zhengchen.tao/obsidian-mcp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

obsidian-mcp: 初次落地 Obsidian Vault MCP Server (.NET 10, read+write)
Build Docker Image / build (push) Failing after 9m21s
Details
Build Docker Image / deploy (push) Has been skipped
Details

Browse Source 
把 Obsidian vault 通过 MCP 暴露给 Claude.ai,OAuth 走 nas-auth。
设计文档见 vault Coding/obsidian-mcp/obsidian-mcp 设计.md。
代码层落地参考 vault Coding/obsidian-mcp/MCP 实现指南.md。

V1+V2 同时实现(用户要求跳过分阶段直接全部):

读 Tools(需 scope=read:obsidian):
- list_vault_tree(一次性 vault 地图,限制深度)
- list_files / read_file(含 offset/limit 大文件分页)
- search(子串匹配 + glob 过滤,最多 50 hits)
- get_metadata(size / modified_at / has_frontmatter)

写 Tools(需 scope=write:obsidian):
- write_file / append_file
- 多重门禁:scope 校验 + 路径黑名单 + 写入白名单 + 永禁文件
  - 永禁写:任意目录的 AGENTS.md / PROFILE.md / README.md / CLAUDE.md / 01-Secret/**
  - 白名单:02-ShengquGames/logs/ + Coding/ + NAS/NAS 待办清单.md
- 写入审计日志按天 rotate(JSON line)

安全:
- VaultPathResolver chroot:path traversal + symlink 双拒绝
- JwtBearer (HS256, Current+Previous fallback, MapInboundClaims=false)
- aud=obsidian, iss=https://auth.zhengchentao.win
- 黑名单:01-Secret / .obsidian / .trash / .git

技术栈:
- .NET 10 + ModelContextProtocol SDK 1.0
- Streamable HTTP transport (POST /mcp)
- JwtBearer 10.0 + IdentityModel.Tokens 8.x

部署:
- Dockerfile multi-stage,runtime 装 ripgrep(V3 备用),non-root user
- .gitea/workflows/build-image.yml:build + deploy 双 job,buildkit v0.13.2
- 容器内 :8080,宿主端口 9090
- 子域名 obs.zhengchentao.win
- vault 挂载 /volume1/docker/webdav/data/Zhengchen:/vault:rw(V2 写入需要 rw)

测试:35/35 单测过(VaultPathResolver path traversal/blacklist/symlink + VaultWriteGuard whitelist/forbidden)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Zhengchen Tao
2026-05-06 01:32:11 +08:00
commit 28f9a54ba9
28 changed files with 1625 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Services/VaultPathResolver.cs
+141
View File
@@ -0,0 +1,141 @@
using ObsidianMcp.Config;
using Microsoft.Extensions.Options;
namespace ObsidianMcp.Services;
/// <summary>
/// Vault 路径安全守卫(chroot 语义)。
///
/// 职责:
/// - 把相对路径拼接到 VaultRoot,防止路径穿越(../
/// - 拒绝绝对路径输入
/// - 拒绝命中黑名单的路径段
///
/// 线程安全,注册为 Singleton。
/// </summary>
public class VaultPathResolver
{
// hardcode 黑名单路径段(任意路径段命中即拒)
private static readonly HashSet<string> HardcodeBlacklist =
new(StringComparer.OrdinalIgnoreCase)
{
"01-Secret",
".obsidian",
".trash",
".git",
};
private readonly string _root;
private readonly HashSet<string> _blacklist;
public VaultPathResolver(IOptions<VaultOptions> opts)
{
var o = opts.Value;
_root = Path.GetFullPath(o.Root);
// 合并 hardcode + env 配置的黑名单,去重
_blacklist = new HashSet<string>(HardcodeBlacklist, StringComparer.OrdinalIgnoreCase);
foreach (var b in o.Blacklist)
if (!string.IsNullOrWhiteSpace(b))
_blacklist.Add(b.Trim());
}
/// <summary>返回 vault 根目录的绝对路径(规范化后)。</summary>
public string VaultRoot => _root;
/// <summary>
/// 将相对路径解析为 vault 内的绝对路径。
///
/// 可能抛出:
/// UnauthorizedAccessException — 路径穿越、绝对路径、命中黑名单、目标是 symlink
/// ArgumentException — relativePath 为空
/// </summary>
public string Resolve(string relativePath)
{
if (string.IsNullOrWhiteSpace(relativePath))
throw new ArgumentException("路径不能为空。", nameof(relativePath));
// 拒绝绝对路径输入(防止容器外访问;包括 Linux /etc/... 与 Windows C:\... / UNC \\server
if (Path.IsPathRooted(relativePath))
throw new UnauthorizedAccessException(
$"拒绝绝对路径输入:{relativePath}");
// 把 Windows 反斜杠归一化成 Unix 分隔符,避免 Linux 容器上把 "..\\.." 当成单段不消解。
// 注意:仅对相对路径输入做归一化;root 路径已经由 Path.GetFullPath 处理过。
var normalizedRel = relativePath.Replace('\\', '/');
// 拼接并规范化(自动消解 .. 和 .)
var target = Path.GetFullPath(Path.Combine(_root, normalizedRel));
// 确认解析后的路径仍在 vault root 内
if (!IsUnderRoot(target))
throw new UnauthorizedAccessException(
$"路径穿越 vault 根目录:{relativePath}");
// 逐段检查黑名单
CheckBlacklist(target, relativePath);
// 拒绝 symlink(无论指向 vault 内外,统一禁;vault 真实内容应是普通文件 / 目录)。
// 这是兜底防线:万一 WebDAV / 操作失误把 symlink 落到 vault 里,避免 Tool 跟随到容器外。
RejectSymlink(target, relativePath);
return target;
}
/// <summary>
/// 检查路径自身(以及任一父级路径段)是否是 symlink。是 → 拒绝。
/// 防御链外文件 leak(例如有人在 vault 里建一个指向 /etc/passwd 的软链)。
/// </summary>
private void RejectSymlink(string absPath, string original)
{
// 从 absPath 一直向上检查到 _root(不含 root 本体;root 是已知信任的挂载点)
var current = absPath;
while (current != null && current.Length > _root.Length)
{
try
{
var info = new FileInfo(current);
if (info.Exists && info.LinkTarget != null)
throw new UnauthorizedAccessException($"拒绝 symlink 路径:{original}");
if (!info.Exists)
{
var di = new DirectoryInfo(current);
if (di.Exists && di.LinkTarget != null)
throw new UnauthorizedAccessException($"拒绝 symlink 路径:{original}");
}
}
catch (UnauthorizedAccessException) { throw; }
catch
{
// I/O 异常不在这里阻断;后续真正读文件时会自然抛
}
var parent = Path.GetDirectoryName(current);
if (parent == null || parent == current) break;
current = parent;
}
}
/// <summary>检查绝对路径是否在 vault root 下(含等于 root)。</summary>
private bool IsUnderRoot(string absPath)
{
return absPath == _root
|| absPath.StartsWith(_root + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase);
}
/// <summary>逐个路径段检查黑名单。</summary>
private void CheckBlacklist(string absPath, string original)
{
// 把 absPath 中 root 之后的部分按分隔符拆分,逐段比对
var relative = absPath[_root.Length..].TrimStart(Path.DirectorySeparatorChar);
var segments = relative.Split(
[Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar],
StringSplitOptions.RemoveEmptyEntries);
foreach (var seg in segments)
{
if (_blacklist.Contains(seg))
throw new UnauthorizedAccessException(
$"路径命中黑名单段 '{seg}'{original}");
}
}
}