From ca6f34518e459979f0481467191ea8551d150ba1 Mon Sep 17 00:00:00 2001
From: gmegidish
Date: Mon, 27 Apr 2026 19:30:41 +0200
Subject: [PATCH] fix: validate artifact host for upload and download to address codeql ssrf alerts use url.Hostname() (which codeql recognizes as a sanitizer) instead of url.Host, extract the artifacts host into a constant, and apply the same exact-host check to downloadFile that uploadFileToURL already had. closes codeql alerts #17 and #19.
---
 devices/remote.go | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/devices/remote.go b/devices/remote.go
index fcd2956..aff581d 100644
--- a/devices/remote.go
+++ b/devices/remote.go
@@ -19,6 +19,8 @@ import (
 "github.com/mobile-next/mobilecli/utils"
 )
+const artifactsHost = "mobilenexthq-artifacts.s3.us-west-2.amazonaws.com"
+
 type params map[string]any
 type RemoteDevice struct {
@@ -229,8 +231,8 @@ func uploadFileToURL(filePath, uploadURL string) error {
 if err != nil {
 return fmt.Errorf("invalid upload URL: %w", err)
 }
- if u.Scheme != "https" || u.Host != "mobilenexthq-artifacts.s3.us-west-2.amazonaws.com" {
- return fmt.Errorf("upload URL must be https://mobilenexthq-artifacts.s3.us-west-2.amazonaws.com/..., got: %s", uploadURL)
+ if u.Scheme != "https" || u.Hostname() != artifactsHost {
+ return fmt.Errorf("upload URL must be https://%s/..., got: %s", artifactsHost, uploadURL)
 }
 f, err := os.Open(filePath)
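Review bot: The new host check in uploadFileToURL accepts any explicit port, because `u.Hostname()` strips the `:port` suffix that the old `u.Host` comparison included, so a URL on the expected host but with a non-default port now passes where it was previously rejected. If a single allowed origin is the intent, keep the comparison exact: `if u.Scheme != "https" || u.Hostname() != artifactsHost || u.Port() != "" {`. The downloadFile check in the next hunk has the same relaxation and should get the same `Port()` condition. uploadFileToURL starts before this hunk (the url.Parse call is not shown) and continues after it.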
@@ -278,11 +280,13 @@ func downloadFile(downloadURL, outputPath string, cb *ScreenRecordCallbacks) err
 if err != nil {
 return fmt.Errorf("invalid download URL: %w", err)
 }
- if parsed.Scheme != "https" {
- return fmt.Errorf("download URL must use HTTPS scheme, got %q", parsed.Scheme)
+
+ if parsed.Scheme != "https" || parsed.Hostname() != artifactsHost {
+ return fmt.Errorf("download URL must be https://%s/..., got: %s", artifactsHost, downloadURL)
 }
- resp, err := http.Get(parsed.String()) //nolint:gosec // URL is validated above
+ utils.Verbose("downloading from %v", parsed)
+ resp, err := http.Get(parsed.String())
 if err != nil {
 return fmt.Errorf("HTTP GET failed: %w", err)
 }
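Review bot: The added `utils.Verbose("downloading from %v", parsed)` prints the whole URL, query string included; if these artifact URLs are presigned, the signature parameters land in verbose output, so log only scheme, host and path, e.g. `utils.Verbose("downloading from %s://%s%s", parsed.Scheme, parsed.Host, parsed.Path)`. The host check also covers only the first request: `http.Get` goes through http.DefaultClient, which follows redirects to any host, so a 3xx answer from the artifacts host can still steer the download elsewhere; a client whose CheckRedirect re-applies the same scheme/host test closes that gap, as sketched below. Dropping the `//nolint:gosec` directive may also re-surface a gosec finding on the variable-URL http.Get call if that linter runs in CI. downloadFile continues past the end of this hunk on both sides.
```go
	// … unchanged: scheme/host validation of parsed …
	client := &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if req.URL.Scheme != "https" || req.URL.Hostname() != artifactsHost {
				return fmt.Errorf("redirect to unexpected host %q", req.URL.Host)
			}
			return nil
		},
	}
	resp, err := client.Get(parsed.String())
```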