Fix shell escaping vulnerability in env_updater

[Copilot]

Addresses security issue where environment variable values were written to shell config files without escaping, enabling command injection via special characters.

Changes

• Added escape_shell_value() - Escapes \, ", $, `, and \n before writing to shell files
• Updated update_in_file() and append_to_file() - Both now escape values before insertion
• Added security tests - Verify escaping behavior and command injection prevention

Example

Before:

// Vulnerable to injection
content.push_str(&format!("export {}=\"{}\"\n", var_name, new_value));
// Input: test`whoami`test → export SECRET="test`whoami`test"  (executes whoami)

After:

let escaped_value = Self::escape_shell_value(new_value);
content.push_str(&format!("export {}=\"{}\"\n", var_name, escaped_value));
// Input: test`whoami`test → export SECRET="test\`whoami\`test"  (safe literal)

Additional Fix

Restored proper skip_next_comment logic in remove_from_file() that was broken in previous commit.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.