Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.
fix(security): block SSRF via send-test-email SMTP host validation (GHSA-vvxf-f8q9-86gh) (#41666)
## Description

**TL;DR:** The `POST /api/v1/admin/send-test-email` endpoint was vulnerable to SSRF (CWE-918) and error-based information disclosure (CWE-209). Attacker-controlled `smtpHost`/`smtpPort` were passed directly to JavaMail, bypassing the `WebClientUtils.IP_CHECK_FILTER` that only protects HTTP requests. This fix adds host validation and sanitizes error messages.

### Root Cause

`EnvManagerCEImpl.sendTestEmail()` accepted user-controlled SMTP host/port and established raw TCP connections via `JavaMailSenderImpl` without any IP validation. The existing `WebClientUtils.IP_CHECK_FILTER` only applies to Spring WebClient HTTP requests — a completely separate code path from JavaMail SMTP.

### Changes

1. **`WebClientUtils.validateHostNotDisallowed()`** — new reusable method that checks a hostname against the existing cloud-metadata denylist, resolves it via DNS, and rejects loopback, link-local, site-local, any-local, and multicast addresses.
2. **`EnvManagerCEImpl.sendTestEmail()`** — calls the new validation before connecting. Error messages from `MessagingException`/`MailException` are no longer returned verbatim to the caller, preventing error-based port scanning.
3. **Tests** — added parameterized tests in `WebClientUtilsTest` for blocked hosts (private ranges, metadata IPs, localhost, unresolvable) and allowed hosts (legitimate SMTP servers). Added SSRF regression tests in `EnvManagerTest`.

Fixes https://linear.app/appsmith/issue/APP-15034/ssrf-via-post-apiv1adminsend-test-email-javamail-bypasses-webclient-ip

Advisory: [GHSA-vvxf-f8q9-86gh](https://github.com/appsmithorg/appsmith/security/advisories/GHSA-vvxf-f8q9-86gh)

## Automation

/ok-to-test tags="@tag.All"

### :mag: Cypress test results

> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run: <https://github.com/appsmithorg/appsmith/actions/runs/23764710161>
> Commit: ead902522adcef370125b3c433f2cc24f1363cc6
> [Cypress dashboard](https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=23764710161&attempt=1).
> Tags: `@tag.All`
> Spec:
>
> Mon, 30 Mar 2026 21:09:27 UTC

## Communication

Should the DevRel and Marketing teams inform users about this change?

- [ ] Yes
- [x] No

## Summary by CodeRabbit

* **New Features**
  * Added outbound SMTP host validation and resolution to block disallowed, private, loopback, link-local, multicast, and unresolvable hosts; connections use resolved addresses.
  * Enforced an allowed SMTP-port list and adjusted TLS/SSL behavior for secure port handling.
* **Bug Fixes**
  * Fail-fast for invalid SMTP configuration and unified, non-sensitive error messaging on connection/send failures.
* **Tests**
  * Expanded tests covering blocked/allowed hosts, null/empty input, unresolvable hosts, and disallowed ports.
subratadeypappu committed
c4c93037dd6efcccc383bb5bc765d0c560ebc006
Parent: 46280e3
Committed by GitHub <noreply@github.com>
on 3/31/2026, 6:05:04 AM
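The host and port checks the commit describes (denylist lookup, DNS resolution, rejection of non-public address classes, connecting to the resolved address, and a generic error returned to the caller), as an added illustration that is not Appsmith's own code. The `SmtpHostValidator` class, the denylist entries and the port allowlist are assumptions; the real lists are not shown on this page.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Set;

// Added example mirroring the fix described above; not the project's code.
public final class SmtpHostValidator {

    // Constructed stand-in for the project's cloud-metadata denylist.
    private static final Set<String> DISALLOWED_HOSTS =
            Set.of("169.254.169.254", "metadata.google.internal", "metadata");

    // Assumed SMTP port allowlist; the commit enforces one but does not list it here.
    private static final Set<Integer> ALLOWED_PORTS = Set.of(25, 465, 587, 2525);

    private SmtpHostValidator() {}

    /** Rejects blank, denylisted, unresolvable or non-public hosts; returns the address to connect to. */
    public static InetAddress validateHostNotDisallowed(String host) {
        if (host == null || host.isBlank()) {
            throw new IllegalArgumentException("SMTP host must not be empty");
        }
        String normalized = host.trim().toLowerCase();
        if (DISALLOWED_HOSTS.contains(normalized)) {
            throw new IllegalArgumentException("SMTP host is not allowed");
        }
        InetAddress[] resolved;
        try {
            resolved = InetAddress.getAllByName(normalized);
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("SMTP host could not be resolved");
        }
        // Check every address: a name may map to one public and one internal address.
        for (InetAddress addr : resolved) {
            if (addr.isLoopbackAddress() || addr.isLinkLocalAddress() || addr.isSiteLocalAddress()
                    || addr.isAnyLocalAddress() || addr.isMulticastAddress()) {
                throw new IllegalArgumentException("SMTP host resolves to a non-public address");
            }
        }
        // Caller connects to this address, not to the name, so a second lookup cannot differ.
        return resolved[0];
    }

    public static void validatePort(int port) {
        if (!ALLOWED_PORTS.contains(port)) {
            throw new IllegalArgumentException("SMTP port is not allowed");
        }
    }

    /** Caller side: validate first, then hide transport errors behind one generic message. */
    public static String sendTestEmail(String host, int port, Runnable send) {
        validatePort(port);
        validateHostNotDisallowed(host);
        try {
            send.run();
            return "Test email sent";
        } catch (RuntimeException transportFailure) {
            return "Could not connect to the SMTP server"; // never echo the exception text
        }
    }
}
```

The generic message in `sendTestEmail` is what removes the oracle: refused, timed-out and wrong-protocol failures all look the same to the caller.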