Lack of URL Validation in avatarUrl at /v4/profile
Medium
Vulnerability Details
## Summary
The endpoint `profile4-noneu.truecaller.com/v4/profile` currently validates the `avatarUrl` parameter, but the check can easily be bypassed by crafting a fake URL that appends a valid truecallerstatic URL after a `#` sign (e.g. `https:\/\/evil.com/evil.svg#images-noneu.truecallerstatic.com\/myview\/1\/a033e33df60f303e64bd5ef0ee3b1a87\/3`).
- At the moment, this endpoint only checks that the URL starts with `https` and contains the string `images-noneu.truecallerstatic.com` somewhere in the text
This lack of validation exposes the application to several security risks, including but not limited to Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), and potential data exfiltration.
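To make the weak check concrete, the following is an added example (not Truecaller's code) that reproduces the prefix-plus-substring validation the report describes beside a parser-based check that compares the scheme and host exactly; the function names, the allowed-host constant and the sample URLs are assumptions constructed for the example.

```python
from urllib.parse import urlparse

ALLOWED_HOST = "images-noneu.truecallerstatic.com"

# Constructed inputs: the report's bypass value (with the JSON escaping removed)
# and a well-formed avatar URL on the allowed host.
BYPASS_URL = ("https://evil.com/evil.svg#images-noneu.truecallerstatic.com"
              "/myview/1/a033e33df60f303e64bd5ef0ee3b1a87/3")
VALID_URL = ("https://images-noneu.truecallerstatic.com"
             "/myview/1/a033e33df60f303e64bd5ef0ee3b1a87/3")


def weak_avatar_check(url: str) -> bool:
    """The check the report describes: an 'https' prefix plus a substring match.

    The fragment is part of the raw string, so the allowed host name placed
    after '#' satisfies the substring test although the host is evil.com.
    """
    return url.startswith("https") and ALLOWED_HOST in url


def strict_avatar_check(url: str) -> bool:
    """Hypothetical fix: parse the URL and compare scheme and host exactly.

    Only the parsed host is compared, so text in the fragment, path, query or
    userinfo ('allowed-host@evil.com') cannot satisfy the check.
    """
    try:
        parts = urlparse(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if parts.hostname is None or parts.hostname.lower() != ALLOWED_HOST:
        return False
    if parts.fragment or port not in (None, 443):
        return False
    return True


if __name__ == "__main__":
    for u in (BYPASS_URL, VALID_URL):
        print(f"weak={weak_avatar_check(u)!s:5} "
              f"strict={strict_avatar_check(u)!s:5} {u}")
```

The strict check only decides whether the host is the expected one; it does not replace server-side checks on the fetched content (type, size) that the Impact section also calls for.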
## Steps to Reproduce
1. Using the mobile app, go to the profile edit page, upload a new image and intercept the profile update request.
1. Use the valid URL generated during the image upload to craft a fake one pointing to a domain of your own.
{F3252025}
1. Search for your number in the mobile app or in the web application and check whether the update has been reflected in the request.
{F3252043}
## Impact
## Summary:
This issue exposes the application to a lot of potential vulnerabilities. For example:
- By embedding a malicious SVG file containing a script tag as the avatar URL, an attacker can execute Cross-Site Scripting (XSS) attacks, potentially compromising sensitive user data and hijacking sessions.
- Because there is no size validation, an attacker can set excessively large files as avatars, crashing the client for every user who views their profile and causing widespread disruption and service downtime.
- The lack of URL validation also opens avenues for Cross-Site Request Forgery (CSRF) attacks, enabling adversaries to manipulate user sessions, execute unauthorized actions, and compromise the integrity of the application's functionality and data.
Report Stats
- Report ID: 2493860
- State: Closed
- Substate: resolved
- Upvotes: 12