fix: sanitize openresty include filenames to prevent eval injection

Add defense-in-depth sanitization for OpenResty include files to prevent
OS command injection via malicious filenames that break shell quoting in eval.

- Add filename validation in core-post-extract using regex [^a-zA-Z0-9_.-]
- Validate both http-includes and location-includes paths
- Abort deploy via dokku_log_fail on unsafe filenames
- Skip non-regular files (symlinks, directories) during extraction
- Add security regression test with unsafe filename containing space
- Keep existing guards in docker-args-process-deploy as belt-and-suspenders
- Update documentation to clarify allowed filename characters

Addresses CVSS 9.9 vulnerability where filenames like poc'$(cmd)'x.conf
could escape shell quoting and execute arbitrary commands during deploy.
Jose Diaz-Gonzalez
2026-05-09 12:20:50 -04:00
parent 2974830e8f
commit a70728f61e
4 changed files with 97 additions and 2 deletions
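The check the commit message describes, written out as an added shell example (this is not dokku's own code and not part of this commit): an allowlist test on the include basename using the same character class, `[^a-zA-Z0-9_.-]`, plus a directory walk that skips symlinks and non-regular files and reports unsafe names so the caller can abort the deploy. The function names, the error text and the sample directory layout used in the comments are assumptions for this illustration; no filename is ever passed to eval.

```shell
#!/usr/bin/env bash
# Added example, not dokku's own code. Demonstrates the allowlist validation
# described in the commit message for OpenResty include files.

# Return 0 when the basename of "$1" contains only [a-zA-Z0-9_.-], else 1.
openresty_include_name_is_safe() {
  name="$(basename -- "$1")"
  # '.' and '..' consist of allowed characters but are never valid includes.
  case "$name" in ''|.|..) return 1 ;; esac
  # printf instead of echo: echo would treat a leading '-' as an option.
  printf '%s' "$name" | LC_ALL=C grep -Eq '^[a-zA-Z0-9_.-]+$'
}

# Print the *.conf files in "$1" that are regular, non-symlinked files with a
# safe name. Any unsafe name is reported on stderr and the function returns 1,
# which is where a deploy hook would call its fatal-error helper
# (dokku_log_fail in the commit) instead of continuing.
collect_openresty_includes() {
  dir="$1"
  rc=0
  for f in "$dir"/*.conf; do
    [ -e "$f" ] || continue             # glob matched nothing
    if [ ! -f "$f" ] || [ -L "$f" ]; then
      continue                          # skip directories, symlinks, devices
    fi
    if openresty_include_name_is_safe "$f"; then
      printf '%s\n' "$f"
    else
      printf 'unsafe include filename, aborting: %s\n' \
        "$(basename -- "$f")" >&2
      rc=1
    fi
  done
  return $rc
}

# Usage (hypothetical path): collect_openresty_includes /app/openresty/http-includes
```

The walk never interpolates a filename into a command string; the name only reaches `printf` and `grep`, so even a name containing quotes or `$(...)` is just data that fails the allowlist.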

@@ -124,6 +124,8 @@ The following folders within an app repository may have `*.conf` files that will
- `openresty/http-includes/`: Injected in the `server` block serving http(s) requests for the app.
- `openresty/http-location-includes/`: Injected in the `location` block that proxies to the app in the app's respective `server` block.
Custom snippets filenames may only include alphanumeric, underscore, and dot characters. For security reasons, filenames that contain other characters will be ignored.
### Label Management
The OpenResty plugin allows you to add custom container labels to apps. These labels are injected into containers during deployment and can be used to configure OpenResty behavior beyond what the plugin provides by default.
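Review bot: the added documentation sentence does not match the behaviour the commit message describes. The validation regex `[^a-zA-Z0-9_.-]` also permits hyphens, which the sentence "Custom snippets filenames may only include alphanumeric, underscore, and dot characters" omits, and unsafe filenames abort the deploy via dokku_log_fail rather than being "ignored" as the second sentence states. Suggest: "Custom snippet filenames may only contain alphanumeric characters, underscores, dots, and hyphens. For security reasons, a deploy will fail if an include filename contains any other character." ("snippets filenames" should also read "snippet filenames".)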