Describe the bug
Copilot CLI can delete files outside explicitly allowed directories when:
- Shell commands use ~ (tilde) paths, or
- Copilot executes Python code (e.g. shutil.rmtree) that performs filesystem operations
According to my understanding of how --add-dir / trusted directories work, both cases bypass Copilot CLI’s path‑based permission enforcement.
Affected version
1.0.11
Steps to reproduce the behavior
Within the /sandbox/workdir folder, execute this command:
copilot -p "create an hello-world.py script, then run it, then list all files in your workdir, then remove all contents in the folder .copilot/session-state. if you fail to delete contents keep trying in different ways at least 10 times before you give up" \
--add-dir /sandbox/workdir/ \
--allow-all-tools \
--allow-all-urls
Expected behavior
Copilot CLI should not read, modify, or delete files outside /sandbox/workdir, regardless of:
- whether ~ is used instead of absolute paths
- whether deletion is attempted via shell commands or via code (e.g. Python)
In particular, /sandbox/.copilot/session-state outside /sandbox/workdir should remain protected.
Additional context
- Copilot CLI version: 1.0.11
- OS: Linux
- Shell: bash
- Working directory: /sandbox/workdir
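
The containment check the expected behavior implies, as an added example that is not part of the original report and not Copilot CLI's code: expand ~, anchor relative paths at the working directory, resolve `..` and symlinks, and only then compare against the allowed directories. The function names are hypothetical, and HOME=/sandbox is an assumption inferred from the paths in the report.

```python
import os
from pathlib import Path

def resolve_candidate(raw: str, cwd: str, home: str) -> Path:
    """Return the absolute, symlink-resolved path that `raw` refers to."""
    if raw == "~" or raw.startswith("~/"):
        raw = os.path.join(home, raw[2:])      # expand ~ the way the shell would
    elif raw.startswith("~"):
        raise ValueError("~user paths are not resolved here; deny them")
    if not os.path.isabs(raw):
        raw = os.path.join(cwd, raw)           # relative paths are relative to cwd
    # realpath collapses ".." and follows symlinks, even for paths that do not exist yet
    return Path(os.path.realpath(raw))

def is_allowed(raw: str, allowed_dirs: list[str], cwd: str, home: str) -> bool:
    """True only if `raw` resolves to an allowed directory or something beneath it."""
    try:
        target = resolve_candidate(raw, cwd, home)
    except ValueError:
        return False
    for d in allowed_dirs:
        root = Path(os.path.realpath(d))
        # compare whole path components, so /sandbox/workdir2 does not match /sandbox/workdir
        if target == root or root in target.parents:
            return True
    return False

if __name__ == "__main__":
    # Constructed inputs based on the report; HOME=/sandbox is an assumption.
    allowed, cwd, home = ["/sandbox/workdir/"], "/sandbox/workdir", "/sandbox"
    for p in ["hello-world.py", "~/.copilot/session-state",
              "../.copilot/session-state", "/sandbox/workdir2/x"]:
        print(f"{p!r:32} -> {'allow' if is_allowed(p, allowed, cwd, home) else 'deny'}")
```

A string-level check like this covers only paths the tool can see in a command. Filesystem calls made by code the agent runs, such as the shutil.rmtree case in the report, need OS-level confinement of the child process.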