fix: [Coda] 修复coderunner RCE/SSRF/SQL注入安全漏洞

[wilesduan]

(LogID: 2025091818571901007120218221212EA)

What type of PR is this?

Check the PR title.

• This PR title match the format: <type>(optional scope): <description>
• The description of this PR title is user-oriented and clear enough for others to understand.
• Add documentation if the current PR requires user awareness at the usage level.

(Optional) Translate the PR title into Chinese.

(Optional) More detailed description for this PR(en: English/zh: Chinese).

en:
zh(optional):

(Optional) Which issue(s) this PR fixes:

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[codecov-commenter]

Codecov Report

❌ Patch coverage is 1.73913% with 113 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
...fra/impl/document/parser/builtin/parse_markdown.go	0.00%	76 Missing and 3 partials ⚠️
backend/application/base/appinfra/app_infra.go	0.00%	30 Missing ⚠️
backend/infra/impl/rdb/mysql.go	33.33%	3 Missing and 1 partial ⚠️

Files with missing lines	Coverage Δ
backend/infra/impl/rdb/mysql.go	74.93% <33.33%> (+0.09%)	⬆️
backend/application/base/appinfra/app_infra.go	1.54% <0.00%> (+<0.01%)	⬆️
...fra/impl/document/parser/builtin/parse_markdown.go	36.19% <0.00%> (-19.36%)	⬇️

... and 13 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[N3kox]

这里我们不需要移除本地运行方法吧？不然对现有的部分用户来说可能是破坏性的。
只需要将新用户的代码默认运行方式设置为 sandbox 即可，历史用户升级不受影响。

[N3kox]

这个貌似不在漏洞修复范围内，暂时不用改？

[N3kox]

这里不能直接禁用，workflow 数据库节点功能依赖这里，通过 env 加个配置让用户判断是否运行直接运行 sql 这样可能好点？