Check for localhost in remote url (#355)

Add check for localhost in remote url.

#274 (comment)

## Motivation and Context
We don't want authors to publish server with remote url set as
localhost.

## How Has This Been Tested?
It has been tested using UTs.

## Types of changes
<!-- What types of changes does your code introduce? Put an `x` in all
the boxes that apply: -->
- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to change)
- [ ] Documentation update

---------

Co-authored-by: Avish Porwal <[email protected]>
Co-authored-by: Adam Jones <[email protected]>
Co-authored-by: Claude <[email protected]>

Author: 4 people

internal/validators/utils.go

@@ -43,7 +43,7 @@ func IsValidURL(rawURL string) bool {
 		return false
 	}
 
-	if u.Host == "" {
+	if u.Host == "" || u.Hostname() == "localhost" {
 		return false
 	}
 	return true

internal/validators/validators_test.go

@@ -179,6 +179,46 @@ func TestValidate(t *testing.T) {
 			},
 			expectedError: validators.ErrInvalidRemoteURL.Error(),
 		},
+		{
+			name: "remote with localhost url",
+			serverDetail: apiv0.ServerJSON{
+				Name:        "com.example/test-server",
+				Description: "A test server",
+				Repository: model.Repository{
+					URL:    "https://github.com/owner/repo",
+					Source: "github",
+				},
+				VersionDetail: model.VersionDetail{
+					Version: "1.0.0",
+				},
+				Remotes: []model.Remote{
+					{
+						URL: "http://localhost",
+					},
+				},
+			},
+			expectedError: validators.ErrInvalidRemoteURL.Error(),
+		},
+		{
+			name: "remote with localhost url with port",
+			serverDetail: apiv0.ServerJSON{
+				Name:        "com.example/test-server",
+				Description: "A test server",
+				Repository: model.Repository{
+					URL:    "https://github.com/owner/repo",
+					Source: "github",
+				},
+				VersionDetail: model.VersionDetail{
+					Version: "1.0.0",
+				},
+				Remotes: []model.Remote{
+					{
+						URL: "http://localhost:3000",
+					},
+				},
+			},
+			expectedError: validators.ErrInvalidRemoteURL.Error(),
+		},
 		{
 			name: "multiple remotes with one invalid",
 			serverDetail: apiv0.ServerJSON{
@@ -311,16 +351,6 @@ func TestValidate_RemoteNamespaceMatch(t *testing.T) {
 			expectError: true,
 			errorMsg:    "remote URL host api.github.com does not match publisher domain microsoft.com",
 		},
-		{
-			name: "localhost URLs allowed with any namespace",
-			serverDetail: apiv0.ServerJSON{
-				Name: "com.example/test-server",
-				Remotes: []model.Remote{
-					{URL: "http://localhost:3000/sse"},
-				},
-			},
-			expectError: false,
-		},
 		{
 			name: "invalid URL format",
 			serverDetail: apiv0.ServerJSON{