Potential fix for code scanning alert no. 1: Incomplete URL substring sanitization#11

Closed
jonathansantilli wants to merge 1 commit into main from alert-autofix-1

Conversation

@jonathansantilli (Owner)

Potential fix for https://github.com/jonathansantilli/codegate/security/code-scanning/1

In general, to fix incomplete URL host checks, avoid substring or suffix checks like .includes() or .endsWith() on the raw hostname. Instead, compare the parsed hostname either for exact equality with a set of allowed hosts, or implement an explicit rule that only allows the target domain and its subdomains, where the subdomain constraint is enforced by checking that the hostname is either exactly the domain or ends with "." + domain.

In this specific case, we want to retain the logic that considers well-known Git hosting domains as “likely git sources” but avoid accepting arbitrary hosts that merely end with e.g. "github.com". The best approach is to replace each .endsWith("<domain>") check with a helper that returns true only if the hostname is exactly <domain> or is a subdomain of it (i.e., host === "github.com" or host.endsWith(".github.com")). This still treats api.github.com etc. as Git sources, but rejects github.com.evil.com and notgithub.com. We can implement this as a small local helper function inside isLikelyGitSource so as not to affect other code and avoid changing imports.

Concretely:

  • In isLikelyGitSource, introduce a host local derived from parsedUrl.hostname.toLowerCase().
  • Add a local function or inline logic that checks: host === "github.com" || host.endsWith(".github.com"), and similarly for the other domains.
  • Replace the existing parsedUrl.hostname.endsWith("...") expressions with these stricter checks.

No additional methods or external libraries are needed; all changes stay within src/layer2-static/detectors/plugin-manifest.ts and within the shown snippet.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

… sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@jonathansantilli jonathansantilli marked this pull request as ready for review March 7, 2026 20:41
@jonathansantilli jonathansantilli deleted the alert-autofix-1 branch March 7, 2026 20:58