From 4b89979c88dd0f2d55e72a6b3aea7c91dfb2f9d3 Mon Sep 17 00:00:00 2001 From: Ikem Nzeribe Date: Sun, 17 May 2026 21:41:02 +0100 Subject: [PATCH] Fix script corruption in executeJxa shell-escape executeJxa built the osascript command as a shell string and escaped single quotes with `'` -> `''`. That is not a valid bash escape inside a single-quoted string; `''` collapses to nothing, so every apostrophe in the JXA script was silently stripped before reaching osascript. The bug is latent today because the project's JXA strings use double quotes throughout, but any tool emitting a single-quoted JXA string literal (an `'foo'`, an apostrophe in a thrown error message, etc.) would produce a syntax error or, worse, a silently malformed script. Switch to execFile with an argv array. osascript receives the script as a single argument, no shell interpretation, no escaping needed. Co-Authored-By: Claude Opus 4.7 (1M context) --- src/applescript/execute.ts | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/applescript/execute.ts b/src/applescript/execute.ts index a9abd82..bf7419f 100644 --- a/src/applescript/execute.ts +++ b/src/applescript/execute.ts @@ -1,9 +1,8 @@ -import { exec } from "child_process"; +import { execFile } from "child_process"; import { McpError, ErrorCode } from "@modelcontextprotocol/sdk/types.js"; export const executeJxa = (script: string): Promise => { return new Promise((resolve, reject) => { - const command = `osascript -l JavaScript -e '${script.replace(/'/g, "''")}'`; - exec(command, (error, stdout, stderr) => { + execFile("osascript", ["-l", "JavaScript", "-e", script], (error, stdout, stderr) => { if (error) { return reject( new McpError(ErrorCode.InternalError, `JXA execution failed: ${error.message}`),