LOC-6727: validate source URL host before binary download

Mirror the host allowlist added in the Java and Python bindings
(browserstack-local-java#99, browserstack-local-python#62). Refuse
download endpoints that aren't HTTPS or whose host isn't
browserstack.com / *.browserstack.com.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: rounak610

lib/browserstack/fetch_download_source_url.rb

@@ -8,6 +8,29 @@ module BrowserStack
   module FetchDownloadSourceUrl
     BS_HOST = 'local.browserstack.com'.freeze
     ENDPOINT_PATH = '/binary/api/v1/endpoint'.freeze
+    ALLOWED_DOWNLOAD_HOSTS = ['browserstack.com'].freeze
+    ALLOWED_DOWNLOAD_HOST_SUFFIXES = ['.browserstack.com'].freeze
+
+    def self.validate_source_url(url)
+      if url.nil? || url.to_s.empty?
+        raise BrowserStack::LocalException.new('Refusing binary download: empty source URL')
+      end
+      uri = begin
+        URI.parse(url)
+      rescue URI::InvalidURIError
+        raise BrowserStack::LocalException.new('Refusing binary download: malformed source URL')
+      end
+      unless uri.scheme == 'https'
+        raise BrowserStack::LocalException.new('Refusing binary download from non-HTTPS source URL')
+      end
+      host = (uri.host || '').downcase
+      if host.empty?
+        raise BrowserStack::LocalException.new('Refusing binary download: source URL has no host')
+      end
+      return url if ALLOWED_DOWNLOAD_HOSTS.include?(host)
+      return url if ALLOWED_DOWNLOAD_HOST_SUFFIXES.any? { |suffix| host.end_with?(suffix) }
+      raise BrowserStack::LocalException.new("Refusing binary download: host '#{host}' is not in the allowed host list")
+    end
 
     def self.call(auth_token:, user_agent:, fallback: false, error_message: nil,
                   proxy_host: nil, proxy_port: nil)
@@ -57,7 +80,7 @@ def self.call(auth_token:, user_agent:, fallback: false, error_message: nil,
         )
       end
 
-      endpoint
+      validate_source_url(endpoint)
     end
   end
 end