LOC-6727: validate source URL host before binary download

rounak610 · claude · rounak610 · commit 8936933b70ed · 2026-06-09T20:23:56.000+05:30
Mirror the host allowlist added in the Java and Python bindings
(browserstack-local-java#99, browserstack-local-python#62). Refuse
download endpoints that aren't HTTPS or whose host isn't
browserstack.com / *.browserstack.com.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/lib/fetchDownloadSourceUrl.js b/lib/fetchDownloadSourceUrl.js
@@ -1,7 +1,7 @@
 const https = require('https'),
   fs = require('fs'),
   HttpsProxyAgent = require('https-proxy-agent'),
-  { isUndefined } = require('./util');
+  { isUndefined, validateSourceUrl } = require('./util');
 
 const authToken = process.argv[2], bsHost = process.argv[3], proxyHost = process.argv[6], proxyPort = process.argv[7], useCaCertificate = process.argv[8], downloadFallback = process.argv[4], downloadErrorMessage = process.argv[5];
 
@@ -45,7 +45,7 @@ const req = https.request(options, res => {
       if(reqBody.error) {
         throw reqBody.error;
       }
-      console.log(reqBody.data.endpoint);
+      console.log(validateSourceUrl(reqBody.data.endpoint));
     } catch (e) {
       console.error(e);
     }
diff --git a/lib/fetchDownloadSourceUrlAsync.js b/lib/fetchDownloadSourceUrlAsync.js
@@ -1,7 +1,7 @@
 const https = require('https'),
   fs = require('fs'),
   HttpsProxyAgent = require('https-proxy-agent'),
-  { isUndefined } = require('./util'),
+  { isUndefined, validateSourceUrl } = require('./util'),
   version = require('../package.json').version;
 
 const packageName = 'browserstack-local-nodejs';
@@ -48,7 +48,7 @@ function fetchDownloadSourceUrlAsync(authToken, bsHost, downloadFallback, downlo
         if(reqBody.error) {
           throw reqBody.error;
         }
-        callback(null, reqBody.data.endpoint);
+        callback(null, validateSourceUrl(reqBody.data.endpoint));
       } catch (e) {
         console.error(e);
         callback(e);
diff --git a/lib/util.js b/lib/util.js
@@ -1 +1,30 @@
+const url = require('url');
+
 module.exports.isUndefined = value => (value === undefined || value === null || value === 'undefined');
+
+const ALLOWED_DOWNLOAD_HOSTS = ['browserstack.com'];
+const ALLOWED_DOWNLOAD_HOST_SUFFIXES = ['.browserstack.com'];
+
+module.exports.validateSourceUrl = function(sourceUrl) {
+  if (!sourceUrl || typeof sourceUrl !== 'string') {
+    throw new Error('Refusing binary download: empty source URL');
+  }
+  let parsed;
+  try {
+    parsed = new url.URL(sourceUrl);
+  } catch (e) {
+    throw new Error('Refusing binary download: malformed source URL');
+  }
+  if (parsed.protocol !== 'https:') {
+    throw new Error('Refusing binary download from non-HTTPS source URL');
+  }
+  const host = (parsed.hostname || '').toLowerCase();
+  if (!host) {
+    throw new Error('Refusing binary download: source URL has no host');
+  }
+  if (ALLOWED_DOWNLOAD_HOSTS.indexOf(host) !== -1) return sourceUrl;
+  for (const suffix of ALLOWED_DOWNLOAD_HOST_SUFFIXES) {
+    if (host.endsWith(suffix)) return sourceUrl;
+  }
+  throw new Error("Refusing binary download: host '" + host + "' is not in the allowed host list");
+};
