
Feat: add featuregates to disallow url in ref-objects #4446

Merged: 1 commit merged into kubevela:master from the feat/add_gates_for_url branch on Jul 25, 2022

Conversation

@Somefive Somefive (Collaborator) commented Jul 25, 2022

Signed-off-by: Somefive yd219913@alibaba-inc.com

Description of your changes

For security reasons, allowing URLs in ref-objects could lead to potential risks. This PR allows administrators to decide whether to enable this feature. (By default, this is enabled.)

I have:

  • Read and followed KubeVela's contribution process.
  • Related Docs updated properly. In a new feature or configuration option, an update to the documentation is necessary.
  • Run make reviewable to ensure this PR is ready for review.
  • Added backport release-x.y labels to auto-backport this PR if necessary.

How has this code been tested

Special notes for your reviewer

Signed-off-by: Somefive <yd219913@alibaba-inc.com>
@Somefive Somefive added the labels backport release-1.4 and backport release-1.5 (adding these labels automatically backports this PR to the release-1.4 and release-1.5 branches) Jul 25, 2022
@codecov codecov bot commented Jul 25, 2022

Codecov Report

Merging #4446 (78db78d) into master (572fba3) will increase coverage by 0.42%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master    #4446      +/-   ##
==========================================
+ Coverage   59.51%   59.94%   +0.42%     
==========================================
  Files         343      348       +5     
  Lines       34285    34427     +142     
==========================================
+ Hits        20405    20636     +231     
+ Misses      11188    11038     -150     
- Partials     2692     2753      +61     
Flag                    Coverage   Δ
apiserver-e2etests      27.58%     <0.00%> (+0.03%) ⬆️
apiserver-unittests     40.24%     <ø>     (+0.04%) ⬆️
core-unittests          56.47%     <0.00%> (+0.09%) ⬆️
e2e-multicluster-test   19.75%     <0.00%> (?)
e2e-rollout-tests       22.87%     <0.00%> (-0.01%) ⬇️
e2etests                ?

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files                                              Coverage   Δ
pkg/appfile/parser.go                                       55.97%     <0.00%> (+5.43%)  ⬆️
pkg/features/controller_features.go                         100.00%    <ø>     (ø)
.../manualscalertrait/manualscalertrait_controller.go       11.53%     <0.00%> (-55.77%) ⬇️
.../core.oam.dev/v1beta1/componentdefinition_types.go       0.00%      <0.00%> (-50.00%) ⬇️
pkg/webhook/utils/utils.go                                  0.00%      <0.00%> (-38.47%) ⬇️
.../core/scopes/healthscope/healthscope_controller.go       41.73%     <0.00%> (-30.44%) ⬇️
pkg/utils/errors/list.go                                    57.14%     <0.00%> (-28.58%) ⬇️
apis/core.oam.dev/v1alpha2/methods.go                       0.00%      <0.00%> (-25.00%) ⬇️
pkg/appfile/template.go                                     35.16%     <0.00%> (-20.77%) ⬇️
apis/core.oam.dev/v1alpha1/applyonce_types.go               0.00%      <0.00%> (-20.00%) ⬇️
... and 76 more


Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@barnettZQG barnettZQG (Collaborator)

@Somefive Do we need to add a simple whitelist mechanism to judge the target host?

@Somefive Somefive (Collaborator, Author)

> @Somefive Do we need to add a simple whitelist mechanism to judge the target host?

Good idea. We can make this extension in the future.
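As an added example (not KubeVela's code and not part of this PR), the following Go sketch shows how the feature gate this PR introduces and the host allowlist suggested in the thread above can be composed into one validation step for a ref-object URL. The type and function names (Policy, ValidateRefURL, ErrURLDisabled) are hypothetical, the sample URLs are constructed, and the https-only rule is an extra assumption this example makes rather than something the PR states.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Policy combines the two controls discussed in the PR thread:
// a feature gate that disables URL references entirely (what the PR adds),
// and a host allowlist to judge the target host (the suggested follow-up).
// The type and field names are hypothetical, not KubeVela's own.
type Policy struct {
	// AllowURLs mirrors the feature gate: false rejects every URL reference.
	AllowURLs bool
	// AllowedHosts lists hostnames (and, implicitly, their subdomains) a
	// ref-object URL may point to. An empty list means any host is accepted
	// once the gate is on, which matches the PR's "enabled by default" state.
	AllowedHosts []string
}

// ErrURLDisabled is returned when the feature gate is off.
var ErrURLDisabled = errors.New("url references in ref-objects are disabled by feature gate")

// ValidateRefURL checks one ref-object URL against the policy and returns the
// parsed URL on success. Gate, scheme, host and allowlist failures are all
// reported as errors so the caller handles them uniformly.
func (p Policy) ValidateRefURL(raw string) (*url.URL, error) {
	if !p.AllowURLs {
		return nil, ErrURLDisabled
	}
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("ref url %q: %w", raw, err)
	}
	// Assumption of this example (not stated in the PR): only https is
	// accepted, so plain-http or file-style references never reach a fetcher.
	if u.Scheme != "https" {
		return nil, fmt.Errorf("ref url %q: scheme %q is not https", raw, u.Scheme)
	}
	// Hostname() strips any port and IPv6 brackets; compare case-insensitively.
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return nil, fmt.Errorf("ref url %q: missing host", raw)
	}
	if len(p.AllowedHosts) == 0 {
		return u, nil
	}
	for _, allowed := range p.AllowedHosts {
		allowed = strings.ToLower(strings.TrimSpace(allowed))
		if allowed == "" {
			continue
		}
		// Exact match or a subdomain of the allowed host. The suffix check
		// includes the leading dot, so "notexample.com" does not match
		// an allowlist entry of "example.com".
		if host == allowed || strings.HasSuffix(host, "."+allowed) {
			return u, nil
		}
	}
	return nil, fmt.Errorf("ref url %q: host %q is not in the allowlist", raw, host)
}

func main() {
	// Constructed sample inputs; the hosts are illustrative only.
	gateOff := Policy{AllowURLs: false}
	gateOn := Policy{AllowURLs: true, AllowedHosts: []string{"example.com"}}
	for _, raw := range []string{
		"https://raw.example.com/app.yaml",
		"https://notexample.com/app.yaml",
		"http://example.com/app.yaml",
	} {
		_, offErr := gateOff.ValidateRefURL(raw)
		_, onErr := gateOn.ValidateRefURL(raw)
		fmt.Printf("%s\n  gate off: %v\n  gate on:  %v\n", raw, offErr, onErr)
	}
}
```

With the gate off every URL is refused before parsing, which is the coarse control the PR ships; the allowlist only comes into play once an administrator has turned URLs back on, and an empty allowlist keeps today's behaviour so the two controls can be rolled out independently.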

@wonderflow wonderflow merged commit e595879 into kubevela:master Jul 25, 2022
@github-actions

Backport failed for release-1.4, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally.

git fetch origin release-1.4
git worktree add -d .worktree/backport-4446-to-release-1.4 origin/release-1.4
cd .worktree/backport-4446-to-release-1.4
git checkout -b backport-4446-to-release-1.4
ancref=$(git merge-base 572fba3539b0d8d7e98f3d335300353f0ccdb498 78db78d9081dcdf6d970e619e6fb207940cd2a1c)
git cherry-pick -x $ancref..78db78d9081dcdf6d970e619e6fb207940cd2a1c

@github-actions

Backport failed for release-1.5, because it was unable to create a new branch.

Please cherry-pick the changes locally.

git fetch origin release-1.5
git worktree add -d .worktree/backport-4446-to-release-1.5 origin/release-1.5
cd .worktree/backport-4446-to-release-1.5
git checkout -b backport-4446-to-release-1.5
ancref=$(git merge-base 572fba3539b0d8d7e98f3d335300353f0ccdb498 78db78d9081dcdf6d970e619e6fb207940cd2a1c)
git cherry-pick -x $ancref..78db78d9081dcdf6d970e619e6fb207940cd2a1c

@Somefive Somefive removed the backport release-1.4 label Jul 26, 2022
@Somefive Somefive deleted the feat/add_gates_for_url branch June 20, 2023 13:31
Labels: backport release-1.5