Router: Add option to check unknown payload for prototype pollution

[flash1293]

It's required to define a validation schema for each route added via core router, with an option to allow unknown keys. In theory it makes sense for all routes to use strict validation schemes. But that's not always possible (e.g. when piping through Elasticsearch dsl) - for these cases there's no protection at all at the moment for prototype pollution. It would be helpful to introduce a new option as part of @kbn/config-schema:
schema.object({}, { unknowns: 'allowSafe' })

This would do the recursive check for prototype pollution keys, failing the validation when encountering them. It's somewhere between the security of an actual schema and an unknown object payload.

This could be used by TSVB: #78908

[elasticmachine]

Pinging @elastic/kibana-platform (Team:Platform)

[pgayvallet]

We did, at some point, some preliminary work to allow that kind of 'security' checks to be performed by default on all routes

kibana/src/core/server/http/router/validator/validator.ts

Lines 224 to 232 in f593455

	private safetyPrechecks<T>(data: T, namespace?: string): T {
	// We can add any pre-validation safety logic in here
	return data;
	}
	private safetyPostchecks<T>(data: T, namespace?: string): T {
	// We can add any post-validation safety logic in here
	return data;
	}

Even if no-op for now, these validations are enabled by default, and must manually be opted out, via

  router.post(
    {
      path: '/somewhere',
      validate: {
        body: schema.object(
          {},
          { unknowns: 'allow' }
        ),
        unsafe: {
          body: true,
        },
      },
    },

We should add prototype pollution guard here.

cc @elastic/kibana-security

[watson]

This is a possible duplicate of #49608 and #49609

[pgayvallet]

It sure is a dupe of #49609. Closing.