Verified Commit 77758916 authored by Pascal Ernster
Restrict thumbnail creation to safe file formats

Override Hyrax "create_derivatives" method to restrict "derivatives"/
thumbnail creation to safe file formats. Instead of trying to create
thumbnails for "everything and the kitchen sink", only create
thumbnails for file formats/MIME types that the ImageMagick
developers consider "web-safe":
- GIF
- JPEG
- PNG

For details on what ImageMagick considers "web-safe", see here:
https://imagemagick.org/script/security-policy.php

Also, don't generate derivatives at all for non-image formats, because
those are even worse from a security standpoint. For example, audio and
video files would otherwise be fed into ffmpeg, and document/office
files would be fed into LibreOffice. Neither ffmpeg nor LibreOffice can
be considered anywhere near safe enough to read/parse/convert any files
inside a web application.
parent b770d2c3
Pipeline #13977 failed
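The commit message restricts thumbnail generation to a MIME-type allowlist. The following Ruby is an added example, not code from this commit or from Hyrax, showing the same gate with one defender-side extension the commit does not include: the declared MIME type is normalized and checked against the allowlist, and the first bytes of the file are then compared against the format's magic header, so a PostScript or PDF payload that was merely renamed to `.jpg` is not handed to ImageMagick. `ThumbnailGate`, `decide`, the header table and all sample blobs are constructed for this example; `image/jpg` is kept as a tolerated alias because the commit's own list includes it.

```ruby
# Added example (not part of the commit or of Hyrax): decide whether a
# thumbnail may be generated from a file, based on both its declared MIME
# type and its leading bytes. All names and sample data are constructed here.
module ThumbnailGate
  # The "web-safe" set from the commit message. "image/jpg" is a widespread
  # non-standard alias of "image/jpeg" and is accepted as such.
  SAFE_MIME_TYPES = {
    "image/gif"  => :gif,
    "image/jpeg" => :jpeg,
    "image/jpg"  => :jpeg,
    "image/png"  => :png
  }.freeze

  # Magic headers of the permitted formats (assumption: a header check is a
  # sufficient sanity test that the content matches the declared type).
  MAGIC = {
    gif:  ["GIF87a".b, "GIF89a".b],
    jpeg: ["\xFF\xD8\xFF".b],
    png:  ["\x89PNG\r\n\x1A\n".b]
  }.freeze

  # "Image/PNG; charset=binary" -> "image/png"; nil or "" -> ""
  def self.normalize(mime_type)
    mime_type.to_s.split(";").first.to_s.strip.downcase
  end

  # Returns [:image, format] when a thumbnail may be built, otherwise
  # [:skip, reason]. Anything not on the allowlist (PDF, office documents,
  # audio, video, unknown) is skipped rather than routed to a converter.
  def self.decide(mime_type, head_bytes)
    type = normalize(mime_type)
    format = SAFE_MIME_TYPES[type]
    return [:skip, "#{type.empty? ? '(none)' : type} not in allowlist"] unless format

    head = head_bytes.to_s.b
    unless MAGIC[format].any? { |magic| head.start_with?(magic) }
      return [:skip, "content does not look like #{format}"]
    end

    [:image, format]
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: declared MIME type => first bytes of the file.
  samples = {
    "image/png"       => "\x89PNG\r\n\x1A\n\0\0\0\rIHDR".b, # genuine PNG header
    "image/jpeg"      => "%!PS-Adobe-3.0\n".b,             # PostScript renamed to .jpg
    "application/pdf" => "%PDF-1.7\n".b,                   # documents are never thumbnailed
    "video/mp4"       => "\0\0\0\x18ftypmp42".b            # would otherwise reach ffmpeg
  }
  samples.each { |mime, bytes| p [mime, ThumbnailGate.decide(mime, bytes)] }
end
```

The declared type decides which header table applies; the header check then catches the mismatch case. Only files that pass both checks are worth passing to the image derivative builder, and the skip reason is suitable for a log line when investigating why a thumbnail is missing.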
# Override Hyrax::FileSetDerivativesService.create_derivatives method to only create derivatives/thumbnails for safe file formats.
# https://github.com/samvera/hyrax/blob/hyrax-v3.5.0/app/services/hyrax/file_set_derivatives_service.rb#L32
Rails.configuration.to_prepare do
Hyrax.module_eval do
class_methods do
def create_derivatives(filename)
case mime_type
when *["image/gif", "image/jpeg", "image/jpg", "image/png"] then create_image_derivatives(filename)
end
end
end
end
end
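Review bot: the override never reaches `Hyrax::FileSetDerivativesService`, so the original `create_derivatives` keeps running and still routes PDFs, office documents, audio and video to their derivative builders. The block does `Hyrax.module_eval do` / `class_methods do` / `def create_derivatives(filename)`, which at best defines a class-level method on the `Hyrax` module (`class_methods` is the ActiveSupport::Concern DSL, which a plain module does not respond to unless it extends the concern, in which case boot fails with NoMethodError instead), whereas the method named in the linked `file_set_derivatives_service.rb#L32` is an instance method of `Hyrax::FileSetDerivativesService` that relies on the instance helpers `mime_type` and `create_image_derivatives`. Suggested shape: `Hyrax::FileSetDerivativesService.class_eval do` / `def create_derivatives(filename)` / `case mime_type when "image/gif", "image/jpeg", "image/jpg", "image/png" then create_image_derivatives(filename) end`, keeping `to_prepare` so the patch survives code reloading. The `when *[...]` splat is unnecessary; listing the literals after `when` is the idiomatic form, and an `else` branch that logs the skipped MIME type would make the silent no-op visible in the derivative logs.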
<policymap>
<policy domain="delegate" rights="none" pattern="*" />
<policy domain="module" rights="none" pattern="*" />
<policy domain="module" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
<policy domain="module" rights="read | write" pattern="{GIF,JPEG,PNG}" />
<policy domain="coder" rights="write" pattern="{MSVG,MVG,PDF,PS,PS2,PS3,XPS}" />
<!-- <policy domain="resource" name="list-length" value="1"/> -->
<policy domain="module" rights="none" pattern="{PS,PDF,XPS}"/>
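Review bot: the two `module` allow rules with and without WEBP sit back to back (`pattern="{GIF,JPEG,PNG,WEBP}"` and `pattern="{GIF,JPEG,PNG}"`); with the `+`/`-` markers lost in this rendering, confirm that the WEBP variant is the removed line, because if both remain the first rule still grants WEBP read and write and the policy no longer matches the GIF/JPEG/PNG allowlist that the commit message and the Ruby override describe. Separately, `<policy domain="coder" rights="write" pattern="{MSVG,MVG,PDF,PS,PS2,PS3,XPS}" />` keeps write rights for those coders; if the intent is to confine ImageMagick to the three image formats, `rights="none"` there is consistent with the `delegate` and `module` deny-all lines above it, and a one-line comment stating why the `list-length` resource limit is left commented out would help the next reader of this file.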