
fix(validators): allow brackets in query parameters while blocking IPv6 addresses#4584

Open
bogdanmariusc10 wants to merge 2 commits into main from 4580-bug-url-validators-ipv6-check-rejects-url-encoded-brackets-in-query-params

Conversation

@bogdanmariusc10
Collaborator

🔗 Related Issue

Closes #4580


📝 Summary

Fixed an overly broad IPv6 validation check in SecurityValidator.validate_url() that incorrectly rejected URLs containing [ or ] characters anywhere in the URL, including legitimate query parameters.

Problem: The validator scanned the entire decoded URL for brackets, causing false positives on common API patterns like:

  • ?filter[name]=value (Laravel/Spatie)
  • ?sort[0]=name&sort[1]=created_at (array notation)
  • ?include[]=relation (JSON:API)

Root Cause: IPv6 addresses only appear in the netloc (hostname) with brackets per RFC 3986, but the check was applied to the entire URL.

Solution:

  • Removed the broad bracket check that scanned the full decoded URL
  • IPv6 validation now only checks the netloc portion (both literal and URL-encoded)
  • Added comprehensive test coverage for bracket usage in query parameters

Security Impact: ✅ No vulnerabilities introduced

  • IPv6 addresses (literal [::1] and encoded %5B::1%5D) are still blocked
  • All injection attempts (XSS, CRLF, protocol injection) remain blocked
  • Brackets in query params, paths, and fragments are now correctly allowed

🏷️ Type of Change

  • Bug fix
  • Feature / Enhancement
  • Documentation
  • Refactor
  • Chore (deps, CI, tooling)
  • Other (describe below)

🧪 Verification

Check           Command        Status
Lint suite      make lint      ✅ Pass
Unit tests      make test      ✅ Pass
Coverage ≥ 80%  make coverage  ✅ Pass

Test Results:


✅ Checklist

  • Code formatted (make black isort pre-commit)
  • Tests added/updated for changes
  • Documentation updated (if applicable)
  • No secrets or credentials committed

📓 Notes

Example URLs now working:

http://bar-assistant.bar-assistant.svc:8080/api/ingredients?filter%5Bparent_ingredient_id%5D=null&per_page=100
https://api.example.com/items?filter[name]=value
https://api.example.com/items?sort[0]=name&sort[1]=created_at

Security verification performed:

  1. ✅ Legitimate bracket query parameters allowed
  2. ✅ IPv6 addresses (literal and encoded) still blocked
  3. ✅ All injection attempts still blocked (JavaScript, data URIs, XSS, CRLF)
  4. ✅ No encoding bypass vulnerabilities
  5. ✅ Edge cases tested (brackets in path, fragment, multiple params)

Code changes:

Signed-off-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com>
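As an added illustration (not code from this PR or from its project), the following Python sketch contrasts the two behaviours the description reports: a broad check that scans the whole decoded URL for brackets, beside a check that decodes and inspects only the netloc, where RFC 3986 reserves brackets for IP-literals. The function names, the scheme allow-list and the control-character rule are assumptions made for this example; the sample URLs are the ones listed in the notes above plus constructed IPv6 forms.

```python
"""Added example (not code from this PR or its project): a URL validator
that rejects IPv6 literal hosts, whether written as [::1] or percent-encoded
as %5B::1%5D, while allowing brackets in the path, query and fragment.

Function names and the scheme allow-list are assumptions for this example.
"""
from typing import Optional
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumed policy for this example


def _split(url: str):
    # urlsplit raises ValueError for malformed IP-literals such as "[::1"
    # (and, on recent Python versions, for "[not-an-address]"); treat those
    # as rejected rather than letting the exception escape.
    try:
        return urlsplit(url)
    except ValueError:
        return None


def reject_reason_broad(url: str) -> Optional[str]:
    """'Before' behaviour: scans the entire decoded URL for brackets.

    This wrongly rejects ?filter[name]=value and its %5B/%5D-encoded form.
    Returns None when the URL is accepted, otherwise a short reason.
    """
    parts = _split(url)
    if parts is None:
        return "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    decoded = unquote(url)
    if "[" in decoded or "]" in decoded:
        return "IPv6 address not allowed"  # false positive on query brackets
    return None


def reject_reason_fixed(url: str) -> Optional[str]:
    """'After' behaviour: brackets are only significant in the authority.

    RFC 3986 reserves [ and ] in the host part for IP-literals, so only the
    netloc is decoded and inspected. Other components may contain brackets.
    """
    parts = _split(url)
    if parts is None:
        return "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    if not parts.netloc:
        return "missing host"
    # urlsplit leaves the authority percent-encoded, so %5B::1%5D would slip
    # past a literal-only comparison; decode before testing.
    netloc = unquote(parts.netloc)
    if "[" in netloc or "]" in netloc:
        return "IPv6 address not allowed"
    # Independent of the bracket rule: reject raw or percent-encoded control
    # characters (CR, LF, ...) anywhere in the URL.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in unquote(url)):
        return "control character in URL"
    return None


def is_valid_url(url: str) -> bool:
    """Convenience wrapper around the fixed check."""
    return reject_reason_fixed(url) is None


if __name__ == "__main__":
    samples = [  # the first three come from the PR notes; the rest are constructed
        "http://bar-assistant.bar-assistant.svc:8080/api/ingredients"
        "?filter%5Bparent_ingredient_id%5D=null&per_page=100",
        "https://api.example.com/items?filter[name]=value",
        "https://api.example.com/items?sort[0]=name&sort[1]=created_at",
        "http://[::1]:8080/api/items",
        "http://%5B::1%5D:8080/api/items",
    ]
    for u in samples:
        print(f"{u}\n  before: {reject_reason_broad(u)}"
              f"\n  after:  {reject_reason_fixed(u)}")
```

Running the block prints, for each sample, what the broad and the netloc-only checks return; the three bracketed-query URLs flip from rejected to accepted, while both IPv6 forms stay rejected under either check.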
@bogdanmariusc10 added the labels bug (Something isn't working) and api (REST API Related item) on May 4, 2026

Development

Successfully merging this pull request may close these issues.

[BUG] URL validator's IPv6 check rejects URL-encoded brackets in query params