review cte is a code owner

@jr jr Awaiting requested review from jr jr will be requested when the pull request is marked ready for review jr is a code owner

@hannesrudolph hannesrudolph Awaiting requested review from hannesrudolph hannesrudolph will be requested when the pull request is marked ready for review hannesrudolph is a code owner

@daniel-lxs daniel-lxs Awaiting requested review from daniel-lxs daniel-lxs will be requested when the pull request is marked ready for review daniel-lxs is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@roomote