From a6e65ea70f2c4ec26cc38cf6137e80f4c596e7cc Mon Sep 17 00:00:00 2001
From: nsfisis
Date: Fri, 27 Jun 2025 01:14:29 +0900
Subject: claude-code: prevent claude from running `find` or `fd` with dangerous actions
---
home-manager/config/bash/.bashrc | 44 ++++++++++++++++++++++++++++++++++++++++
home-manager/modules/common.nix | 2 ++
2 files changed, 46 insertions(+)
create mode 100644 home-manager/config/bash/.bashrc
(limited to 'home-manager')
diff --git a/home-manager/config/bash/.bashrc b/home-manager/config/bash/.bashrc
new file mode 100644
index 0000000..39d2837
--- /dev/null
+++ b/home-manager/config/bash/.bashrc
@@ -0,0 +1,44 @@
+# Safe wrappers for Claude Code
+if [[ -n "$CLAUDECODE" ]]; then
+ # Safe wrapper for find command
+ find() {
+ local has_dangerous=0
+
+ for arg in "$@"; do
+ case "$arg" in
+ -delete|-exec|-execdir|-fls|-fprint|-fprint0|-fprintf|-ok|-okdir)
+ has_dangerous=1
+ break
+ ;;
+ esac
+ done
+
+ if [[ $has_dangerous == 1 ]]; then
+ echo "Error: dangerous actions, -delete/-exec/-execdir/-fls/-fprint/-fprint0/-fprintf/-ok/-okdir, are not allowed in Claude Code environment" >&2
+ return 1
+ fi
+
+ command find "$@"
+ }
+
+ # Safe wrapper for fd command
+ fd() {
+ local has_dangerous=0
+
+ for arg in "$@"; do
+ case "$arg" in
+ -x|--exec|-X|--exec-batch)
+ has_dangerous=1
+ break
+ ;;
+ esac
+ done
+
+ if [[ $has_dangerous == 1 ]]; then
+ echo "Error: dangerous actions, -x/--exec/-X/--exec-batch, are not allowed in Claude Code environment" >&2
+ return 1
+ fi
+
+ command fd "$@"
+ }
+fi
diff --git a/home-manager/modules/common.nix b/home-manager/modules/common.nix
index e5ef2cb..887fb5d 100644
--- a/home-manager/modules/common.nix
+++ b/home-manager/modules/common.nix
@@ -168,6 +168,8 @@ in programs.bash = { enable = true; + + bashrcExtra = builtins.readFile ../config/bash/.bashrc; }; programs.fish = {
-- cgit v1.2.3-70-g09d2
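Review bot: The `fd` guard's `case` compares each argument against four exact strings, so `-x`/`-X` bundled with other short flags, or a long option written with an attached `=value`, would not match and would reach `command fd` unchanged (assuming fd's option parser accepts those spellings, as is common). Matching by pattern closes that gap and fails closed on look-alikes: `-[xX]*|-[!-]*[xX]*|--exec|--exec=*|--exec-batch|--exec-batch=*)`. Both functions also leave `arg` behind as a global in the user's shell; `local has_dangerous=0 arg` keeps it scoped. Separately, a shell function only intercepts the bare names `find` and `fd` in shells that have sourced this file, so a header comment such as `# Guard rail only, not a sandbox: enforce the real restriction in the agent's permission settings` would keep readers from treating it as a security boundary.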
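Review bot: `bashrcExtra` only reaches shells that read `~/.bashrc`, and nothing in this change shows that the shell the agent spawns does so; a non-interactive `bash -c` skips the file unless `BASH_ENV` points at it. A comment above the new line recording the assumption, e.g. `# find/fd guards for Claude Code; relies on the agent's shell sourcing ~/.bashrc`, would make that dependency visible to the next maintainer. The enclosing module body starts and ends outside the hunk.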