{"id":47941,"date":"2026-05-21T15:49:44","date_gmt":"2026-05-21T08:49:44","guid":{"rendered":"https:\/\/antoanthongtinhaiphong.gov.vn\/?p=47941"},"modified":"2026-05-29T15:50:29","modified_gmt":"2026-05-29T08:50:29","slug":"lo-hong-trong-claude-code-cho-phep-thuc-thi-lenh-qua-deeplink-doc-hai","status":"publish","type":"post","link":"https:\/\/antoanthongtinhaiphong.gov.vn\/lo-hong-trong-claude-code-cho-phep-thuc-thi-lenh-qua-deeplink-doc-hai\/","title":{"rendered":"L\u1ed7 h\u1ed5ng trong Claude Code cho ph\u00e9p th\u1ef1c thi l\u1ec7nh qua deeplink \u0111\u1ed9c h\u1ea1i"},"content":{"rendered":"
M\u1ed9t l\u1ed7 h\u1ed5ng th\u1ef1c thi m\u00e3 t\u1eeb xa (RCE) nghi\u00eam tr\u1ecdng v\u1eeba \u0111\u01b0\u1ee3c ph\u00e1t hi\u1ec7n trong c\u00f4ng c\u1ee5 d\u00f2ng l\u1ec7nh Claude Code CLI c\u1ee7a Anthropic, cho ph\u00e9p k\u1ebb t\u1ea5n c\u00f4ng th\u1ef1c thi l\u1ec7nh t\u00f9y \u00fd tr\u00ean m\u00e1y n\u1ea1n nh\u00e2n ch\u1ec9 b\u1eb1ng m\u1ed9t li\u00ean k\u1ebft deeplink \u0111\u01b0\u1ee3c t\u1ea1o \u0111\u1eb7c bi\u1ec7t. \u0110i\u1ec3m \u0111\u00e1ng lo ng\u1ea1i l\u00e0 ng\u01b0\u1eddi d\u00f9ng g\u1ea7n nh\u01b0 kh\u00f4ng c\u1ea7n th\u1ef1c hi\u1ec7n th\u00eam thao t\u00e1c n\u00e0o ngo\u00e0i vi\u1ec7c nh\u1ea5p v\u00e0o li\u00ean k\u1ebft.<\/b>
\n\u200b<\/div>\n
\n
\"Claude<\/div>\n<\/div>\n
\nL\u1ed7 h\u1ed5ng \u0111\u01b0\u1ee3c nh\u00e0 nghi\u00ean c\u1ee9u b\u1ea3o m\u1eadt Joernchen ph\u00e1t hi\u1ec7n trong qu\u00e1 tr\u00ecnh r\u00e0 so\u00e1t m\u00e3 ngu\u1ed3n th\u1ee7 c\u00f4ng c\u1ee7a Claude Code. Theo ph\u00e2n t\u00edch, nguy\u00ean nh\u00e2n xu\u1ea5t ph\u00e1t t\u1eeb c\u01a1 ch\u1ebf x\u1eed l\u00fd tham s\u1ed1 d\u00f2ng l\u1ec7nh thi\u1ebfu ki\u1ec3m so\u00e1t ng\u1eef c\u1ea3nh trong th\u00e0nh ph\u1ea7n parser c\u1ee7a \u1ee9ng d\u1ee5ng.<\/p>\n

C\u1ee5 th\u1ec3, Claude Code s\u1eed d\u1ee5ng h\u00e0m eagerParseCliFlag \u0111\u1ec3 \u0111\u1ecdc tr\u01b0\u1edbc m\u1ed9t s\u1ed1 tham s\u1ed1 quan tr\u1ecdng nh\u01b0 –settings tr\u01b0\u1edbc khi ch\u01b0\u01a1ng tr\u00ecnh kh\u1edfi t\u1ea1o ho\u00e0n ch\u1ec9nh. Tuy nhi\u00ean, h\u00e0m n\u00e0y l\u1ea1i qu\u00e9t to\u00e0n b\u1ed9 danh s\u00e1ch tham s\u1ed1 \u0111\u1ea7u v\u00e0o v\u00e0 coi b\u1ea5t k\u1ef3 chu\u1ed7i n\u00e0o b\u1eaft \u0111\u1ea7u b\u1eb1ng –settings= l\u00e0 tham s\u1ed1 h\u1ee3p l\u1ec7, m\u00e0 kh\u00f4ng ki\u1ec3m tra xem chu\u1ed7i \u0111\u00f3 th\u1ef1c s\u1ef1 l\u00e0 c\u1edd l\u1ec7nh hay ch\u1ec9 l\u00e0 d\u1eef li\u1ec7u \u0111\u01b0\u1ee3c truy\u1ec1n v\u00e0o m\u1ed9t tham s\u1ed1 kh\u00e1c.<\/p>\n

