fix(sdk): prevent shell injection in MCP config via proper escaping (#1276)

kagura-agent · mishushakov · claude · web-flow · commit 2f0ff5f0f7e5 · 2026-04-21T07:30:14.000-07:00
## Summary Fixes #1154 When creating a sandbox with an `mcp` config, the JSON-serialized config is interpolated directly into a shell command wrapped in single quotes. Since `json.dumps()` / `JSON.stringify()` do not escape single quotes, any MCP config value containing a single quote (e.g., API keys, tokens, URLs) breaks out of shell quoting and allows arbitrary command execution inside the sandbox. ## Changes ### Python SDK (`sandbox_async/main.py`, `sandbox_sync/main.py`) - Use `shlex.quote()` to properly escape the JSON config string (4 locations) - `shlex.quote()` is a stdlib function designed exactly for this purpose ### JS/TS SDK (`sandbox/index.ts`) - Add a `shellQuote()` helper that escapes single quotes using the standard `'\'''` pattern (equivalent to Python's `shlex.quote()`) - Apply it to both MCP config interpolation sites (2 locations) ## Before / After **Before** (vulnerable): ``` mcp-gateway --config '{"servers": {"test": {"envs": {"KEY": "it's a value"}}}}' # ^^ breaks out ``` **After** (safe): ``` mcp-gateway --config '{"servers": {"test": {"envs": {"KEY": "it'\''s a value"}}}}' # ^^^^ properly escaped ``` ## Testing Verified escaping behavior for both Python (`shlex.quote`) and JS (`shellQuote`) with the PoC from the issue — single quotes in config values are properly escaped and no longer allow shell breakout. --------- Co-authored-by: Mish Ushakov <10400064+mishushakov@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
diff --git a/.changeset/fix-mcp-config-shell-injection.md b/.changeset/fix-mcp-config-shell-injection.md
@@ -0,0 +1,6 @@
+---
+"e2b": patch
+"@e2b/python-sdk": patch
+---
+
+fix(sdk): prevent shell injection in MCP config by using proper shell escaping (shlex.quote in Python, shellQuote helper in JS/TS)
diff --git a/packages/js-sdk/src/sandbox/index.ts b/packages/js-sdk/src/sandbox/index.ts
@@ -29,6 +29,7 @@ import { getSignature } from './signature'
 import { compareVersions } from 'compare-versions'
 import { SandboxError } from '../errors'
 import { ENVD_DEBUG_FALLBACK, ENVD_DEFAULT_USER } from '../envd/versions'
+import { shellQuote } from '../utils'
 
 /**
  * Options for sandbox upload/download URL generation.
@@ -301,7 +302,7 @@ export class Sandbox extends SandboxApi {
     if (sandboxOpts?.mcp) {
       sandbox.mcpToken = crypto.randomUUID()
       const res = await sandbox.commands.run(
-        `mcp-gateway --config '${JSON.stringify(sandboxOpts?.mcp)}'`,
+        `mcp-gateway --config ${shellQuote(JSON.stringify(sandboxOpts.mcp))}`,
         {
           user: 'root',
           envs: {
@@ -398,7 +399,7 @@ export class Sandbox extends SandboxApi {
     if (sandboxOpts?.mcp) {
       sandbox.mcpToken = crypto.randomUUID()
       const res = await sandbox.commands.run(
-        `mcp-gateway --config '${JSON.stringify(sandboxOpts?.mcp)}'`,
+        `mcp-gateway --config ${shellQuote(JSON.stringify(sandboxOpts.mcp))}`,
         {
           user: 'root',
           envs: {
diff --git a/packages/js-sdk/src/utils.ts b/packages/js-sdk/src/utils.ts
@@ -125,6 +125,14 @@ export function toBlob(
   return new Response(data).blob()
 }
 
+/**
+ * Escape a string for safe inclusion in a single-quoted shell argument.
+ * Equivalent to Python's shlex.quote().
+ */
+export function shellQuote(s: string): string {
+  return "'" + s.replace(/'/g, "'\\''") + "'"
+}
+
 /**
  * Prepare data for upload as a BodyInit, optionally gzip-compressed.
  * When gzip is enabled, compresses the data and returns a Blob.
diff --git a/packages/python-sdk/e2b/sandbox_async/main.py b/packages/python-sdk/e2b/sandbox_async/main.py
@@ -1,6 +1,7 @@
 import datetime
 import json
 import logging
+import shlex
 import uuid
 from typing import Dict, List, Optional, Union, overload
 
@@ -235,7 +236,7 @@ async def create(
             sandbox._mcp_token = token
 
             res = await sandbox.commands.run(
-                f"mcp-gateway --config '{json.dumps(mcp)}'",
+                f"mcp-gateway --config {shlex.quote(json.dumps(mcp))}",
                 user="root",
                 envs={"GATEWAY_ACCESS_TOKEN": token},
             )
@@ -616,7 +617,7 @@ async def beta_create(
             sandbox._mcp_token = token
 
             res = await sandbox.commands.run(
-                f"mcp-gateway --config '{json.dumps(mcp)}'",
+                f"mcp-gateway --config {shlex.quote(json.dumps(mcp))}",
                 user="root",
                 envs={"GATEWAY_ACCESS_TOKEN": token},
             )
diff --git a/packages/python-sdk/e2b/sandbox_sync/main.py b/packages/python-sdk/e2b/sandbox_sync/main.py
@@ -1,6 +1,7 @@
 import datetime
 import json
 import logging
+import shlex
 import uuid
 from typing import Dict, List, Optional, Union, overload
 
@@ -233,7 +234,7 @@ def create(
             sandbox._mcp_token = token
 
             res = sandbox.commands.run(
-                f"mcp-gateway --config '{json.dumps(mcp)}'",
+                f"mcp-gateway --config {shlex.quote(json.dumps(mcp))}",
                 user="root",
                 envs={"GATEWAY_ACCESS_TOKEN": token},
             )
@@ -617,7 +618,7 @@ def beta_create(
             sandbox._mcp_token = token
 
             res = sandbox.commands.run(
-                f"mcp-gateway --config '{json.dumps(mcp)}'",
+                f"mcp-gateway --config {shlex.quote(json.dumps(mcp))}",
                 user="root",
                 envs={"GATEWAY_ACCESS_TOKEN": token},
             )
