fix: address PR review comments

- Fix JQL injection bypass: escape backslashes before double-quotes
- Replace str.startswith() with Path.is_relative_to() for path traversal check
- Add path traversal guard to download_issue_attachments()
- Redact client_secret in VS Code config JSON blob

Author: JKAW

src/mcp_atlassian/jira/attachments.py

@@ -38,11 +38,13 @@ def download_attachment(self, url: str, target_path: str) -> bool:
                 target_path = os.path.abspath(target_path)
 
             # Guard against path traversal
-            base_dir = os.path.abspath(os.getcwd())
-            if not target_path.startswith(base_dir):
+            base_dir = Path(os.getcwd()).resolve()
+            resolved = Path(target_path).resolve()
+            if not resolved.is_relative_to(base_dir):
                 raise ValueError(
-                    f"Path traversal detected: {target_path} is outside {base_dir}"
+                    f"Path traversal detected: {resolved} is outside {base_dir}"
                 )
+            target_path = str(resolved)
 
             logger.info(f"Downloading attachment from {url} to {target_path}")
 
@@ -214,6 +216,15 @@ def download_issue_attachments(
         if not os.path.isabs(target_dir):
             target_dir = os.path.abspath(target_dir)
 
+        # Guard against path traversal
+        base_dir = Path(os.getcwd()).resolve()
+        resolved_dir = Path(target_dir).resolve()
+        if not resolved_dir.is_relative_to(base_dir):
+            raise ValueError(
+                f"Path traversal detected: {resolved_dir} is outside {base_dir}"
+            )
+        target_dir = str(resolved_dir)
+
         logger.info(
             f"Downloading attachments for {issue_key} to directory: {target_dir}"
         )

src/mcp_atlassian/jira/search.py

@@ -59,7 +59,8 @@ def search_issues(
 
                 # Build the project filter query part
                 # Sanitize project names to prevent JQL injection
-                projects = [p.replace('"', '\\"') for p in projects]
+                # Escape backslashes before double-quotes to prevent bypass
+                projects = [p.replace('\\', '\\\\').replace('"', '\\"') for p in projects]
 
                 if len(projects) == 1:
                     project_query = f'project = "{projects[0]}"'

src/mcp_atlassian/utils/oauth_setup.py

@@ -338,7 +338,7 @@ def run_oauth_flow(args: OAuthSetupArgs) -> bool:
                             "CONFLUENCE_URL": "https://your-company.atlassian.net/wiki",
                             "JIRA_URL": "https://your-company.atlassian.net",
                             "ATLASSIAN_OAUTH_CLIENT_ID": oauth_config.client_id,
-                            "ATLASSIAN_OAUTH_CLIENT_SECRET": oauth_config.client_secret,
+                            "ATLASSIAN_OAUTH_CLIENT_SECRET": "<redacted - set via environment variable>",
                             "ATLASSIAN_OAUTH_REDIRECT_URI": oauth_config.redirect_uri,
                             "ATLASSIAN_OAUTH_SCOPE": oauth_config.scope,
                             "ATLASSIAN_OAUTH_CLOUD_ID": oauth_config.cloud_id,