feat: add new URL-related validation args (public, https_only, no_ip) (#24)

* New rule: domain-only URLs (no IP addresses allowed)

* test: add not_ip_url rule test cases

* feat: add URL validation modifiers (public, https_only, no_ip)

Adds three independent URL validation rules:
- public: validates against real public domains
- https_only: enforces HTTPS protocol
- no_ip: blocks direct IP addresses

* `not_ip_url.rb` + `not_local_url.rb` rules have been deleted

* feat: add URL validation modifiers (public, https_only, no_ip)

Adds three independent URL validation rules:
- public: validates against real public domains
- https_only: enforces HTTPS protocol
- no_ip: blocks direct IP addresses

* `not_ip_url.rb` + `not_local_url.rb` rules have been deleted

* refactor(url): enhance URL rule validation with domain checks + private network check

- Use proper public domain (`public_suffix`) validation checking both structure and access

- Add pattern loading with memoization for private/reserved domains

- Fix error message consistency across validation scenarios

- Add tests for validation scenarios

* Restructured private patterns based on trustworthy srcs + some tests

Author: RaneemAlRushud

lib/mini_defender/data/private_network_patterns.txt

@@ -0,0 +1,64 @@
+# RFC 2606 - Reserved Domain Names
+# https://datatracker.ietf.org/doc/html/rfc2606
+*.test
+*.example
+*.invalid
+localhost
+*.localhost
+example.com
+example.net
+example.org
+
+# RFC 6761 - Special-Use Domain Names
+# https://datatracker.ietf.org/doc/html/rfc6761
+*.local
+*.onion
+*.home.arpa
+
+# RFC 1918 - Private Address Space
+# https://datatracker.ietf.org/doc/html/rfc1918
+10.*
+172.(1[6-9]|2[0-9]|3[0-1]).*
+192.168.*
+
+# RFC 3330 - Special-Use IPv4 Addresses
+# https://datatracker.ietf.org/doc/html/rfc3330
+127.*
+169.254.*
+0.0.0.0
+
+# RFC 4291 - IPv6 Addressing Architecture
+# https://datatracker.ietf.org/doc/html/rfc4291
+::1
+fe80:*
+::
+::ffff:*
+
+# RFC 4193 - Unique Local IPv6 Unicast Addresses
+# https://datatracker.ietf.org/doc/html/rfc4193
+fc00:*
+fd00:*
+
+# Common Internal Network Patterns (based on RFC 2606 and 6761)
+*.intranet
+*.internal
+*.corp
+*.lan
+intranet.*
+internal.*
+corp.*
+lan.*
+
+# Development Environments (based on RFC 2606)
+*.dev.test
+*.staging.test
+*.qa.test
+dev.example.*
+staging.example.*
+qa.example.*
+
+# RFC 6052 - IPv6 Translation
+64:ff9b::*
+
+# RFC 3986 - URI Encoded Forms
+%6C%6F%63%61%6C%68%6F%73%74

lib/mini_defender/rules/not_local_url.rb

@@ -1,17 +1,130 @@
 # frozen_string_literal: true
 
 require 'uri'
+require 'ipaddr'
+require 'public_suffix'
 
+# TODO: ensure rescues
 class MiniDefender::Rules::Url < MiniDefender::Rule
+  ALLOWED_MODIFIERS = %w[https public not_ip not_private]
+
+  def initialize(modifiers = [])
+    @modifiers = Array(modifiers).map(&:to_s)
+
+    unless @modifiers.empty?
+      validate_modifiers!
+    end
+
+    @validation_error = "URL modifiers list contains only #{ALLOWED_MODIFIERS.join(', ')}."
+  end
+
   def self.signature
     'url'
   end
 
+  def self.make(modifiers) # no need to raise an error when no modifier is entered; as 'url' rule checks URL structure on its own
+    new(modifiers)
+  end
+
   def passes?(attribute, value, validator)
-    value.is_a?(String) && URI.regexp(%w[http https]).match?(value)
+    # TODO: warning: URI.regexp is obsolete; use URI::DEFAULT_PARSER.make_regexp instead
+    unless value.is_a?(String) && URI::DEFAULT_PARSER.make_regexp(%w[http https]).match?(value)
+      return false
+    end
+
+    begin
+      uri = URI.parse(value)
+
+      if @modifiers.empty?
+        return true
+      end
+
+      if @modifiers.include?('https') && uri.scheme != 'https'
+        @validation_error = 'The URL must use HTTPS.'
+        return false
+      end
+
+      if @modifiers.include?('public') && (!PublicSuffix.valid?(uri.host) || self.class.private_network?(uri.host))
+        @validation_error = 'The URL must use a valid public domain.'
+        return false
+      end
+
+      if @modifiers.include?('not_ip') && ip_address?(uri.host)
+        @validation_error = 'IP addresses are not allowed in URLs.'
+        return false
+      end
+
+      if @modifiers.include?('not_private') && self.class.private_network?(uri.host)
+        @validation_error = 'Private or reserved resources are not allowed.'
+        return false
+      end
+
+      true
+    rescue URI::InvalidURIError
+      @validation_error = 'The field must contain a valid URL.'
+      false
+    rescue PublicSuffix::Error
+      false
+    end
+  end
+
+  def self.private_network?(host)
+    unless host
+      return false
+    end
+
+    host = host.downcase
+
+    private_patterns.any? { |pattern| pattern.match?(host) }
   end
 
   def message(attribute, value, validator)
-    'The field must contain a valid URL.'
+    @validation_error || 'The field must contain a valid URL.'
+  end
+
+  private
+
+  def validate_modifiers!
+    invalid_modifiers = @modifiers - ALLOWED_MODIFIERS
+    if invalid_modifiers.empty?
+      return
+    end
+
+    raise ArgumentError, "Invalid URL modifiers: #{invalid_modifiers.join(', ')}"
+  end
+
+  def ip_address?(host)
+    unless host
+      return false
+    end
+
+    begin
+      IPAddr.new(host)
+      true
+    rescue IPAddr::InvalidAddressError
+      false
+    end
+  end
+
+  def self.private_patterns
+    @private_patterns ||= begin
+      pattern_file = File.expand_path('../data/private_network_patterns.txt', __dir__)
+      File.readlines(pattern_file).filter_map do |line|
+        line = line.strip
+
+        if line.empty? || line.start_with?('#')
+          next
+        end
+
+        # Pattern => regex (once)
+        pattern = line
+                  .gsub('.', '\.')           # escape dots
+                  .gsub('*', '.*')           # wildcards => regex
+                  .gsub('[0-9]+', '\d+')     # convert number ranges
+                  .gsub(/\[(.+?)\]/, '(\1)') # convert chars classes
+
+        Regexp.new("^#{pattern}$", Regexp::IGNORECASE)
+      end
+    end
   end
 end

lib/mini_defender/rules/url.rb

@@ -34,4 +34,5 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'countries'
   spec.add_runtime_dependency 'money'
   spec.add_runtime_dependency 'marcel'
+  spec.add_runtime_dependency 'public_suffix'
 end