Add `:url` Validator to Enforce HTTP/HTTPS URI Schemes Only

[alexskr]

Feature request:
Add a new :url validator type to Goo::Validators::DataType that ensures user-supplied URIs are http or https schemes only.

Use case:
The current :uri validator accepts all valid RDF::URIs, which can include schemes like file:, ftp:, data:, or javascript:. While technically valid, these can introduce security risks. Restricting to HTTP(S) schemes mitigates SSRF and URI injection vulnerabilities.

[syphax-bouazzouni]

Good idea

[alexskr]

or just use :url instead of :http_uri ? Technically speaking URL inclues file:// scheme, but in our case we would allow only http/https

[maboukerfa]

Restricting to HTTP-only URLs is insufficient to fully mitigate SSRF vulnerabilities. Attackers can still access internal resources through:

# Get results from the internal SPARQL service directly 
http://localhost:1111/sparql/?default-graph-uri=&query=SELECT?s?p?o WHERE{?s?p?o}&format=text%2Fhtml&should-sponge=&timeout=0&signal_void=on

And localhost has various representations, so custom filters won't be much efficient:

• Standard addresses:

  http://localhost:1111
  http://127.0.0.1:1111
  http://0.0.0.0:1111
  http://[::]:1111
  

• Alternative encodings:

  http://2130706433:1111 (decimal IP)
  http://0x7f000001:1111 (hexadecimal IP)
  http://0177.0.0.1:1111 (octal IP)
  

• Domain variants:

  http://localtest.me:1111
  http://127.0.0.1.nip.io:1111
  http://anything.localhost:1111
  

[alexskr]

Yes, we should block localhost and loopback interfaces, as well as link-local metadata IP addresses like 169.254.169.254.
It may also be a good idea to block all private IP address ranges by default, with support for an optional allowlist in cases where access to internal resources is legitimate.
Alternatively, we could require all outbound requests to go through a proxy

[alexskr]

Implementing a comprehensive SSRF protection in GOO is somewhat too complex without performing DNS resolution, and running DNS lookups when validating data is not ideal. It should be implemented higher in the stack.
refactoring LinkedData::Utils::FileHelpers.download_file in oLD would be a reasonable place to start.