add test ensuring non-workflow SVGs aren't allowed

Author: ItsMajestiX

src/test/package.test.ts

@@ -1625,6 +1625,15 @@ describe('MarkdownProcessor', () => {
 		assert(file);
 	});
 
+	it('should prevent SVG from a GitHub repo in image tag', async() => {
+		const manifest = { name: 'test', publisher: 'mocha', version: '0.0.1', engines: Object.create(null), repository: 'https://github.com/username/repository' };
+		const contents = `![title](https://github.com/eviluser/evilrepo/blob/master/malicious.svg)`;
+		const processor = new ReadmeProcessor(manifest, {});
+		const readme = { path: 'extension/readme.md', contents };
+
+		await throws(() => processor.onFile(readme));
+	});
+
 	it('should prevent SVGs from not trusted sources in img tags', async () => {
 		const manifest = { name: 'test', publisher: 'mocha', version: '0.0.1', engines: Object.create(null), repository: 'https://github.com/username/repository' };
 		const contents = `<img src="https://foo/hello.svg" />`;