Add comment explaining each guard in validateSourceUrl

rounak610 · claude · rounak610 · commit e9d41cac623a · 2026-06-10T13:34:19.000+05:30
Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/lib/util.js b/lib/util.js
@@ -5,6 +5,11 @@ module.exports.isUndefined = value => (value === undefined || value === null ||
 const ALLOWED_DOWNLOAD_HOSTS = ['browserstack.com'];
 const ALLOWED_DOWNLOAD_HOST_SUFFIXES = ['.browserstack.com'];
 
+// Each guard below covers a case the final host-equals check does not:
+//   - empty/non-string URL: new url.URL(null) throws TypeError; explicit guard returns a clean message.
+//   - URL constructor catch: convert TypeError on malformed input into our own Error.
+//   - HTTPS check: allowlist matches host only; without this, http://browserstack.com would pass.
+//   - null/empty hostname: URL constructor accepts forms like https:///foo where hostname is empty; give a clear error.
 module.exports.validateSourceUrl = function(sourceUrl) {
   if (!sourceUrl || typeof sourceUrl !== 'string') {
     throw new Error('Refusing binary download: empty source URL');
