Security Bug: Denied Commands in toolsSettings Are Not Properly Enforced #2477

@peepeepopapapeepeepo

Description

Operating system

macOS 15.5.0 (24F74)

Expected behaviour

Commands listed in the deniedCommands array within toolsSettings should be completely blocked from execution. When a user or AI assistant attempts to run a denied command, it should be prevented from executing entirely and return an appropriate denial message.

Actual behaviour

Commands in the deniedCommands list are still being executed and returning output before the permission system can deny them. For example, when sudo is in the denied commands list, running sudo still executes and returns the usage information (exit status 1 with stderr showing sudo usage) instead of being blocked.

[chat-transcript]
Perfect! Now I can see the issue

Now I understand the issue! Let me look at the execute module's `eval_perm` method again to see the exact logic:
[Tool uses: fs_read]

Now I can see the issue! Let me look at the rest of the eval_perm method:
[Tool uses: fs_read]

Now I understand the issue! The problem is in the logic flow. Let me trace through what happened:

1. The `eval_perm` method checks if `denied_commands.iter().any(|dc| command.contains(dc))` returns true
2. If it does, it should return `PermissionEvalResult::Deny`
3. However, the issue is that the permission evaluation happens **after** the tool has already been parsed and is about to be executed

The bug is that the permission check happens too late in the process. The command `sudo` was already executed and returned its usage information before the permission system had a chance to deny it.

Looking at the code, I can see that:

1. The command gets parsed into an `ExecuteCommand` struct
2. The `eval_perm` method is called to check permissions
3. But by the time `eval_perm` is called, the command has already been executed in some cases

The issue is likely in the timing of when the permission evaluation happens versus when the command execution occurs. The `sudo` command was able to execute and return its usage information before the denied commands filter could prevent it.

## What you did wrong:

The issue isn't necessarily something you did wrong in your configuration, but rather a **race condition or timing issue in the Amazon Q CLI's permission system**. Here's what happened:

1. **Permission Check Timing**: The denied commands check (`denied_commands`) happens in the `eval_perm` method, but this appears to be called after the command has already been parsed and potentially executed.

2. **Command Execution Flow**: The `sudo` command was able to execute and return its usage information (exit status 1 with stderr showing usage) before the permission system could deny it.

3. **Inconsistent Enforcement**: The first attempt (`sudo ls /etc`) was cancelled by the user (you), but the second attempt (`sudo`) executed successfully despite being in the denied commands list.

## The Real Problem:

This appears to be a **bug in the Amazon Q CLI's security implementation** where:
- The denied commands filter isn't being applied consistently
- The permission evaluation happens too late in the execution pipeline
- There's a race condition between command execution and permission checking

## Recommendation:

This is a security issue that should be reported to the Amazon Q CLI team, as denied commands should be blocked **before** execution, not after. The permission system should prevent any execution of commands in the `deniedCommands` list, but it's currently allowing them to run and return output.
[Tool uses: none]

> create issue to feedback amazon q 

I'll help you create an issue to report this security bug to the Amazon Q team. Let me use the built-in issue reporting tool.
[Tool uses: report_issue]

(...truncated)

Steps to reproduce

  1. Configure an agent with toolsSettings that includes deniedCommands: ["sudo"]
  2. Attempt to run sudo command through the execute_bash tool
  3. Observe that the command executes and returns usage information
  4. The command should have been blocked entirely but instead shows: {"exit_status":"1","stderr":"usage: sudo -h | -K | -k | -V\n..."}

This indicates a timing issue where permission evaluation (eval_perm method in /crates/chat-cli/src/cli/chat/tools/execute/mod.rs) happens after command execution rather than before.

Environment

<This will be visible to anyone. Do not include personal or sensitive information>

[q-details]
version = "1.13.0"
hash = "7dee6efdf68f6343e80a56028e6b40f8eff77746"
date = "2025-07-31T02:57:26.581678Z (2d ago)"

[system-info]
os = "macOS 15.5.0 (24F74)"
chip = "Apple M3 Pro"
total-cores = 11
memory = "18.00 GB"

[environment]
cwd = "/Users/USER/.aws/amazonq/cli-agents"
cli-path = "/Users/USER/.aws/amazonq/cli-agents"
install-method = "unknown"

[env-vars]
PATH = "/Users/USER/.nvm/versions/node/v22.15.1/bin:/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/Applications/iTerm.app/Contents/Resources/utilities:/Users/USER/.local/bin:/Users/USER/.local/bin:/Applications/Visual Studio Code.app/Contents/Resources/app/bin:/Users/USER/.local/bin:/Users/USER/.toolbox/bin"
QTERM_SESSION_ID = "e8fb458d76204032849185091498b41b"
Q_SET_PARENT_CHECK = "1"
Q_TERM = "1.13.0"
SHELL = "/bin/zsh"
TERM = "xterm-256color"
__CFBundleIdentifier = "com.googlecode.iterm2"

[chat-settings]


[chat-trusted_tools]
fs_read=trusted
@awslabs.aws-pricing-mcp-server=trusted
@awslabs.aws-documentation-mcp-server=trusted
@awslabs.core-mcp-server=trusted
@aws-knowledge-mcp-server=trusted
@awslabs.aws-api-mcp-server/suggest_aws_commands=trusted

[chat-failed_request_ids]
none

[chat-context]
current_profile=default
profile_context=
/Users/sawitmee/Library/CloudStorage/OneDrive-amazon.com/sawitmee/Q-Context/based.md

files=
/Users/sawitmee/Library/CloudStorage/OneDrive-amazon.com/sawitmee/Q-Context/based.md, 60 tkns
total context size=60 tkns
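
The invariant this report asks for, that a command matching `deniedCommands` never reaches the executor, written as a small testable gate. This is an added example, not Amazon Q CLI source: `Perm`, `Outcome`, `run_gated`, `demo` and the stand-in executor closure are hypothetical names, and only the substring match mirrors the `contains` check quoted in the transcript above.

```rust
// Added illustration, not Amazon Q CLI source. All names are hypothetical;
// only the substring match mirrors the check quoted in the transcript.
#[derive(Debug, PartialEq)]
pub enum Perm { Allow, Deny }

#[derive(Debug, PartialEq)]
pub enum Outcome { Denied(String), Ran(String) }

/// Deny when any denied entry occurs in the command (the quoted `contains` check).
pub fn eval_perm(command: &str, denied: &[&str]) -> Perm {
    if denied.iter().any(|dc| command.contains(dc)) { Perm::Deny } else { Perm::Allow }
}

/// Gate first, execute second: `exec` is only called after an Allow result.
pub fn run_gated<F>(command: &str, denied: &[&str], mut exec: F) -> Outcome
where
    F: FnMut(&str) -> String,
{
    match eval_perm(command, denied) {
        Perm::Deny => Outcome::Denied(format!("'{command}' matches deniedCommands")),
        Perm::Allow => Outcome::Ran(exec(command)),
    }
}

/// Runs constructed sample commands through the gate and returns how many
/// reached the executor, together with each outcome.
pub fn demo() -> (usize, Vec<Outcome>) {
    let denied = ["sudo"]; // constructed config: deniedCommands = ["sudo"]
    let mut spawned = 0usize;
    let mut outcomes = Vec::new();
    for cmd in ["sudo", "sudo ls /etc", "ls /etc"] {
        // Stand-in executor: counts calls instead of spawning a process.
        outcomes.push(run_gated(cmd, &denied, |c| {
            spawned += 1;
            format!("ran: {c}")
        }));
    }
    (spawned, outcomes)
}

fn main() {
    let (spawned, outcomes) = demo();
    println!("executor calls: {spawned}");
    for o in &outcomes {
        println!("{o:?}");
    }
}
```

Counting executor calls, rather than inspecting returned output, is what makes the test catch a command that ran before it was denied.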
