fix(import-url)!: validate artifact URLs to prevent SSRF. Fixes #304 #316

Open
rootp1 wants to merge 6 commits into microcks:master from rootp1:fix/issue-305

rootp1 commented May 7, 2026

Description

  • Added pkg/util/url_validation.go with ValidateArtifactURL() that enforces scheme allowlist and blocks private/internal IP ranges before any URL is sent to the Microcks server
  • Scheme allowlist: only https:// is permitted by default; http:// requires the new --allow-insecure-url flag; all other schemes (file://, ftp://, gopher://, etc.) are always rejected
  • Private IP block (always enforced, cannot be bypassed): rejects loopback (127.0.0.0/8, ::1), link-local (169.254.0.0/16 - covers cloud metadata at 169.254.169.254), RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), carrier-grade NAT (100.64.0.0/10), unspecified (0.0.0.0, ::), and well-known internal hostnames (localhost, host.docker.internal)
  • DNS resolution of hostnames: all resolved IPs are checked against private ranges to prevent bypassing via DNS names that resolve internally
  • Added --allow-insecure-url flag to import-url command (default false) for users who need http:// for internal artifact repositories
  • Added allowInsecure parameter to DownloadArtifact interface method so the flag propagates end-to-end through the validation layer
  • Added comprehensive test suite: 27 URL validation tests, 15 IP classification tests, 6 hostname tests, plus connector-level integration tests for private IP rejection, HTTP scheme rejection, and HTTP-with-flag acceptance

Reproduction results

Before fix - SSRF to cloud metadata:

microcks import-url http://169.254.169.254/latest/meta-data/
→ Server fetches the URL, returns cloud IAM credentials

After fix - Blocked:

microcks import-url http://169.254.169.254/latest/meta-data/
→ Error: artifact URL validation failed: IP address "169.254.169.254" is not allowed as it is a private/reserved address

Before fix - SSRF to localhost:

microcks import-url http://localhost:8080/api/admin/
→ Server fetches internal endpoint

After fix - Blocked:

microcks import-url http://localhost:8080/api/admin/
→ Error: artifact URL validation failed: hostname "localhost" is not allowed as it resolves to an internal address

Before fix - No scheme validation:

microcks import-url file:///etc/passwd
→ URL passed to server without any scheme check

After fix - Blocked:

microcks import-url file:///etc/passwd
→ Error: URL must have a host (file:// has no host component)

Legitimate use still works:

microcks import-url https://example.com/openapi.yaml
→ Microcks has discovered 'openapi.yaml'

microcks import-url http://93.184.216.34/spec.yaml --allow-insecure-url
→ Microcks has discovered 'spec.yaml'

Related issue(s)

Fixes Server-Side Request Forgery (SSRF) vulnerability in import-url command where unvalidated artifact URLs allow coercion of the Microcks server to fetch internal network resources, including cloud metadata endpoints.
Fixes #304

BREAKING CHANGE

MicrocksClient.DownloadArtifact interface signature now requires an allowInsecure bool parameter as the fourth argument. Any external implementations of this interface must be updated from DownloadArtifact(artifactURL string, mainArtifact bool, secret string) to DownloadArtifact(artifactURL string, mainArtifact bool, secret string, allowInsecure bool).
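
A minimal Go sketch of the checks listed in the description above (scheme allowlist, blocked hostnames, and every resolved address tested against the listed ranges), added here as an example; it is not the PR's url_validation.go. CheckArtifactURL, Resolver and the stub resolver answer are hypothetical names and constructed values.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)
// Ranges named in the PR description; this sketch always rejects them.
var blocked = []string{"127.0.0.0/8", "::1/128", "169.254.0.0/16", "10.0.0.0/8",
	"172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "0.0.0.0/32", "::/128"}
// Resolver has net.LookupHost's signature; injected so the check runs offline.
type Resolver func(host string) ([]string, error)
func isBlocked(a netip.Addr) bool {
	a = a.Unmap() // compare ::ffff:10.0.0.1 as 10.0.0.1
	for _, c := range blocked {
		if netip.MustParsePrefix(c).Contains(a) {
			return true
		}
	}
	return false
}
// CheckArtifactURL is a hypothetical stand-in, not the PR's ValidateArtifactURL.
func CheckArtifactURL(raw string, allowInsecure bool, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "https" && !(u.Scheme == "http" && allowInsecure)) {
		return fmt.Errorf("URL %q rejected: unparsable or scheme not allowed", raw)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || host == "localhost" || host == "host.docker.internal" {
		return fmt.Errorf("host %q is not allowed", host)
	}
	ips := []string{host}
	if _, perr := netip.ParseAddr(host); perr != nil { // not an IP literal: resolve it
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve %q: %v", host, err)
		}
	}
	for _, ip := range ips { // every resolved address must pass, not just the first
		if a, perr := netip.ParseAddr(ip); perr != nil || isBlocked(a) {
			return fmt.Errorf("address %q is private/reserved or invalid", ip)
		}
	}
	return nil
}
func main() {
	stub := func(string) ([]string, error) { return []string{"10.0.0.5"}, nil } // constructed answer
	fmt.Println(CheckArtifactURL("https://specs.example.test/openapi.yaml", false, stub))
}
```

In real use the resolver would be net.LookupHost. Because the Microcks server performs the fetch, a name can resolve differently at fetch time than it did during this check, so client-side validation of this kind complements, rather than replaces, validation on the fetching side.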

rootp1 added 6 commits May 6, 2026 23:39
Signed-off-by: rootp1 <arnav.iitr@gmail.com>

rootp1 commented May 7, 2026

Hey, @yada @lbroudoux @Harsh4902
I have tried the best practices in this PR, and have tried to follow all the contribution guidelines. Please have a look whenever you have a chance to.

rootp1 changed the title from "fix(import-url)!: validate artifact URLs to prevent SSRF. Fixes #305" to "fix(import-url)!: validate artifact URLs to prevent SSRF. Fixes #304" on May 7, 2026

Successfully merging this pull request may close these issues.

SSRF via Unvalidated import-url Artifact URLs