verint.com/obsidian-mcp
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity

Compare commits

base: verint.com:v1.1.4
Branches Tags
verint.com:main verint.com:node-server
verint.com:v1.2.0 verint.com:v1.1.9 verint.com:v1.1.8 verint.com:v1.1.7 verint.com:v1.1.6 verint.com:v1.1.5 verint.com:v1.1.4 verint.com:v1.1.3 verint.com:v1.0.0
...
compare: verint.com:v1.1.5
Branches Tags
verint.com:main verint.com:node-server
verint.com:v1.2.0 verint.com:v1.1.9 verint.com:v1.1.8 verint.com:v1.1.7 verint.com:v1.1.6 verint.com:v1.1.5 verint.com:v1.1.4 verint.com:v1.1.3 verint.com:v1.0.0

2 Commits
v1.1.4 ... v1.1.5

Author SHA1 Message Date
Peter.Morton
ec507531ce chore: bump version to 1.1.5 and update CHANGELOG 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
 2026-04-28 12:22:38 -05:00
Peter.Morton
96b44ac97f fix: preserve < and > in note content so Mermaid arrows and HTML are not stripped (fixes #7) 
< and > were in DANGEROUS_CHARS on the assumption they could trigger
shell redirection. However, shell redirection only applies at the
command level — inside double-quoted strings (which is how all values
are passed via formatParam) they are completely inert.

Removing them from DANGEROUS_CHARS and sanitizePath preserves:
- Mermaid diagram connectors: ->>, -->, <|, >>, etc.
- HTML tags in note content
- Any other angle-bracket syntax

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
 2026-04-28 12:21:24 -05:00
4 changed files with 18 additions and 5 deletions
Expand all files Collapse all files

10
CHANGELOG.md
View File

@@ -73,6 +73,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Comprehensive input schema definitions - Comprehensive input schema definitions
- Security audit of parameter handling - Security audit of parameter handling
## [1.1.5] - 2026-04-28
### Fixed
- **Mermaid Arrows and HTML Preserved**: Fixed issue #7 where `<` and `>` were being stripped from note content, breaking Mermaid diagram connectors (`->>`, `-->`, `<|`, `>>`) and HTML tags
- `<` and `>` are only meaningful as shell redirects at the command level — inside double-quoted strings (how all values are passed) they are completely inert
- Removed from `DANGEROUS_CHARS` in both `sanitizeString` and `sanitizePath`
## [1.1.4] - 2026-04-28 ## [1.1.4] - 2026-04-28
### Fixed ### Fixed
@@ -136,6 +143,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## Version History ## Version History
- **1.1.5** - Bug fix release: Preserve `<` and `>` in note content for Mermaid/HTML (fixes #7)
- **1.1.4** - Bug fix release: Preserve Markdown code fences (fixes #6)
- **1.1.3** - Bug fix release: Large file chunking for obsidian_read_note; docs clarification for Obsidian must be running (fixes #4, #5) - **1.1.3** - Bug fix release: Large file chunking for obsidian_read_note; docs clarification for Obsidian must be running (fixes #4, #5)
- **1.1.2** - Bug fix release: Ampersand support in filenames (fixes #2) - **1.1.2** - Bug fix release: Ampersand support in filenames (fixes #2)
- **1.1.1** - Bug fix release: Quote escaping in note content - **1.1.1** - Bug fix release: Quote escaping in note content
@@ -145,6 +154,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Search & Discovery (12 tools) - Search & Discovery (12 tools)
- Task & Property Management (8 tools) - Task & Property Management (8 tools)
[1.1.5]: https://git.mortons.site/Peter.Morton/obsidian-mcp/releases/tag/v1.1.5
[1.1.4]: https://git.mortons.site/Peter.Morton/obsidian-mcp/releases/tag/v1.1.4 [1.1.4]: https://git.mortons.site/Peter.Morton/obsidian-mcp/releases/tag/v1.1.4
[1.1.3]: https://git.mortons.site/Peter.Morton/obsidian-mcp/releases/tag/v1.1.3 [1.1.3]: https://git.mortons.site/Peter.Morton/obsidian-mcp/releases/tag/v1.1.3
[1.1.2]: https://git.mortons.site/Peter.Morton/obsidian-mcp/releases/tag/v1.1.2 [1.1.2]: https://git.mortons.site/Peter.Morton/obsidian-mcp/releases/tag/v1.1.2

