fix(files): guard resolveSimFileUrl against cross-origin URL hijacking

Author: waleedlatif1

apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/preview-panel.tsx

@@ -334,8 +334,11 @@ const MermaidDiagram = memo(function MermaidDiagram({ definition }: { definition
 function resolveSimFileUrl(src: string | undefined): string | undefined {
   if (!src) return src
   try {
-    const { pathname } = new URL(src, 'http://placeholder')
-    const [, seg1, , seg3, fileId] = pathname.split('/')
+    const parsed = new URL(src, 'http://placeholder')
+    const isRelative = parsed.origin === 'http://placeholder'
+    const isSameOrigin = typeof window !== 'undefined' && parsed.origin === window.location.origin
+    if (!isRelative && !isSameOrigin) return src
+    const [, seg1, , seg3, fileId] = parsed.pathname.split('/')
     if (seg1 === 'workspace' && seg3 === 'files' && fileId) {
       return `/api/files/view/${fileId}`
     }