GHSA-gprh-27j3-g5h4
NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL
Details
### Summary

The spreadsheet-fetch endpoint (`axiosRequestMake`) accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted `127.0.0.0/8` and `169.254.0.0/16`, allowing the cloud-metadata endpoint to be reached with a crafted URL.

### Details

The extension matcher is now anchored to the end of the path or immediately before the query string (`/\.(xls|xlsx|xlsm|ods|ots)(\?|$)/i` and `/\.(csv)(\?|$)/i`), so `http://169.254.169.254/credentials/.xlsx` no longer satisfies the format gate. The hand-rolled IP blocklist is removed in favour of `useAgent(url)` from `request-filtering-agent`, which blocks private and loopback ranges at the socket layer.

### Impact

Authenticated users with editor permission could read cloud metadata and other internal HTTP endpoints reachable from the NocoDB process. On affected installs the spreadsheet import path was a credential-exfiltration primitive on cloud hosts.

### Credit

This issue was reported by Devel Group Security Research Team through [@TREXNEGRO](https://github.com/TREXNEGRO). It was independently reported by [@l3tchupkt](https://github.com/l3tchupkt).
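As an added illustration (not NocoDB's code), here are the two layers the fix relies on, written as plain functions: the anchored extension gate quoted above, and an address check that stands in for the socket-layer filter `request-filtering-agent` provides. The pre-fix regex shape, the constructed sample URLs and the `isFetchAllowed` wrapper are assumptions; the real fix checks the resolved socket address, which a hostname string check cannot do.

```javascript
// Added example, not NocoDB's own code. Regexes below are the ones quoted in the advisory;
// the unanchored form is an assumed reconstruction of the pre-fix behaviour.
const ANCHORED_SHEET = /\.(xls|xlsx|xlsm|ods|ots)(\?|$)/i;
const ANCHORED_CSV = /\.(csv)(\?|$)/i;
const UNANCHORED_SHEET = /\.(xls|xlsx|xlsm|ods|ots)/i; // assumed pre-fix shape

// Pre-fix gate: a permitted extension anywhere in the string passes.
function legacyFormatGate(url) { return UNANCHORED_SHEET.test(url); }
// Fixed gate: the extension must end the path or sit right before the query string.
function formatGate(url) { return ANCHORED_SHEET.test(url) || ANCHORED_CSV.test(url); }

// Illustrative address check covering the ranges the old blocklist missed (127/8, 169.254/16)
// plus RFC 1918. request-filtering-agent applies this on the *resolved* address at connect
// time, so it also catches public names that resolve to private IPs and handles IPv6; this
// string check does neither and is for demonstration only.
const BLOCKED_CIDRS = ['127.0.0.0/8', '169.254.0.0/16', '10.0.0.0/8',
  '172.16.0.0/12', '192.168.0.0/16', '0.0.0.0/8'];

function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const ipN = ipv4ToInt(ip), baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null) return false;
  const mask = bits === '0' ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipN & mask) >>> 0) === ((baseN & mask) >>> 0);
}

function isBlockedHost(hostname) {
  return hostname === 'localhost' || BLOCKED_CIDRS.some((c) => inCidr(hostname, c));
}

// Combined policy (assumed wrapper): scheme, extension gate, then address check.
function isFetchAllowed(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  if (!['http:', 'https:'].includes(u.protocol)) return false;
  if (!formatGate(url)) return false;
  return !isBlockedHost(u.hostname);
}
```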
Affected packages

nocodb (npm): no fixed version published yet. Pin to a known-safe version or switch to an alternative.