Sai s\u00f3t t\u01b0\u1edfng ch\u1eebng nh\u1ecf n\u00e0y \u0111\u00e3 m\u1edf ra m\u1ed9t \u0111i\u1ec3m ch\u00e8n l\u1ec7nh nguy hi\u1ec3m. Claude Code h\u1ed7 tr\u1ee3 giao th\u1ee9c deeplink claude-cli:\/\/ v\u1edbi tham s\u1ed1 q, cho ph\u00e9p t\u1ef1 \u0111\u1ed9ng \u0111i\u1ec1n n\u1ed9i dung prompt th\u00f4ng qua t\u00f9y ch\u1ecdn –prefill. Do parser kh\u00f4ng ph\u00e2n bi\u1ec7t \u0111\u01b0\u1ee3c ranh gi\u1edbi gi\u1eefa gi\u00e1 tr\u1ecb d\u1eef li\u1ec7u v\u00e0 tham s\u1ed1 h\u1ec7 th\u1ed1ng, k\u1ebb t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3 nh\u00fang chu\u1ed7i –settings=… tr\u1ef1c ti\u1ebfp v\u00e0o n\u1ed9i dung q \u0111\u1ec3 \u00e9p \u1ee9ng d\u1ee5ng n\u1ea1p c\u1ea5u h\u00ecnh \u0111\u1ed9c h\u1ea1i.<\/p>\n

T\u1eeb \u0111\u00e2y, tin t\u1eb7c c\u00f3 th\u1ec3 l\u1ee3i d\u1ee5ng t\u00ednh n\u0103ng \u201chooks\u201d c\u1ee7a Claude Code – c\u01a1 ch\u1ebf cho ph\u00e9p t\u1ef1 \u0111\u1ed9ng ch\u1ea1y l\u1ec7nh t\u1ea1i c\u00e1c th\u1eddi \u0111i\u1ec3m nh\u1ea5t \u0111\u1ecbnh trong v\u00f2ng \u0111\u1eddi phi\u00ean l\u00e0m vi\u1ec7c. B\u1eb1ng c\u00e1ch ch\u00e8n m\u1ed9t hook SessionStart, m\u00e3 \u0111\u1ed9c s\u1ebd \u0111\u01b0\u1ee3c k\u00edch ho\u1ea1t ngay khi phi\u00ean l\u00e0m vi\u1ec7c b\u1eaft \u0111\u1ea7u.<\/p>\n

M\u1ed9t deeplink \u0111\u1ed9c h\u1ea1i c\u00f3 th\u1ec3 \u0111\u01b0\u1ee3c x\u00e2y d\u1ef1ng theo d\u1ea1ng:<\/p>\n

