Agents can bypass permission pattern with variable assignment

[superDuperCyberTechno]

Description

If the agent assigns the path of any disallowed pattern (i.e., a file) to a shell variable, it can access its contents by referencing the variable...

f=.env && cat "$f"

This bug seems to imply that the assignment operator (=) is somehow responsible.

The opencode.json file in use can by seen below...

{
  "$schema": "https://opencode.ai/config.json",
  "permission": {
    "bash": {
      "*.env*": "deny",
      "*artisan*": "deny"
    },
    "read": {
      "*.env*": "deny"
    },
    "edit": {
      "*.env*": "deny"
    },
    "grep": {
      "*.env*": "deny"
    }
  }
}

Plugins

n/a

OpenCode version

1.14.39

Steps to reproduce

1. Make sure to use the aforementioned permissions.
2. Have the agent execute the following bash command: f=./.env && cat "$f"

Screenshot and/or share link

No response

Operating System

Arch Linux

Terminal

Kitty

[github-actions]

This issue might be a duplicate of existing issues. Please check:

• [Bug]: Inline env var prefix (e.g. CI=true git commit) bypasses bash permission rules #16075: Variable assignment in bash commands (e.g. CI=true git commit) bypasses bash permission pattern matching — the same underlying mechanism (shell variable assignment causing permission rules to not match) appears to be at play here.
• Missing validation for .env access #21325: Agents bypassing .env deny rules via alternative methods (Python), which is a related class of permission bypass for .env files.

If your issue is distinct from the above (e.g. the specific bypass via f=.env && cat "$f" is not covered), feel free to clarify and a maintainer will confirm.