* MM-67372: Filter SVG images from OpenGraph metadata to prevent DoS
This commit adds server-side filtering of SVG images from OpenGraph
metadata to mitigate a DoS vulnerability where malicious SVG images
in og:image tags can crash Chromium-based browsers and Safari.
Changes:
- Add IsSVGImageURL() helper function in model package to detect SVG URLs
- Filter SVG images in parseOpenGraphMetadata() for regular HTML pages
- Filter SVG images in parseOpenGraphFromOEmbed() for oEmbed responses
- Add defense-in-depth filtering in TruncateOpenGraph() and getImagesForPost()
- Add comprehensive tests for all SVG filtering functionality
SVG detection is based on:
- File extension (.svg, .svgz) - case-insensitive
- MIME type (image/svg+xml)
Reference: https://issues.chromium.org/issues/40057345
* MM-67372: Filter SVG images from cache/DB and direct SVG URLs
This commit addresses remaining attack vectors for the SVG DoS vulnerability:
1. Cache/DB filtering: Apply TruncateOpenGraph when returning OpenGraph
from cache or database to filter stale data that was stored before
the initial fix was deployed.
2. Direct SVG URLs: Filter PostImage entries with Format="svg" to prevent
browser crashes when someone posts a direct link to an SVG file.
3. Embed creation: Skip creating image embeds for SVG images and create
link embeds instead.
4. New SVG detection: Return nil instead of creating PostImage when
fetching direct SVG URLs to prevent storing them in the database.
These changes ensure that even environments with pre-existing malicious
link metadata will be protected after a server restart.
* MM-67372: Fix test expectation for SVG image handling
* Removed duplicate logic in favor of already implemented FilterSVGImages in model
* Addressing PR comments
* Replacing exact match comparison with prefix check
* Added new test cases for unit tests
