How does command allowlist/denylist really work?

I pretty much want to allow Cursor to run any command except a few (mostly git add and git commit, but also any console like rails console, rails c, etc.).

I can’t figure out how the allow and deny list exactly work.

For instance, all rails commands can be called with or without bundle exec, but that’s fine; I still have just a few deny commands, so I can add the variations.

At the beginning I had only deny commands but Cursor would get stuck at approvals so I started adding allow commands which grew a lot but it’s been manageable.

The problem is with command parameters - for instance, I’ve got grep in the allowlist but it asks me for permission when running e.g. grep -A 5 -B 5 "STEP DEBUG.*contract ID\|CONTROLLER DEBUG.*Contract ID" log/test_p5.log

How does it exactly work?

Simple wildcards or regexes would solve this.

Do I need to add commands to allowlist once I have some in denylist?…

8 Likes

Yeah it would be great to have some better documentation around this with some real world examples.

5 Likes

It is not a simple exact match on the command name (executable). I’ve added git and it still asks about git log ... commands.

So is it a pattern on the whole command line?

In general, the lack of sandboxing is a bit of a turnoff. Hope they will focus on this in the future (if not, at least provide a guide for how to best run the whole IDE in a sandbox on different platforms).

1 Like

You can sandbox with dev containers but the command matching is messed up.
Hey @cursor, fix it…………

2 Likes

@cursor Any news or positioning how these rules work?

2 Likes

+1 here. It’s a safety-critical alternative for babysitting each action of the AI agent. It needs to be better specified.

Even without malicious AI hijacks I’ve seen enough sudden AI meltdowns where it would go haywire and start randomly breaking things. For now I keep an IntelliJ IDE running in parallel to track local history (vscode local history extension isn’t a good replacement there).

2 Likes

I tested locally and can confirm that it works as follows:

  1. By default (empty deny and allow) no commands are allowed
  2. Allow acts as a whitelist/allowlist so only commands in there will be allowed to run
  3. Deny will take priority over allow and block anything that is allowed.

Terminal logs:
◦ cat ~/.cursor/cli-config.json    15:09:56
{
  "permissions": { "allow": [ "Shell(ls)" ], "deny": [] },
  "version": 1,
  "editor": { "vimMode": false },
  "model": {
    "modelId": "claude-4.5-sonnet",
    "displayModelId": "sonnet-4.5",
    "displayName": "Claude 4.5 Sonnet",
    "displayNameShort": "Sonnet 4.5",
    "aliases": [ "sonnet", "sonnet-4.5" ],
    "maxMode": false
  },
  "hasChangedDefaultModel": true,
  "privacyCache": { "ghostMode": true, "privacyMode": 2, "updatedAt": 1769544557957 },
  "network": { "useHttp1ForAgent": false }
}
◦ cursor-agent --print "run the command: pwd"
The command was rejected.

cursor-agent --print "run the command: ls"    15:10:20
The directory contains a Rails application with both backend (Ruby) and frontend components. Key directories and files include:

@cursor team please update the docs to clarify this

1 Like

I’ve also noticed that the allow list matches the first part of the command. So cd will match any command beginning with cd.

npm will allow any and all npm commands, including npm install. Note that this is what will be added to the allow list if you allow from chat. Alternatively, you can go into settings and add something like npm run unit_test:run, so that only that specific command will be allowed.

Although there’s @olejorgenb's comment from last June that seems to contradict that with the git and git log example. Maybe the functionality changed?

I reiterate the desire for docs to specify exactly how this works, so there’s no guessing and testing needed.

+1 to the above. I explicitly need confirmation that the allowlist does not support subcommands. Allowing pnpm test also allows pnpm install which seems like a MAJOR security issue. If I think that the allow list blocks subcommands and then it doesn’t, I’m leaving a huge hole in my workflow even with the sandbox.

Please add this to the docs and also please support allow/disallow explicit subcommands. For now I’m going to painfully walk back to using “Ask Every Time”.

1 Like

Hey, good catch. Right now the agent just uses prefix matching, so the best fix is to put dangerous subcommands like pnpm install right into the deny list. Since deny always overrides allow, it is really the only way to get granular control until we get official regex or exact-match support.

What deny list? I don’t see any deny list in the UI.

1 Like
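
An added example, not part of any post in this thread and not Cursor's code: an audit script that models the behaviour reported above (unlisted commands are not allowed, deny overrides allow, allow entries match as a prefix). Because the thread disagrees on what "prefix" covers, it evaluates each command under two readings, token-by-token and executable-only, and flags commands that only the looser reading allows. The sample config, the command list and all function names are constructed for illustration.

```python
import json
import re
import shlex

# Constructed sample in the shape of the ~/.cursor/cli-config.json quoted above.
SAMPLE_CONFIG = """
{"permissions": {"allow": ["Shell(ls)", "Shell(pnpm test)", "Shell(git)"],
                 "deny":  ["Shell(git commit)", "Shell(git add)"]}}
"""

def shell_rules(config_text, key):
    """Return the token lists of the Shell(...) entries under permissions[key]."""
    entries = json.loads(config_text)["permissions"].get(key, [])
    found = (re.fullmatch(r"Shell\((.+)\)", e) for e in entries)
    # Skip blank rules: an empty token list would match every command.
    return [shlex.split(m.group(1)) for m in found if m and m.group(1).strip()]

def hits(rule, argv, first_token_only=False):
    """Token-prefix match; optionally compare only the executable name."""
    if first_token_only:
        return argv[:1] == rule[:1]
    return argv[:len(rule)] == rule

def verdict(command, allow, deny, first_token_only=False):
    """Deny wins over allow; anything unlisted is not allowed (as reported)."""
    argv = shlex.split(command)
    if any(hits(r, argv) for r in deny):  # deny is always matched narrowly
        return "deny"
    if any(hits(r, argv, first_token_only) for r in allow):
        return "allow"
    return "unlisted"

def audit(config_text, commands):
    """Map each command to (token-prefix verdict, executable-only verdict)."""
    allow = shell_rules(config_text, "allow")
    deny = shell_rules(config_text, "deny")
    return {c: (verdict(c, allow, deny), verdict(c, allow, deny, True))
            for c in commands}

if __name__ == "__main__":
    sample = ["ls -la", "pwd", "git log --oneline", "git commit -m wip",
              "pnpm test", "pnpm install left-pad"]  # constructed commands
    for cmd, (strict, loose) in audit(SAMPLE_CONFIG, sample).items():
        # Allowed only under the looser reading: cover it with a deny entry.
        flag = "  <-- add to deny" if loose == "allow" and strict != "allow" else ""
        print(f"{cmd:26} prefix={strict:9} exe-only={loose}{flag}")
```

Any command flagged in the output is one whose safety depends on which reading the agent actually implements, so an explicit deny entry removes the guesswork.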