Skip to content

Fixing issue with single quotes being lost from input #27

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dvcrn merged 2 commits into from
Feb 4, 2026
Merged

Fixing issue with single quotes being lost from input #27

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e3a89ed
Fixing issue with apostrophes/single quotes being lost from input to …
j-wang Feb 3, 2026
f605b3d
Addressing feedback from gemini-code-assist to avoid shell spawning e…
j-wang Feb 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 2 additions & 3 deletions src/applescript/execute.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,8 @@
import { exec } from "child_process";
import { execFile } from "child_process";
import { McpError, ErrorCode } from "@modelcontextprotocol/sdk/types.js";
export const executeJxa = <T>(script: string): Promise<T> => {
return new Promise((resolve, reject) => {
const command = `osascript -l JavaScript -e '${script.replace(/'/g, "''")}'`;
exec(command, (error, stdout, stderr) => {
execFile("osascript", ["-l", "JavaScript", "-e", script], (error, stdout, stderr) => {
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

The change from exec to execFile with an array of arguments is a significant security enhancement. The previous method of constructing a command string and manually escaping characters was inherently vulnerable to shell injection if not meticulously handled for all special characters. execFile bypasses the shell's interpretation of arguments, making the execution much safer and more reliable, directly addressing the issue of lost single quotes.

if (error) {
return reject(
new McpError(ErrorCode.InternalError, `JXA execution failed: ${error.message}`),
Expand Down