2
manifest.json
View File

@@ -1,7 +1,7 @@
{ {
"manifest_version": "0.3", "manifest_version": "0.3",
"name": "obsidian-mcp", "name": "obsidian-mcp",
"version": "1.1.4", "version": "1.1.5",
"display_name": "Obsidian CLI Bundle", "display_name": "Obsidian CLI Bundle",
"description": "MCP Bundle for Obsidian CLI - Enable AI assistants to manage Obsidian vaults through conversational interface", "description": "MCP Bundle for Obsidian CLI - Enable AI assistants to manage Obsidian vaults through conversational interface",
"long_description": "This MCP bundle provides a comprehensive set of tools for AI assistants to interact with and manage Obsidian vaults. It includes capabilities for creating, reading, updating, and deleting notes, managing links and tags, handling tasks, and more. With this bundle, AI assistants can seamlessly integrate with Obsidian to help users organize their knowledge and workflows.", "long_description": "This MCP bundle provides a comprehensive set of tools for AI assistants to interact with and manage Obsidian vaults. It includes capabilities for creating, reading, updating, and deleting notes, managing links and tags, handling tasks, and more. With this bundle, AI assistants can seamlessly integrate with Obsidian to help users organize their knowledge and workflows.",

2
package.json
View File

@@ -1,6 +1,6 @@
{ {
"name": "obsidian-mcp", "name": "obsidian-mcp",
"version": "1.1.4", "version": "1.1.5",
"description": "MCP Bundle for Obsidian CLI - Enable AI assistants to manage Obsidian vaults through Model Context Protocol", "description": "MCP Bundle for Obsidian CLI - Enable AI assistants to manage Obsidian vaults through Model Context Protocol",
"type": "module", "type": "module",
"main": "dist/index.js", "main": "dist/index.js",

9
src/validation/sanitizer.ts
View File

@@ -13,10 +13,12 @@ import { logger } from '../utils/logger.js';
* Note: Single & is safe in quoted args (filenames like "Research & Development.md") * Note: Single & is safe in quoted args (filenames like "Research & Development.md")
* Note: Backticks are safe because formatParam escapes them as \` inside double-quoted strings, * Note: Backticks are safe because formatParam escapes them as \` inside double-quoted strings,
* preventing shell command substitution while preserving Markdown code fences (``` ```) * preventing shell command substitution while preserving Markdown code fences (``` ```)
* We only block: ; | $ < > (command separators, pipes, substitution, redirects) * Note: < and > are safe inside double-quoted strings — shell redirection only applies at the
* command level, not inside quotes. Stripping them breaks Mermaid arrows (->>, -->) and HTML.
* We only block: ; | $ (command separators, pipes, variable substitution)
* Command injection patterns (&&, ||, etc.) are handled separately * Command injection patterns (&&, ||, etc.) are handled separately
*/ */
const DANGEROUS_CHARS = /[;|$<>]/g; const DANGEROUS_CHARS = /[;|$]/g;
const COMMAND_INJECTION_PATTERNS = [ const COMMAND_INJECTION_PATTERNS = [
/\$\(/g, // Command substitution $(...) /\$\(/g, // Command substitution $(...)
/\|\|/g, // OR operator /\|\|/g, // OR operator
@@ -74,7 +76,8 @@ export function sanitizePath(path: string): string {
// Remove dangerous characters but allow path separators // Remove dangerous characters but allow path separators
// Note: Brackets, parentheses, braces, and single & are safe in paths (quoted args) // Note: Brackets, parentheses, braces, and single & are safe in paths (quoted args)
sanitized = sanitized.replace(/[;|`$<>]/g, ''); // Note: < and > are safe inside double-quoted strings (not shell redirects)
sanitized = sanitized.replace(/[;|`$]/g, '');
return sanitized; return sanitized;
} }