Harden file_url handling to prevent SSRF and internal data exfiltration

[Youssef-SH]

Fixes #4970

Summary

This PR hardens handling of the file_url parameter used during submission processing to prevent Server-Side Request Forgery (SSRF) and unintended access to internal network resources.

The previous implementation allowed arbitrary outbound requests based on user-controlled URLs, enabling access to loopback, private, or otherwise non-public network targets.

Changes

• Added strict validation of file_url scheme (HTTP/HTTPS only)
• Resolved hostnames and validated all resolved IP addresses
• Blocked loopback, private, link-local, multicast, reserved, and unspecified IP ranges
• Applied validation before any outbound network request
• Ensured redirects are also validated and restricted

Result

• Non-public or internal URLs are rejected
• No submission is created when validation fails
• Existing submission flow remains unchanged for valid public URLs

Testing

• Reproduced SSRF locally using internal HTTP endpoints (pre-fix)
• Verified requests are now rejected and no submission artifacts are created (post-fix)

[Youssef-SH]

Hi @RishabhJain2018,

I added SSRF protection for file_url submissions and updated the related unit test.

CI is currently failing, but it looks unrelated to this change (build/dependency side).

Would appreciate a review when you have a moment.