Feature-221 : Gateway-Level Input Validation & Output Sanitization (#1536)

* added input security validation

Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com>

* testcases fixed

Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com>

* fixed config.py

Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com>

* added env vars and fixed validation code

Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com>

* remove input_validator.py file

Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com>

* fix: remove duplicate SecurityValidator import

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>

Author: nmveeresh

.env.example

@@ -155,6 +155,73 @@ JWT_AUDIENCE_VERIFICATION=true
 TOKEN_EXPIRY=10080
 REQUIRE_TOKEN_EXPIRATION=false
 
+#####################################
+# Security Validation & Sanitization
+#####################################
+
+# Enable experimental input validation and output sanitization
+# This implements gateway-level security controls to protect against:
+# - Path traversal attacks (../../../etc/passwd)
+# - Command injection (file.jpg; rm -rf /)
+# - SQL injection ('; DROP TABLE users; --)
+# - XSS attacks (<script>alert(1)</script>)
+# - Control character injection (\x1b[31m)
+#
+# Roll-out phases:
+# Phase 0: EXPERIMENTAL_VALIDATE_IO=false (disabled, default)
+# Phase 1: EXPERIMENTAL_VALIDATE_IO=true, VALIDATION_STRICT=false (log-only)
+# Phase 2: EXPERIMENTAL_VALIDATE_IO=true, VALIDATION_STRICT=true (enforce in staging)
+# Phase 3: Production deployment with all features enabled
+EXPERIMENTAL_VALIDATE_IO=true
+
+# Enable validation middleware for all requests
+# When enabled, validates all incoming request parameters and paths
+# Options: true, false (default)
+VALIDATION_MIDDLEWARE_ENABLED=true
+
+# Strict validation mode
+# Options:
+# - true: Reject requests with validation failures (422 status)
+# - false: Log warnings but allow requests (log-only mode)
+# Recommended: false for dev/staging, true for production
+VALIDATION_STRICT=true
+
+# Sanitize output to remove control characters
+# Removes ANSI escape sequences and C0/C1 control characters from responses
+# Preserves newlines (\n) and tabs (\t)
+# Options: true (default), false
+SANITIZE_OUTPUT=true
+
+# Allowed root paths for resource access
+# Restricts file system access to specific directories
+# Format: JSON array or comma-separated list
+# Examples:
+# - JSON: ["/srv/data", "/var/app/uploads"]
+# - CSV: /srv/data,/var/app/uploads
+# - Empty: [] (no restrictions, not recommended)
+# PRODUCTION: Always configure this to limit resource access
+ALLOWED_ROOTS=[]
+
+# Maximum allowed path depth
+# Prevents deeply nested path attacks
+# Default: 10 levels
+MAX_PATH_DEPTH=10
+
+# Maximum parameter length (characters)
+# Prevents buffer overflow and DoS attacks
+# Default: 10000 characters
+MAX_PARAM_LENGTH=10000
+
+# Regex patterns for dangerous input (JSON array)
+# Used to detect and block malicious input patterns
+# Default patterns:
+# 1. Shell metacharacters: [;&|`$(){}\[\]<>]
+# 2. Path traversal: \.\.[/\\]
+# 3. Control characters: [\x00-\x1f\x7f-\x9f]
+# 4. SQL injection: (drop|delete|insert|update|select)\s+(table|from|into|where)
+# Format: JSON array of regex patterns
+DANGEROUS_PATTERNS=["[;&|`$(){}\\[\\]<>]", "\\.\\.[/\\\\]", "[\\x00-\\x1f\\x7f-\\x9f]", "(?i)(drop|delete|insert|update|select)\\s+(table|from|into|where)"]
+
 #####################################
 # Email-Based Authentication
 #####################################