fix(security): restrict download URL override to HTTPS only

F-008 / DEVA11Y-479 — parseOverride() accepted file:// URLs and bare
paths (CWE-918), enabling SSRF and local-file exfiltration via bsdtar.
Restrict to HTTPS-only to prevent local file access.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: sunny-se

Plugins/BrowserStackAccessibilityLint/BrowserStackAccessibilityLint.swift

@@ -100,10 +100,13 @@ private func parseOverride(urlString: String?) throws -> URL? {
     guard let urlString = urlString, !urlString.isEmpty else {
         return nil
     }
-    if let url = URL(string: urlString), let scheme = url.scheme, ["http", "https", "file"].contains(scheme.lowercased()) {
-        return url
+    guard let url = URL(string: urlString), let scheme = url.scheme else {
+        throw PluginError("Invalid download URL: \(urlString). Only HTTPS URLs are supported.")
+    }
+    guard scheme.lowercased() == "https" else {
+        throw PluginError("Unsupported URL scheme '\(scheme)' in download URL. Only HTTPS is allowed.")
     }
-    return URL(fileURLWithPath: urlString)
+    return url
 }
 
 private func sanitizeArguments(_ arguments: [String]) -> [String] {