Skip to content

Endpoint args like /user/... for gh api appear to be misclassified as filesystem absolute paths #1486

@ekroon

Description

@ekroon

Describe the bug

Bug summary: endpoint args like /user/... for gh api appear to be misclassified as filesystem absolute paths (triggering directory-allow behavior) even though they are API routes; expected behavior is to treat them as plain CLI arguments (or provide a temporary command-scoped allow override).

Workaround for report: use gh api user/codespaces/secrets (no leading slash) to avoid path-like interpretation.

Affected version

GitHub Copilot CLI 0.0.410.

Steps to reproduce the behavior

At some point the command tried to run was (with GPT 5.3 Codex):

GH_PAGER=cat gh api /user/codespaces/secrets --jq '.secrets[].name' | while read -r name; do
     vis=$(GH_PAGER=cat gh api "/user/codespaces/secrets/${name}" --jq '.visibility')
     cnt=$(GH_PAGER=cat gh api "/user/codespaces/secrets/${name}" --jq '.selected_repositories_count // 0')
   done

This asked for allowing access to the path /user/codespaces/secrets

Expected behavior

Should not ask for this as it is not a path. OR: should have an option to just allow the command for now, as it is maybe hard to catch this foolproof.

Additional context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions