
feat(security): added containment options and predefined secure loaders#145

Merged
fredbi merged 1 commit into
go-openapi:masterfrom
fredbi:doc/security-implications
Jun 7, 2026

Conversation

@fredbi

@fredbi fredbi commented Jun 7, 2026

Member

The loaders may now be constrained to prevent the spec loading from escaping a local root or escaping to forbidden URLs.

Defaults remain unaffected and insecure: this avoids breaking changes.

The default use case for this library is not to guard against uncontrolled adversarial specs but to easily load a spec the user knows.

We expose the new contained options and loaders for users who'd like to use this library in a more open context, where the source is not necessarily trusted.

Change type

Please select: 🆕 New feature or enhancement | 🔧 Bug fix | 📃 Documentation update

Short description

Fixes

Full description

Checklist

  • I have signed all my commits with my name and email (see DCO). This does not require a PGP-signed commit.
  • I have rebased and squashed my work, so only one commit remains
  • I have added tests to cover my changes.
  • I have properly enriched go doc comments in code.
  • I have properly documented any breaking change.
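As an added illustration (not code from go-openapi, this PR, or its restricted.go), here is a Go sketch of the two containment checks the description names: a local root that a reference may not escape, and an allow list of schemes and hosts for remote references. The `Containment` type, its fields and the `ContainPath`/`ContainURL` methods are hypothetical names chosen for this example; the library's own API is not reproduced. The sample references in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// Sentinel errors a caller can test for with errors.Is.
var (
	ErrEscapesRoot  = errors.New("spec path escapes the permitted root")
	ErrForbiddenURL = errors.New("spec URL is not permitted")
)

// Containment is a hypothetical policy (not the library's type) that bounds where a
// loader may read from. An empty Root disables local loading; an empty AllowedHosts
// disables remote loading.
type Containment struct {
	Root           string   // local directory the loader must stay inside
	AllowedSchemes []string // e.g. "https"; compared case-insensitively
	AllowedHosts   []string // exact hostnames remote references may target
}

func inList(list []string, want string) bool {
	for _, item := range list {
		if strings.EqualFold(item, want) {
			return true
		}
	}
	return false
}

// ContainPath resolves candidate against the root and returns the path to read, or
// ErrEscapesRoot if the result lies outside the root. Both lexical "../" escapes and
// symlinks that point outside the root are rejected.
func (c Containment) ContainPath(candidate string) (string, error) {
	if c.Root == "" {
		return "", fmt.Errorf("%w: local loading is disabled", ErrEscapesRoot)
	}
	root, err := filepath.Abs(c.Root)
	if err != nil {
		return "", err
	}
	// Canonicalise the root itself (e.g. /tmp -> /private/tmp on macOS) so the
	// comparison below is between two resolved paths.
	if resolved, err := filepath.EvalSymlinks(root); err == nil {
		root = resolved
	}
	target := candidate
	if !filepath.IsAbs(target) {
		target = filepath.Join(root, target)
	}
	target = filepath.Clean(target)
	// Follow symlinks when the target exists. A path that does not exist cannot be
	// read anyway, so it only gets the lexical check below.
	if resolved, err := filepath.EvalSymlinks(target); err == nil {
		target = resolved
	} else if !errors.Is(err, os.ErrNotExist) {
		return "", err
	}
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %s", ErrEscapesRoot, candidate)
	}
	return target, nil
}

// ContainURL checks a remote reference against the scheme and host allow lists and
// returns the parsed URL. Userinfo is refused: in "https://a.example.com@b.example.net/"
// the allowed name sits in the userinfo part while the host is b.example.net, so only
// the parsed Hostname() is compared, never the raw string.
func (c Containment) ContainURL(ref string) (*url.URL, error) {
	u, err := url.Parse(ref)
	if err != nil {
		return nil, err
	}
	if !inList(c.AllowedSchemes, u.Scheme) {
		return nil, fmt.Errorf("%w: scheme %q", ErrForbiddenURL, u.Scheme)
	}
	if u.User != nil {
		return nil, fmt.Errorf("%w: credentials in URL", ErrForbiddenURL)
	}
	host := u.Hostname() // strips the port and IPv6 brackets
	if host == "" || !inList(c.AllowedHosts, host) {
		return nil, fmt.Errorf("%w: host %q", ErrForbiddenURL, host)
	}
	return u, nil
}

func main() {
	policy := Containment{Root: ".", AllowedSchemes: []string{"https"}, AllowedHosts: []string{"specs.example.com"}}
	// Constructed references, local and remote, run through the policy.
	for _, ref := range []string{
		"openapi.yaml",
		"../outside/openapi.yaml",
		"https://specs.example.com/v1/openapi.json",
		"https://specs.example.com@evil.example.net/v1/openapi.json",
	} {
		var err error
		if strings.Contains(ref, "://") {
			_, err = policy.ContainURL(ref)
		} else {
			_, err = policy.ContainPath(ref)
		}
		fmt.Printf("%-60s -> %v\n", ref, err)
	}
}
```

The root is canonicalised before any relative reference is joined to it, and existing targets are resolved through `filepath.EvalSymlinks`, so a symlink placed inside the root that points outside it fails the same `filepath.Rel` test as a plain `../` escape. Matching the defaults the PR keeps, a zero-value `Containment` refuses everything, so a caller opts into each source kind explicitly.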

The loaders may now be constrained to prevent the spec loading from escaping
a local root or escaping to forbidden URLs.

Defaults remain unaffected and insecure: this avoids breaking changes.

The default use case for this library is not to guard against uncontrolled
adversarial specs but to easily load a spec the user knows.

We expose the new contained options and loaders for users who'd like to
use this library in a more open context, where the source is not
necessarily trusted.

Signed-off-by: Frederic BIDON <fredbi@yahoo.com>
@fredbi fredbi force-pushed the doc/security-implications branch from cdf8099 to 87cc26d June 7, 2026 15:09
@codecov

codecov Bot commented Jun 7, 2026


Codecov Report

❌ Patch coverage is 92.75362% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.86%. Comparing base (f9dfe0a) to head (87cc26d).
⚠️ Report is 1 commit behind head on master.
✅ All tests successful. No failed tests found.

Files with missing lines | Patch % | Lines
restricted.go | 89.13% | 3 Missing and 2 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master     #145      +/-   ##
==========================================
+ Coverage   80.78%   82.86%   +2.08%     
==========================================
  Files           4        5       +1     
  Lines         229      286      +57     
==========================================
+ Hits          185      237      +52     
- Misses         28       31       +3     
- Partials       16       18       +2     


@fredbi fredbi merged commit 20651cc into go-openapi:master Jun 7, 2026
21 checks passed
@fredbi fredbi deleted the doc/security-implications branch June 7, 2026 15:16