feat(Sharding*): contexts for broadcastEval

[amishshah]

Please describe the changes this PR makes and why it should be merged:

This allows developers to write safer eval code by allowing them to pass functions and contexts to broadcastEval in both ShardClientUtil and ShardingManager.

This avoids directly injecting malicious code into your eval scripts. Instead, you can treat your functions as templates (which you can make sure are safe) which are then injected with a context later on.

For example, the following code is vulnerable (taken and adapted from https://github.com/oadpoaw/discordjs-bot-rce). It's important to recognise that this isn't a security issue with discord.js -- using eval is inherently dangerous, and this is the clearest case of passing unsanitised input to eval.

function findUser(userId) {
  return this.users.cache.get(userId);
}

const unsafe = `');process.exit();a=('`; // causes the shard to exit
const results = await client.shard.broadcastEval(`(${findUser}).call(this, '${unsafe}')`);

While this isn't a security issue with discord.js, we can definitely make it much easier to write safer code. The following code snippet is not vulnerable.

function findUser(client, { userId }) {
  return this.users.cache.get(userId);
}

const unsafe = `');process.exit();a=('`;
const results = await client.shard.broadcastEval(findUser, { context: { userId: unsafe }});

It's important to note that the context you pass (e.g. in the above example, the context is { userId: unsafe } must be JSON-serializable. This means you can't pass complex data types in the context directly.

This PR removes support for calling broadcastEval with strings to enforce better practice with security.

Status and versioning classification:

• Code changes have been tested against the Discord API, or there are no code changes
• I know how to update typings and have done so, or typings don't need updating
• This PR changes the library's interface (methods or parameters added)
• This PR includes breaking changes (methods removed or renamed, parameters moved or removed)

[SpaceEEC]

Is there something speaking against requiring a function to be passed?
I fear this otherwise might go unnoticed / continues to be an issue with snippets / examples floating around.

[amishshah]

Is there something speaking against requiring a function to be passed?
I fear this otherwise might go unnoticed / continues to be an issue with snippets / examples floating around.

Updated the PR with this suggestion! 😄

Stale

[SpaceEEC]

One more thing