fix(shared): harden direct URL loading and align lodash to 4.18.1 (#2304)

Restrict DirectUrlDocumentLoader to approved hosts, block URL credentials, and force relative request paths to reduce SSRF risk (CodeQL alert 68). Add targeted tests and loader option wiring.

Also align lodash/lodash-es to 4.18.1 in overrides and regenerate lockfiles on Node 22, including advent-of-calm website.

Follow-up: merge allowedRemoteHosts from CLI user config in parseDocumentLoaderConfig and add coverage tests.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: rocketstack-matt

advent-of-calm/website/package-lock.json

@@ -6,7 +6,7 @@
     "diff": "^8.0.3",
     "ajv": "^8.18.0",
     "devalue": "^5.6.3",
-    "lodash": "^4.17.23",
+    "lodash": "^4.18.1",
     "yaml": "^2.8.3"
   },
   "scripts": {

advent-of-calm/website/package.json

@@ -12,7 +12,8 @@ vi.mock('os', () => ({
 }));
 
 const exampleConfig = {
-    calmHubUrl: 'https://example.com/calmhub'
+    calmHubUrl: 'https://example.com/calmhub',
+    allowedRemoteHosts: ['schemas.example.com']
 };
 
 
@@ -44,4 +45,4 @@ describe('cli-config', () => {
         });
         await expect(loadCliConfig()).resolves.toBeNull();
     });
-});
+});

cli/src/cli-config.spec.ts

@@ -5,6 +5,7 @@ import { join } from 'path';
 
 export interface CLIConfig {
     calmHubUrl?: string
+    allowedRemoteHosts?: string[]
 }
 
 function getUserConfigLocation(): string {
@@ -30,4 +31,4 @@ export async function loadCliConfig(): Promise<CLIConfig | null> {
         logger.error('Unexpected error loading user config: ' + String(err));
         return null;
     }
-}
+}

cli/src/cli-config.ts

@@ -7,7 +7,6 @@ import {
 } from '@finos/calm-shared';
 import { Command } from 'commander';
 import { MockInstance } from 'vitest';
-import { parseDocumentLoaderConfig } from './cli';
 
 let calmShared: typeof import('@finos/calm-shared');
 let validateModule: typeof import('./command-helpers/validate');
@@ -440,8 +439,18 @@ describe('CLI Commands', () => {
 });
 
 describe('parseDocumentLoaderConfig', () => {
+    const parseDocLoaderConfigForTest = async (options: {
+        verbose?: boolean;
+        calmHubUrl?: string;
+        schemaDirectory?: string;
+        allowedRemoteHosts?: string[];
+    }) => {
+        const cliModule = await import('./cli');
+        return cliModule.parseDocumentLoaderConfig(options);
+    };
+
     it('should parse calmhub url when provided', async () => {
-        const options = await parseDocumentLoaderConfig({
+        const options = await parseDocLoaderConfigForTest({
             calmHubUrl: 'calmhub'
         });
         expect(options.calmHubUrl).toEqual('calmhub');
@@ -451,29 +460,58 @@ describe('parseDocumentLoaderConfig', () => {
         cliConfigModule = await import('./cli-config');
         vi.spyOn(cliConfigModule, 'loadCliConfig').mockResolvedValue({ calmHubUrl: 'calmhub-file' });
 
-        const options = await parseDocumentLoaderConfig({
+        const options = await parseDocLoaderConfigForTest({
             calmHubUrl: 'calmhub-cli'
         });
         expect(options.calmHubUrl).toEqual('calmhub-cli');
     });
 
     it('should parse schemaDirectoryPath when provided', async () => {
-        const options = await parseDocumentLoaderConfig({
+        const options = await parseDocLoaderConfigForTest({
             schemaDirectory: 'path'
         });
         expect(options.schemaDirectoryPath).toEqual('path');
     });
 
+    it('should parse allowedRemoteHosts when provided', async () => {
+        const options = await parseDocLoaderConfigForTest({
+            allowedRemoteHosts: ['schemas.example.com']
+        });
+        expect(options.allowedRemoteHosts).toEqual(['schemas.example.com']);
+    });
+
+    it('should use allowedRemoteHosts from config when CLI does not provide them', async () => {
+        cliConfigModule = await import('./cli-config');
+        vi.spyOn(cliConfigModule, 'loadCliConfig').mockResolvedValue({
+            allowedRemoteHosts: ['config.example.com']
+        });
+
+        const options = await parseDocLoaderConfigForTest({});
+        expect(options.allowedRemoteHosts).toEqual(['config.example.com']);
+    });
+
+    it('should prefer CLI allowedRemoteHosts over config values', async () => {
+        cliConfigModule = await import('./cli-config');
+        vi.spyOn(cliConfigModule, 'loadCliConfig').mockResolvedValue({
+            allowedRemoteHosts: ['config.example.com']
+        });
+
+        const options = await parseDocLoaderConfigForTest({
+            allowedRemoteHosts: ['cli.example.com']
+        });
+        expect(options.allowedRemoteHosts).toEqual(['cli.example.com']);
+    });
+
     it('should set debug to true when verbose passed along', async () => {
-        const options = await parseDocumentLoaderConfig({
+        const options = await parseDocLoaderConfigForTest({
             verbose: true
         });
         expect(options.debug).toBeTruthy();
     });
 
     it('should default debug to false', async () => {
-        const options = await parseDocumentLoaderConfig({
+        const options = await parseDocLoaderConfigForTest({
         });
         expect(options.debug).toBeFalsy();
     });
-});
+});

cli/src/cli.spec.ts

@@ -2,7 +2,7 @@ import { CALM_META_SCHEMA_DIRECTORY, DocifyMode, initLogger, runGenerate, Schema
 import { Option, Command } from 'commander';
 import { version } from '../package.json';
 import { promptUserForOptions } from './command-helpers/generate-options';
-import { loadCliConfig } from './cli-config';
+import * as cliConfig from './cli-config';
 import path from 'path';
 import { select } from '@inquirer/prompts';
 
@@ -245,6 +245,7 @@ interface ParseDocumentLoaderOptions {
     verbose?: boolean;
     calmHubUrl?: string;
     schemaDirectory?: string;
+    allowedRemoteHosts?: string[];
 }
 
 export async function parseDocumentLoaderConfig(
@@ -258,17 +259,22 @@ export async function parseDocumentLoaderConfig(
         schemaDirectoryPath: options.schemaDirectory,
         urlToLocalMap: urlToLocalMap,
         basePath: basePath,
+        allowedRemoteHosts: options.allowedRemoteHosts,
         debug: !!options.verbose
     };
 
-    const userConfig = await loadCliConfig();
+    const userConfig = await cliConfig.loadCliConfig();
     if (userConfig && userConfig.calmHubUrl && !options.calmHubUrl) {
         logger.info('Using CALMHub URL from config file: ' + userConfig.calmHubUrl);
         docLoaderOpts.calmHubUrl = userConfig.calmHubUrl;
     }
+    if (userConfig && userConfig.allowedRemoteHosts && !options.allowedRemoteHosts) {
+        logger.info('Using allowed remote hosts from config file');
+        docLoaderOpts.allowedRemoteHosts = userConfig.allowedRemoteHosts;
+    }
     return docLoaderOpts;
 }
 
 export async function buildSchemaDirectory(docLoader: DocumentLoader, debug: boolean): Promise<SchemaDirectory> {
     return new SchemaDirectory(docLoader, debug);
-}
+}