fix: restricted scorecard-classic project url argument (#2649)

Author: DmitryAnansky

.changeset/dirty-walls-jam.md

@@ -0,0 +1,5 @@
+---
+"@redocly/cli": patch
+---
+
+Restricted scorecard-classic project URL to the `.redocly.com` domain only.

docs/@v2/commands/scorecard-classic.md

@@ -54,7 +54,7 @@ redocly scorecard-classic openapi/openapi.yaml --config=./another/directory/redo
 
 ### Configure scorecard in redocly.yaml
 
-You can configure the scorecard project URL in your Redocly configuration file to avoid passing it as a command-line argument:
+You can configure the scorecard project URL in your Redocly configuration file to avoid passing it as a command-line argument. The URL must use a hostname that ends with `.redocly.com` (for example, `app.cloud.redocly.com`), other domains are not allowed.
 
 ```yaml
 scorecard:

packages/cli/src/commands/scorecard-classic/__tests__/project-url.test.ts

@@ -0,0 +1,22 @@
+import { isAllowedScorecardProjectUrl } from '../validation/project-url.js';
+
+describe('isAllowedScorecardProjectUrl', () => {
+  it('should return true for valid project URLs', () => {
+    expect(
+      isAllowedScorecardProjectUrl('https://app.some.redocly.com/org/my-org/project/my-project')
+    ).toBe(true);
+  });
+
+  it('should return false for invalid project URLs', () => {
+    expect(isAllowedScorecardProjectUrl('https://example.com/org/my-org/project/my-project')).toBe(
+      false
+    );
+    expect(isAllowedScorecardProjectUrl('file://example/org/my-org/project/my-project')).toBe(
+      false
+    );
+    expect(
+      isAllowedScorecardProjectUrl('https://app.some.remocly.com/org/my-org/project/my-project')
+    ).toBe(false);
+    expect(isAllowedScorecardProjectUrl('project/my-project')).toBe(false);
+  });
+});

packages/cli/src/commands/scorecard-classic/index.ts

@@ -10,6 +10,7 @@ import { printScorecardResultsAsJson } from './formatters/json-formatter.js';
 import { printScorecardResults } from './formatters/stylish-formatter.js';
 import { fetchRemoteScorecardAndPlugins } from './remote/fetch-scorecard.js';
 import type { ScorecardClassicArgv } from './types.js';
+import { isAllowedScorecardProjectUrl } from './validation/project-url.js';
 import { validateScorecard } from './validation/validate-scorecard.js';
 
 export async function handleScorecardClassic({
@@ -46,6 +47,10 @@ export async function handleScorecardClassic({
     );
   }
 
+  if (!isAllowedScorecardProjectUrl(projectUrl)) {
+    exitWithError(`Project URL must be from the .redocly.com domain. Received: ${projectUrl}`);
+  }
+
   if (isNonInteractiveEnvironment() && !apiKey) {
     exitWithError(
       'Please provide an API key using the REDOCLY_AUTHORIZATION environment variable.\n'

packages/cli/src/commands/scorecard-classic/validation/project-url.ts

@@ -0,0 +1,10 @@
+const ALLOWED_DOMAIN_SUFFIX = '.redocly.com';
+
+export function isAllowedScorecardProjectUrl(urlString: string): boolean {
+  try {
+    const hostname = new URL(urlString).hostname.toLowerCase();
+    return hostname.endsWith(ALLOWED_DOMAIN_SUFFIX);
+  } catch {
+    return false;
+  }
+}