fix(function): validate custom tool param keys before code interpolation

Author: waleedlatif1

apps/sim/app/api/function/execute/route.ts

@@ -1089,18 +1089,21 @@ export const POST = withRouteHandler(async (req: NextRequest) => {
 
     const executionMethod = 'isolated-vm'
 
+    const SAFE_IDENTIFIER = /^[a-zA-Z_][a-zA-Z0-9_]*$/
     const wrapperLines = ['(async () => {', '  try {']
     if (isCustomTool) {
       Object.keys(executionParams).forEach((key) => {
-        wrapperLines.push(`    const ${key} = params.${key};`)
+        if (SAFE_IDENTIFIER.test(key)) {
+          wrapperLines.push(`    const ${key} = params.${key};`)
+        }
       })
     }
     userCodeStartLine = wrapperLines.length + 1
 
     let codeToExecute = resolvedCode
     let prependedLineCount = 0
     if (isCustomTool) {
-      const paramKeys = Object.keys(executionParams)
+      const paramKeys = Object.keys(executionParams).filter((key) => SAFE_IDENTIFIER.test(key))
       const paramDestructuring = paramKeys.map((key) => `const ${key} = params.${key};`).join('\n')
       codeToExecute = `${paramDestructuring}\n${resolvedCode}`
       prependedLineCount = paramKeys.length