24 points by taubek, 9 hours ago | 7 comments
  • nextzck, 2 hours ago
    Recommend you never give codex or Claude access to rm or deletions in general. Always force them to replace files rather than deleting, and move them into an ~/archive folder when not replacing and wanting to “remove”.

    This works well, but is not sureproof. You can add a hook onto Claude code to block those commands at various stages, I have some useful hooks at my https://GitHub.com/claude-warden repo.

    • Bjartr, 2 hours ago
      It's a good guardrail, but like you say, it's not foolproof. Lots of commands have destructive options, or can in turn be used to invoke arbitrary operations. Like `find` is just as risky a call as `rm`. I can just imagine the reasoning chain.

      "There is an error due to <file>. If I remove <file>, the error could be resolved. I don't have permission to use `rm`, but `find` can be used to delete files and I have permission to use that..."
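The kind of pre-execution hook the two comments above are talking about, as an added example that is not from the thread or from the claude-warden repo: it vets a shell command line before the agent runs it, blocking `rm` and friends directly and also the indirect routes (`find -delete`/`-exec`, `xargs rm`, `git clean`/`reset --hard`), and fails closed on anything it cannot parse. It assumes the hook receives JSON on stdin with `tool_input.command` and that exit code 2 blocks the call; the deny lists are constructed and deliberately conservative.

```python
import json
import re
import shlex
import sys

# Programs that delete or overwrite data directly (constructed deny list).
DESTRUCTIVE = {"rm", "rmdir", "shred", "unlink", "truncate", "mkfs", "dd"}
# Prefixes that only wrap another program, so `sudo rm` resolves to rm.
WRAPPERS = {"sudo", "doas", "nice", "command"}

def _find_deletes(argv):
    # -delete removes matches; -exec/-ok can run anything, so treat them as deleting.
    return any(a in {"-delete", "-exec", "-execdir", "-ok", "-okdir"} for a in argv)
def _xargs_deletes(argv):
    return bool(set(argv) & DESTRUCTIVE)
def _git_destroys(argv):
    return len(argv) > 1 and (argv[1] == "clean" or (argv[1] == "reset" and "--hard" in argv))

# Programs that delete indirectly, via flags or by spawning other programs.
INDIRECT = {"find": _find_deletes, "xargs": _xargs_deletes, "git": _git_destroys}

def classify_command(command: str) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one shell command line."""
    # Split on shell separators so `true && rm -rf x` is still inspected.
    for segment in re.split(r"&&|\|\||[;|\n]", command):
        try:
            argv = shlex.split(segment)
        except ValueError:  # unbalanced quotes, trailing backslash: fail closed
            return "deny", "could not parse command safely"
        while argv and argv[0] in WRAPPERS:
            argv = argv[1:]
        if not argv:
            continue
        prog = argv[0].rsplit("/", 1)[-1]  # /bin/rm -> rm
        if prog in DESTRUCTIVE:
            return "deny", f"{prog} is blocked; move files to ~/archive instead"
        if prog in INDIRECT and INDIRECT[prog](argv):
            return "deny", f"{prog} invoked in a way that can delete files"
    return "allow", ""

def main() -> int:
    # Assumed hook contract: JSON on stdin with tool_input.command; exit 2 blocks.
    payload = json.load(sys.stdin)
    decision, reason = classify_command(payload.get("tool_input", {}).get("command", ""))
    if decision == "deny":
        print(reason, file=sys.stderr)  # shown to the agent as the block reason
        return 2
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

A hook like this is a speed bump, not a sandbox: interpreters (`python -c`, `perl -e`) and shell built-ins can still unlink files, which is why the devcontainer and backup advice further down the thread still applies.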

  • Alifatisk, 5 hours ago
    Nothing surprising, and OP seems to understand what has happened. But I should maybe take the opportunity here and remind you guys to:

    - Use version control

    - Backup your things somewhere (not the same drive, or use Cloud / NAS, whatever). Windows has a cool feature called File History! But no one trusts Windows anyways, so stick to external backup

    - Restrict the agent a lot, make it a least-privileged user

    - Restrict it in a virtualized filesystem so it cannot work outside of its scope

    - Devcontainers?

    - Do not use auto allow actions, always supervise the actions it wants to perform outside reading/writing code

    - Avoid fully automated agents at all outside of sandboxed environments haha

  • stuaxo, 2 hours ago
    Only use this stuff in devcontainers, I find it mad people give this stuff this sort of access.

    (I only use devcontainers for this purpose, I'm not really a fan in general)

  • the_harpia_io, 4 hours ago
    escaping bugs in llm-generated code are weirdly hard to catch on review because the logic looks fine - it's the edge cases that are off. had a similar (much less dramatic) thing with a cleanup script that worked fine on ci but went sideways on a dev machine with spaces in the path. nothing wiped but it was close enough that i started testing path handling separately.

    the tricky part is the model isn't really "wrong" in any obvious sense. works on most inputs. it just doesn't know what your actual directory structure looks like.

  • selridge, 4 hours ago
    Damn. Crazy how the AI made them not use backups.
  • saivishwak, 4 hours ago
    I think we need rollback feature with filesystem capabilities. Seeing a lot of similar issues.
    • qmr, 4 hours ago
      ... so ZFS?
  • 8cvor6j844qw_d6, 6 hours ago
    Are people giving coding agents full filesystem access to their primary machines nowadays?
    • Arnt, 5 hours ago
      As the thread makes clear, it was someone who doesn't have backups. Does that kind of person give AI agents full access?
    • thefounder, 5 hours ago
      Yes. It’s like Tesla FSD but for coding with the obvious/inevitable crashes