LOC-6727: validate source URL host before binary download

Mirror the host allowlist added in the Java and Python bindings
(browserstack-local-java#99, browserstack-local-python#62). Refuse
download endpoints that aren't HTTPS or whose host isn't
browserstack.com / *.browserstack.com.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: rounak610

BrowserStackLocal/BrowserStackLocal/BrowserStackTunnel.cs

@@ -21,6 +21,9 @@ public enum LocalState { Idle, Connecting, Connected, Error, Disconnected };
 
   public class BrowserStackTunnel : IDisposable
   {
+    private static readonly string[] AllowedDownloadHosts = new string[] { "browserstack.com" };
+    private static readonly string[] AllowedDownloadHostSuffixes = new string[] { ".browserstack.com" };
+
     static readonly string uname = Util.GetUName();
     static readonly string binaryName = GetBinaryName();
 
@@ -229,11 +232,43 @@ private string fetchSourceUrl(string accessKey)
           throw new Exception((string)jsonResponse["error"]);
         }
 
-        sourceUrl = jsonResponse["data"]?["endpoint"]?.ToString();
+        sourceUrl = ValidateSourceUrl(jsonResponse["data"]?["endpoint"]?.ToString());
         return sourceUrl;
       }
     }
 
+    private static string ValidateSourceUrl(string url)
+    {
+      if (string.IsNullOrEmpty(url))
+      {
+        throw new Exception("Refusing binary download: empty source URL");
+      }
+      Uri parsed;
+      if (!Uri.TryCreate(url, UriKind.Absolute, out parsed))
+      {
+        throw new Exception("Refusing binary download: malformed source URL");
+      }
+      if (!string.Equals(parsed.Scheme, "https", StringComparison.OrdinalIgnoreCase))
+      {
+        throw new Exception("Refusing binary download from non-HTTPS source URL");
+      }
+      string host = parsed.Host;
+      if (string.IsNullOrEmpty(host))
+      {
+        throw new Exception("Refusing binary download: source URL has no host");
+      }
+      host = host.ToLowerInvariant();
+      foreach (var allowed in AllowedDownloadHosts)
+      {
+        if (host.Equals(allowed)) return url;
+      }
+      foreach (var suffix in AllowedDownloadHostSuffixes)
+      {
+        if (host.EndsWith(suffix)) return url;
+      }
+      throw new Exception("Refusing binary download: host '" + host + "' is not in the allowed host list");
+    }
+
     public void downloadBinary()
     {
       string binaryDirectory = Path.Combine(this.binaryAbsolute, "..");