fix(sdk): prevent shell injection in MCP config via proper escaping

[kagura-agent]

Summary

Fixes #1154

When creating a sandbox with an mcp config, the JSON-serialized config is interpolated directly into a shell command wrapped in single quotes. Since json.dumps() / JSON.stringify() do not escape single quotes, any MCP config value containing a single quote (e.g., API keys, tokens, URLs) breaks out of shell quoting and allows arbitrary command execution inside the sandbox.

Changes

Python SDK (sandbox_async/main.py, sandbox_sync/main.py)

• Use shlex.quote() to properly escape the JSON config string (4 locations)
• shlex.quote() is a stdlib function designed exactly for this purpose

JS/TS SDK (sandbox/index.ts)

• Add a shellQuote() helper that escapes single quotes using the standard '\''' pattern (equivalent to Python's shlex.quote())
• Apply it to both MCP config interpolation sites (2 locations)

Before / After

Before (vulnerable):

mcp-gateway --config '{"servers": {"test": {"envs": {"KEY": "it's a value"}}}}'
#                                                            ^^ breaks out

After (safe):

mcp-gateway --config '{"servers": {"test": {"envs": {"KEY": "it'\''s a value"}}}}'
#                                                            ^^^^ properly escaped

Testing

Verified escaping behavior for both Python (shlex.quote) and JS (shellQuote) with the PoC from the issue — single quotes in config values are properly escaped and no longer allow shell breakout.

[claude]

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

[changeset-bot]

🦋 Changeset detected

Latest commit: 89fe756

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
e2b	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR