TASK-009: Mitigate SSRF vulnerability in blocklist URL validation

- Change BlocklistSourceCreate.url from str to AnyHttpUrl (Pydantic type)
  - Rejects non-http schemes (file://, ftp://, etc.) at model boundary

- Add is_private_ip() utility to detect RFC 1918 private ranges:
  - 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (RFC 1918)
  - 127.0.0.0/8, ::1/128 (loopback)
  - 169.254.0.0/16, fe80::/10 (link-local)
  - IPv6 site-local, multicast, and reserved ranges

- Add async validate_blocklist_url() function:
  - Resolves hostname via DNS using loop.run_in_executor()
  - Rejects if hostname resolves to private/reserved IP
  - Raises ValueError on validation failure

- Integrate validation into service layer:
  - create_source() calls validate_blocklist_url() before persist
  - update_source() conditionally validates if url provided
  - Both raise ValueError on failure

- Update router endpoints with error handling:
  - create_blocklist() and update_blocklist() catch ValueError
  - Return HTTP 400 Bad Request with descriptive error message

- Add comprehensive test coverage (9 new SSRF tests):
  - file://, ftp://, localhost, 127.0.0.1, 192.168.x.x
  - 10.x.x.x, 172.16.x.x, 169.254.x.x (link-local)
  - Valid public URLs (passes validation)
  - All 36 service tests passing

- Update documentation:
  - Features.md: Document URL validation constraints
  - Backend-Development.md: Add SSRF prevention pattern section

Fixes SSRF vulnerability where authenticated users could supply
file://, ftp://, or private IP URLs and the backend would fetch them.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

backend/app/services/blocklist_service.py

@@ -166,15 +166,24 @@ async def create_source(
 ) -> BlocklistSource:
     """Create a new blocklist source and return the persisted record.
 
+    Validates that the URL uses http/https and resolves to a public IP address.
+
     Args:
         db: Active application database connection.
         name: Human-readable display name.
-        url: URL of the blocklist text file.
+        url: URL of the blocklist text file (must be http/https and resolve to public IP).
         enabled: Whether the source is active.  Defaults to ``True``.
 
     Returns:
         The newly created :class:`~app.models.blocklist.BlocklistSource`.
+
+    Raises:
+        ValueError: If the URL fails SSRF validation.
     """
+    from app.utils.ip_utils import validate_blocklist_url
+
+    await validate_blocklist_url(url)
+
     new_id = await blocklist_repo.create_source(db, name, url, enabled=enabled)
     source = await get_source(db, new_id)
     assert source is not None  # noqa: S101
@@ -192,17 +201,27 @@ async def update_source(
 ) -> BlocklistSource | None:
     """Update fields on a blocklist source.
 
+    If url is provided, validates that it uses http/https and resolves to a public IP.
+
     Args:
         db: Active application database connection.
         source_id: Primary key of the source to modify.
         name: New display name, or ``None`` to leave unchanged.
-        url: New URL, or ``None`` to leave unchanged.
+        url: New URL, or ``None`` to leave unchanged (validated if provided).
         enabled: New enabled state, or ``None`` to leave unchanged.
 
     Returns:
         Updated :class:`~app.models.blocklist.BlocklistSource`, or ``None``
         if the source does not exist.
+
+    Raises:
+        ValueError: If the URL fails SSRF validation.
     """
+    if url is not None:
+        from app.utils.ip_utils import validate_blocklist_url
+
+        await validate_blocklist_url(url)
+
     updated = await blocklist_repo.update_source(
         db, source_id, name=name, url=url, enabled=enabled
     )