fix(sdk): prevent shell injection in MCP config via proper escaping #1276

Open
kagura-agent wants to merge 3 commits into e2b-dev:main from kagura-agent:fix/mcp-config-shell-injection

Conversation

@kagura-agent

Summary

Fixes #1154

When creating a sandbox with an mcp config, the JSON-serialized config is interpolated directly into a shell command wrapped in single quotes. Since json.dumps() / JSON.stringify() do not escape single quotes, any MCP config value containing a single quote (e.g., API keys, tokens, URLs) breaks out of shell quoting and allows arbitrary command execution inside the sandbox.

Changes

Python SDK (sandbox_async/main.py, sandbox_sync/main.py)

  • Use shlex.quote() to properly escape the JSON config string (4 locations)
  • shlex.quote() is a stdlib function designed exactly for this purpose

JS/TS SDK (sandbox/index.ts)

  • Add a shellQuote() helper that escapes single quotes using the standard '\''' pattern (equivalent to Python's shlex.quote())
  • Apply it to both MCP config interpolation sites (2 locations)

Before / After

Before (vulnerable):

mcp-gateway --config '{"servers": {"test": {"envs": {"KEY": "it's a value"}}}}'
#                                                            ^^ breaks out

After (safe):

mcp-gateway --config '{"servers": {"test": {"envs": {"KEY": "it'\''s a value"}}}}'
#                                                            ^^^^ properly escaped

Testing

Verified escaping behavior for both Python (shlex.quote) and JS (shellQuote) with the PoC from the issue — single quotes in config values are properly escaped and no longer allow shell breakout.
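
An added example (not code from this PR or from the E2B SDK) that checks the quoting patterns described above by tokenizing each resulting command line with `shlex.split()`, which applies POSIX quoting rules without executing anything. The function names and both sample configs are constructed for illustration, and `single_quote_escape` is a Python rendering of the escape pattern the description attributes to `shellQuote()`, not that helper itself.

```python
import json
import shlex

# Constructed sample configs; the first mirrors the PR's Before/After value.
SAMPLE_CONFIG = {"servers": {"test": {"envs": {"KEY": "it's a value"}}}}
PAIRED_QUOTES = {"servers": {"test": {"envs": {"KEY": "a'b'c"}}}}


def naive_command(config):
    """Pre-fix pattern: JSON dropped between bare single quotes."""
    return f"mcp-gateway --config '{json.dumps(config)}'"


def quoted_command(config):
    """Post-fix pattern for Python: shlex.quote() builds the shell word."""
    return f"mcp-gateway --config {shlex.quote(json.dumps(config))}"


def single_quote_escape(text):
    """Close the quote, emit a backslash-escaped quote, reopen the quote."""
    return "'" + text.replace("'", "'\\''") + "'"


def escaped_command(config):
    """Same command built with the hand-written escape above."""
    return f"mcp-gateway --config {single_quote_escape(json.dumps(config))}"


def config_survives(command, config):
    """True if the JSON reaches the program as one unmodified argument."""
    try:
        argv = shlex.split(command)  # tokenizes only, nothing is executed
    except ValueError:  # quoting left unbalanced by the stray quote
        return False
    return argv == ["mcp-gateway", "--config", json.dumps(config)]


if __name__ == "__main__":
    builders = [("naive", naive_command), ("shlex.quote", quoted_command),
                ("'\\'' escape", escaped_command)]
    for name, build in builders:
        for cfg in (SAMPLE_CONFIG, PAIRED_QUOTES):
            print(f"{name:12} {config_survives(build(cfg), cfg)}  {build(cfg)}")
```

`shlex.quote()` writes an embedded single quote as `'"'"'` rather than `'\''`; both decode to the same argument. The second sample shows the quieter failure: with paired quotes the naive command still tokenizes as one argument, but the quotes are stripped from the value.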

…llQuote

Use shlex.quote() (Python) and a shellQuote() helper (JS/TS) to properly
escape the JSON-serialized MCP config before interpolating it into the
shell command. Previously, single quotes in config values (API keys,
tokens, URLs) could break out of shell quoting and allow arbitrary
command execution inside the sandbox.

Fixes e2b-dev#1154

@claude claude bot left a comment

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

@changeset-bot

changeset-bot bot commented Apr 17, 2026

🦋 Changeset detected

Latest commit: 89fe756

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
e2b Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

Development

Successfully merging this pull request may close these issues.

Bug: Shell command injection via single-quote breakout in MCP config JSON interpolation
