From 466587d1c58cfcfbd1a4e3fc6d12e632ae1b30ea Mon Sep 17 00:00:00 2001 From: "Peter.Morton" Date: Fri, 10 Apr 2026 00:07:13 -0500 Subject: [PATCH] fix: preserve square brackets and escape quotes in note content (v1.1.1) - Fix square bracket removal: Remove [] from DANGEROUS_CHARS regex * Wikilinks ([[link]]) now work correctly * Task checkboxes (- [ ] Task) are properly preserved * Brackets are safe because values are quoted and passed as array args - Fix quote truncation: Escape double quotes in formatParam * Content like "Bot QM" no longer truncates * Internal quotes escaped as \" before wrapping in parameter quotes * Prevents shell from misinterpreting quote boundaries Bump version: 1.0.0 -> 1.1.1 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- CHANGELOG.md | 23 +++++++++++++++++++++++ manifest.json | 2 +- package.json | 2 +- src/utils/cli-helpers.ts | 7 ++++++- src/validation/sanitizer.ts | 7 +++++-- 5 files changed, 36 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 43cb428..c090ef6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -73,6 +73,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Comprehensive input schema definitions - Security audit of parameter handling +## [1.1.1] - 2026-04-10 + +### Fixed +- **Quote Escaping**: Fixed critical bug where note content was being truncated when containing double quotes + - Content like `"Bot QM"` is now properly escaped and passed to the CLI without truncation + - Internal double quotes are escaped as `\"` before being wrapped in parameter quotes + - Prevents shell from misinterpreting quote boundaries in parameter values + - Affects all tools that pass content: create, append, prepend, search queries, etc. + +## [1.1.0] - 2026-04-10 + +### Fixed +- **Square Brackets Preservation**: Fixed critical bug where square brackets `[` and `]` were being removed from note content during sanitization + - Wikilinks (`[[link]]`) now work correctly when creating or modifying notes + - Task checkboxes (`- [ ] Task` and `- [x] Done`) are properly preserved + - Array notation and date formats with brackets are no longer corrupted + - Security: Square brackets are safe because parameter values are quoted and passed as array arguments to the CLI + - All dangerous shell metacharacters (`;`, `|`, `$()`, backticks, etc.) are still properly blocked + ## [Unreleased] ### Planned @@ -86,9 +105,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## Version History +- **1.1.1** - Bug fix release: Quote escaping in note content +- **1.1.0** - Bug fix release: Square brackets preservation in note content - **1.0.0** - Initial release with 28 MCP tools across 3 user stories - File Operations (8 tools) - Search & Discovery (12 tools) - Task & Property Management (8 tools) +[1.1.1]: https://github.com/yourusername/obsidian-mcp/releases/tag/v1.1.1 +[1.1.0]: https://github.com/yourusername/obsidian-mcp/releases/tag/v1.1.0 [1.0.0]: https://github.com/yourusername/obsidian-mcp/releases/tag/v1.0.0 
diff --git a/manifest.json b/manifest.json index 2f48939..b8a5afe 100644 --- a/manifest.json +++ b/manifest.json @@ -1,7 +1,7 @@ { "manifest_version": "0.3", "name": "obsidian-mcp", - "version": "1.0.0", + "version": "1.1.1", "display_name": "Obsidian CLI Bundle", "description": "MCP Bundle for Obsidian CLI - Enable AI assistants to manage Obsidian vaults through conversational interface", "long_description": "This MCP bundle provides a comprehensive set of tools for AI assistants to interact with and manage Obsidian vaults. It includes capabilities for creating, reading, updating, and deleting notes, managing links and tags, handling tasks, and more. With this bundle, AI assistants can seamlessly integrate with Obsidian to help users organize their knowledge and workflows.", diff --git a/package.json b/package.json index 68539fb..86cb326 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "obsidian-mcp", - "version": "1.0.0", + "version": "1.1.1", "description": "MCP Bundle for Obsidian CLI - Enable AI assistants to manage Obsidian vaults through Model Context Protocol", "type": "module", "main": "dist/index.js", diff --git a/src/utils/cli-helpers.ts b/src/utils/cli-helpers.ts index f17c7b6..f68dcbe 100644 --- a/src/utils/cli-helpers.ts +++ b/src/utils/cli-helpers.ts @@ -13,7 +13,12 @@ export function formatParam(key: string, value: string | number): string { // Always quote string values to handle spaces and special characters safely // Note: Obsidian CLI docs say: "Quote values with spaces: name="My Note"" - return `${key}="${value}"`; + + // Escape any double quotes in the value to prevent shell interpretation issues + // This prevents truncation when content contains quotes like "Bot QM" + const escapedValue = String(value).replace(/"/g, '\\"'); + + return `${key}="${escapedValue}"`; } /** diff --git a/src/validation/sanitizer.ts b/src/validation/sanitizer.ts index 3c195ac..bf4f814 100644 --- a/src/validation/sanitizer.ts 
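Review bot: The new `escapedValue` line in formatParam escapes `"` but not the backslash, so a value that already contains `\"` comes out as `\\"` and the quote ends the parameter early again; a value ending in `\` does the same to the closing quote. Escape backslashes first and quotes second: `const escapedValue = String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"');`. The DANGEROUS_CHARS set shown later in this patch does not strip `\`, so nothing visible here filters it before this point. If the command string is parsed by a shell, as the added comment suggests, `$` and backticks also stay active inside double quotes, so this helper is only safe for values that have already passed the sanitizer, and the comment should say so. formatParam's opening lines are outside the hunk.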
+++ b/src/validation/sanitizer.ts @@ -8,8 +8,10 @@ import { logger } from '../utils/logger.js'; /** * Characters that should be removed or escaped for security + * Note: Square brackets [] are safe because values are quoted and passed as array args + * They're essential for Obsidian markdown (wikilinks [[link]] and tasks - [ ] Task) */ -const DANGEROUS_CHARS = /[;&|`$(){}[\]<>]/g; +const DANGEROUS_CHARS = /[;&|`$(){}<>]/g; const COMMAND_INJECTION_PATTERNS = [ /\$\(/g, // Command substitution $(...) /`[^`]*`/g, // Command substitution `...` @@ -67,7 +69,8 @@ export function sanitizePath(path: string): string { sanitized = sanitized.replace(/^\/+|\/+$/g, ''); // Remove dangerous characters but allow path separators - sanitized = sanitized.replace(/[;&|`$(){}[\]<>]/g, ''); + // Note: Square brackets are safe in paths (quoted args) but removed for consistency + sanitized = sanitized.replace(/[;&|`$(){}<>]/g, ''); return sanitized; }
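Review bot: The comment added above DANGEROUS_CHARS rests the safety of `[` and `]` on two things this file cannot enforce: that every value is wrapped in double quotes, and that the CLI is started with an argument array rather than a shell string. The formatParam comment in this same patch talks about shell interpretation, so the diff does not show which of the two actually holds. I would name the invariant and where it is enforced, for example `* Invariant: values reach the CLI only through formatParam() quoting; an unquoted use would expose [ ] to shell globbing.`, and cover it with a test that round-trips `[[link]]` and `- [ ] Task`.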
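Review bot: The comment added in sanitizePath says square brackets are "removed for consistency", but the regex on the next line no longer contains `[\]`, so brackets are now kept in paths. Decide which is intended: if paths should keep brackets, change the comment to something like `// Square brackets are kept: values are quoted before reaching the CLI`; if they should still be stripped, restore `[\]` in the character class. Either way the literal duplicates DANGEROUS_CHARS, and `sanitized = sanitized.replace(DANGEROUS_CHARS, '');` would stop the two sets from drifting apart again. sanitizePath starts outside the hunk.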