docs: add security warning comment in code-execution-executor.ts

yaonyan · yaonyan · commit 9662cbd0c37f · 2025-11-09T11:19:10.000+08:00
Add a TODO comment explaining that using new Function() with user-provided code introduces a code injection vulnerability. This clarifies the security risk for future reviewers and maintainers.
diff --git a/packages/core/src/executors/code-execution/code-execution-executor.ts b/packages/core/src/executors/code-execution/code-execution-executor.ts
@@ -241,7 +241,8 @@ export class CodeExecutionExecutor {
         return await this.server.callTool(toolName, params);
       };
 
-      // Create and execute function with injected APIs
+      // Create and execute function with injected APIs,
+      // TODO: using new Function() with user-provided code creates a code injection vulnerability, using deno to sandbox would be safer.
       const fn = new Function(
         "console",
         "callMCPTool",
