src: disable eval() by default and add --enable-eval support

Modify context initialization to set kAllowCodeGenerationFromStrings to false by default in both snapshot and runtime. Update ModifyCodeGenerationFromStrings callback to strictly respect the embedder data, effectively disabling eval() and new Function() unless the --enable-eval flag is provided.

Author: PR3C14D0

src/api/environment.cc

@@ -822,7 +822,8 @@ Maybe<void> InitializeContextRuntime(Local<Context> context) {
   // The `IsCodeGenerationFromStringsAllowed` can be refreshed by V8 according
   // to the runtime flags, propagate the value to the embedder data.
   bool is_code_generation_from_strings_allowed =
-      context->IsCodeGenerationFromStringsAllowed();
+      context->IsCodeGenerationFromStringsAllowed() &&
+      per_process::cli_options->per_isolate->enable_eval;
   context->AllowCodeGenerationFromStrings(false);
   context->SetEmbedderData(
       ContextEmbedderIndex::kAllowCodeGenerationFromStrings,
@@ -923,7 +924,7 @@ Maybe<void> InitializeMainContextForSnapshot(Local<Context> context) {
   context->SetEmbedderData(ContextEmbedderIndex::kAllowWasmCodeGeneration,
                            True(isolate));
   context->SetEmbedderData(
-      ContextEmbedderIndex::kAllowCodeGenerationFromStrings, True(isolate));
+      ContextEmbedderIndex::kAllowCodeGenerationFromStrings, False(isolate));
 
   if (InitializeBaseContextForSnapshot(context).IsNothing()) {
     return Nothing<void>();

src/node_errors.cc

@@ -659,8 +659,7 @@ v8::ModifyCodeGenerationFromStringsResult ModifyCodeGenerationFromStrings(
 
   Local<Value> allow_code_gen = context->GetEmbedderData(
       ContextEmbedderIndex::kAllowCodeGenerationFromStrings);
-  bool codegen_allowed =
-      allow_code_gen->IsUndefined() || allow_code_gen->IsTrue();
+  bool codegen_allowed = allow_code_gen->IsTrue();
   return {
       codegen_allowed,
       {},