Skip to content
Flows
Tier 1 · Claude Code internals Claude Code internals · fetched 2026-07-08

Deep Dive: Code-Layer Security - 20+ Validators Behind BashTool

Walks the layered validation pipeline that backs up the prompt when the model ignores its 'suggestions': control-character checks, multi-view quote extraction, obfuscated-flag detection (ANSI-C quoting, empty-quote concatenation, quote chains, triple quotes), brace-expansion and backslash-escaped-operator traps, hard path constraints, a whitelist-plus-denylist sed validator, and per-tool exit-code semantics. Every validator returns allow/ask/deny/passthrough, and misparsing-class findings outrank informational ones.

View source on GitHub

Key takeaways

  • 01

    Security analysis needs multiple views of a command: double quotes kept, fully unquoted, and quote characters preserved

  • 02

    Each validator does exactly one job and returns allow / ask / deny / passthrough - failures stay isolated and fixable

  • 03

    Parser-vs-bash disagreements (brace expansion, backslash-escaped operators) are the most dangerous bug class

  • 04

    Path validation is the hardest constraint: system directories stay off-limits regardless of prompts or permission rules

  • 05

    Exit-code semantics differ per tool: grep/diff/test returning 1 is signal, not error

  • 06

    Warn on destructive patterns (git reset --hard, rm -rf) without blocking - transparency over obstruction

Flows built on this research