fix: validate redirect host against allowlist to prevent SSRF bypass

Re-validate each redirected URL's host against allowedDownloadHosts
inside the resolveRedirects loop, preventing an attacker from using
a trusted initial URL that redirects to an internal/restricted resource.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: alichherawalla

android/app/src/main/java/ai/offgridmobile/download/DownloadManagerModule.kt

@@ -397,11 +397,18 @@ class DownloadManagerModule(reactContext: ReactApplicationContext) :
                 if (responseCode in 300..399) {
                     val location = connection.getHeaderField("Location")
                     if (location.isNullOrEmpty()) return currentUrl
-                    currentUrl = if (location.startsWith("http")) {
+                    val nextUrl = if (location.startsWith("http")) {
                         location
                     } else {
                         URL(URL(currentUrl), location).toString()
                     }
+                    // Re-validate redirected host against allowlist to prevent SSRF bypass
+                    val nextHost = try { URL(nextUrl).host } catch (_: Exception) { null }
+                    if (nextHost == null || !allowedDownloadHosts.any { nextHost == it || nextHost.endsWith(".$it") }) {
+                        android.util.Log.w("DownloadManager", "Redirect to unauthorized host blocked: $nextHost")
+                        return currentUrl
+                    }
+                    currentUrl = nextUrl
                 } else {
                     return currentUrl
                 }