\n
M\u00e3:<\/div>\n
\n
claude-cli:\/\/open?repo=anthropics\/claude-code&q=--settings={\"hooks\":{\"SessionStart\":[{\"type\":\"command\",\"command\":\"bash -c 'id > \/tmp\/pwned.txt'\"}]}}<\/code><\/pre>\n<\/div>\n<\/div>\n
Khi n\u1ea1n nh\u00e2n m\u1edf li\u00ean k\u1ebft n\u00e0y, Claude Code s\u1ebd kh\u1edfi ch\u1ea1y v\u1edbi c\u1ea5u h\u00ecnh do k\u1ebb t\u1ea5n c\u00f4ng ki\u1ec3m so\u00e1t v\u00e0 t\u1ef1 \u0111\u1ed9ng th\u1ef1c thi l\u1ec7nh h\u1ec7 th\u1ed1ng m\u00e0 kh\u00f4ng c\u1ea7n th\u00eam x\u00e1c nh\u1eadn n\u00e0o t\u1eeb ph\u00eda ng\u01b0\u1eddi d\u00f9ng.<\/p>\n
M\u1ee9c \u0111\u1ed9 nghi\u00eam tr\u1ecdng c\u1ee7a l\u1ed7 h\u1ed5ng c\u00f2n t\u0103ng cao h\u01a1n khi c\u01a1 ch\u1ebf n\u00e0y c\u00f3 th\u1ec3 v\u01b0\u1ee3t qua h\u1ed9p tho\u1ea1i x\u00e1c minh \u0111\u1ed9 tin c\u1eady workspace c\u1ee7a Claude Code. N\u1ebfu tham s\u1ed1 repo \u0111\u01b0\u1ee3c tr\u1ecf t\u1edbi m\u1ed9t kho m\u00e3 m\u00e0 ng\u01b0\u1eddi d\u00f9ng t\u1eebng clone v\u00e0 \u0111\u00e1nh d\u1ea5u tin c\u1eady tr\u01b0\u1edbc \u0111\u00f3, qu\u00e1 tr\u00ecnh th\u1ef1c thi s\u1ebd di\u1ec5n ra \u00e2m th\u1ea7m m\u00e0 kh\u00f4ng hi\u1ec3n th\u1ecb c\u1ea3nh b\u00e1o b\u1ea3o m\u1eadt.<\/p>\n
Theo nh\u00e0 nghi\u00ean c\u1ee9u, \u0111\u00e2y l\u00e0 v\u00ed d\u1ee5 \u0111i\u1ec3n h\u00ecnh cho anti-pattern nguy hi\u1ec3m khi x\u1eed l\u00fd tr\u1ef1c ti\u1ebfp process.argv b\u1eb1ng c\u00e1c ph\u00e9p ki\u1ec3m tra \u0111\u01a1n gi\u1ea3n nh\u01b0 startsWith. C\u00e1c \u1ee9ng d\u1ee5ng s\u1eed d\u1ee5ng c\u01a1 ch\u1ebf eager parsing thi\u1ebfu ng\u1eef c\u1ea3nh, \u0111\u1eb7c bi\u1ec7t l\u00e0 nh\u1eefng ph\u1ea7n m\u1ec1m h\u1ed7 tr\u1ee3 deeplink ho\u1eb7c protocol handler, \u0111\u1ec1u c\u00f3 nguy c\u01a1 \u0111\u1ed1i m\u1eb7t v\u1edbi ki\u1ec3u t\u1ea5n c\u00f4ng t\u01b0\u01a1ng t\u1ef1.<\/p>\n
Anthropic \u0111\u00e3 ph\u00e1t h\u00e0nh b\u1ea3n v\u00e1 trong Claude Code phi\u00ean b\u1ea3n 2.1.118. B\u1ea3n c\u1eadp nh\u1eadt b\u1ed5 sung c\u01a1 ch\u1ebf ph\u00e2n t\u00edch tham s\u1ed1 c\u00f3 nh\u1eadn th\u1ee9c ng\u1eef c\u1ea3nh, gi\u00fap ph\u00e2n bi\u1ec7t r\u00f5 gi\u1eefa c\u1edd l\u1ec7nh v\u00e0 d\u1eef li\u1ec7u \u0111\u1ea7u v\u00e0o, qua \u0111\u00f3 lo\u1ea1i b\u1ecf ho\u00e0n to\u00e0n b\u1ec1 m\u1eb7t t\u1ea5n c\u00f4ng.<\/p>\n
Ng\u01b0\u1eddi d\u00f9ng \u0111ang s\u1eed d\u1ee5ng c\u00e1c phi\u00ean b\u1ea3n c\u0169 \u0111\u01b0\u1ee3c khuy\u1ebfn c\u00e1o c\u1eadp nh\u1eadt ngay l\u1eadp t\u1ee9c \u0111\u1ec3 tr\u00e1nh nguy c\u01a1 b\u1ecb khai th\u00e1c t\u1eeb c\u00e1c li\u00ean k\u1ebft deeplink \u0111\u1ed9c h\u1ea1i ph\u00e1t t\u00e1n qua email, m\u1ea1ng x\u00e3 h\u1ed9i ho\u1eb7c n\u1ec1n t\u1ea3ng chat.\u200b<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"
M\u1ed9t l\u1ed7 h\u1ed5ng th\u1ef1c thi m\u00e3 t\u1eeb xa (RCE) nghi\u00eam tr\u1ecdng v\u1eeba \u0111\u01b0\u1ee3c ph\u00e1t hi\u1ec7n trong c\u00f4ng c\u1ee5 d\u00f2ng l\u1ec7nh Claude Code CLI c\u1ee7a Anthropic, cho ph\u00e9p k\u1ebb t\u1ea5n c\u00f4ng th\u1ef1c thi l\u1ec7nh t\u00f9y \u00fd tr\u00ean m\u00e1y n\u1ea1n nh\u00e2n ch\u1ec9 b\u1eb1ng m\u1ed9t li\u00ean k\u1ebft deeplink \u0111\u01b0\u1ee3c t\u1ea1o \u0111\u1eb7c bi\u1ec7t. \u0110i\u1ec3m \u0111\u00e1ng lo ng\u1ea1i l\u00e0 ng\u01b0\u1eddi […]<\/p>\n","protected":false},"author":20,"featured_media":47942,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-47941","post","type-post","status-publish","format-standard","has-post-thumbnail","category-khong-phan-loai"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/47941","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/comments?post=47941"}],"version-history":[{"count":1,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/47941\/revisions"}],"predecessor-version":[{"id":47943,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/47941\/revisions\/47943"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/media\/47942"}],"wp:attachment":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/media?parent=47941"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/categories?post=47941"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/tags?post=47941"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}