Security: Add comprehensive attack surface analysis and security documentation

[Copilot]

This PR provides a comprehensive security analysis of the AsyncAPI Generator project, identifying critical vulnerabilities and attack vectors that require immediate attention.

What was analyzed

The analysis examined the entire codebase with focus on:

• Template loading and execution mechanisms
• NPM package installation processes
• File operations and path handling
• CLI parameter parsing and input validation
• Dependency vulnerabilities
• Container security

Critical security findings

The analysis revealed several critical vulnerabilities that pose significant security risks:

1. Template Execution Without Sandboxing (CRITICAL)

Templates and hooks execute with full Node.js privileges, allowing arbitrary code execution:

// apps/generator/lib/hooksRegistry.js:44
delete require.cache[require.resolve(filePath)];
const mod = require(filePath); // Executes arbitrary code

2. Automatic NPM Package Installation (CRITICAL)

The generator automatically installs user-specified npm packages without verification:

// apps/generator/lib/generator.js:617
const installResult = await arb.reify({
  add: [this.templateName], // User-controlled package name
  saveType: 'prod',
  save: false
});

3. Critical Dependency Vulnerabilities

• JSONPath Plus RCE (CVE) - Remote code execution in jsonpath-plus ≤10.2.0
• Lodash Command Injection (CVE) - Command injection in lodash.template
• 34 total vulnerabilities identified by npm audit

4. Path Traversal Vulnerabilities (HIGH)

Insufficient path validation allows writing files outside target directories:

// apps/generator/lib/generator.js:854
const targetFile = path.resolve(this.targetDir, relativeBaseDir, newFileName);
// Can be exploited with "../../../etc/passwd" patterns

Documentation added

This PR adds three comprehensive security documents:

1. ATTACK_SURFACE_ANALYSIS.md - Complete security analysis with risk assessment matrix and detailed vulnerability descriptions
2. SECURITY_TECHNICAL_DETAILS.md - Technical implementation details, code examples, and exploitation scenarios
3. SECURITY_CHECKLIST.md - Prioritized implementation checklist with timelines for addressing vulnerabilities

Risk assessment

The analysis uses a risk matrix approach, identifying:

• 3 Critical-level vulnerabilities requiring immediate action
• 2 High-level vulnerabilities needing urgent attention
• 5 Medium/Low-level issues for future remediation

Recommended immediate actions

1. Implement template sandboxing using VM2 or similar isolation
2. Update all vulnerable dependencies especially jsonpath-plus and lodash.template
3. Add comprehensive path validation to prevent directory traversal
4. Implement template verification with digital signatures or trusted registries

Impact

These vulnerabilities could allow attackers to:

• Execute arbitrary code on systems running the generator
• Overwrite critical system files
• Exfiltrate sensitive data
• Compromise CI/CD pipelines using the generator

The documentation provides a clear roadmap for addressing these security concerns in a prioritized manner.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 35da202

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud