Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add possibility to permit specified targets only #195

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
FROM node:lts-alpine

RUN mkdir -p /app
WORKDIR /app

COPY package.json server.js /app/
COPY lib /app/lib/
RUN npm install

ENV CORSANYWHERE_TARGET_WHITELIST "^https?:\/\/duckduckgo\.com"

CMD [ "node", "/app/server.js" ]
EXPOSE 8080
7 changes: 7 additions & 0 deletions lib/cors-anywhere.js
Original file line number Diff line number Diff line change
Expand Up @@ -250,6 +250,7 @@ function getHandler(options, proxy) {
originWhitelist: [], // If non-empty, requests not from an origin in this list will be blocked.
checkRateLimit: null, // Function that may enforce a rate-limit by returning a non-empty string.
redirectSameOrigin: false, // Redirect the client to the requested URL for same-origin requests.
checkTargetWhitelisted: null,
requireHeader: null, // Require a header to be set?
removeHeaders: [], // Strip these request headers.
setHeaders: {}, // Set these request headers.
Expand Down Expand Up @@ -364,6 +365,12 @@ function getHandler(options, proxy) {
return;
}

if (corsAnywhere.checkTargetWhitelisted && !corsAnywhere.checkTargetWhitelisted(location)) {
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not the right place to enforce target restrictions, because it does not account for redirects.

I once started with a patch to limit targets, in #78, but never finished it.

res.writeHead(403, 'Forbidden', cors_headers);
res.end('You are not permitted to access the location "' + location.href + '".');
return;
}

var isRequestedOverHttps = req.connection.encrypted || /^\s*https/.test(req.headers['x-forwarded-proto']);
var proxyBaseUrl = (isRequestedOverHttps ? 'https://' : 'http://') + req.headers.host;

Expand Down
26 changes: 26 additions & 0 deletions lib/target-whitelist.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
'use strict';

module.exports = function createTargetWhitelistChecker(targetWhitelist) {
// Configure targets to access. Use the environment variable CORSANYWHERE_TARGET_WHITELIST with a regular expression.
//
// Example:
// ^https?:\/\/duckduckgo\.com
// To access https://duckduckgo.com and all its sub-paths (such as https://duckduckgo.com/?q=looking+for+node.js+proxy)
if (!targetWhitelist || targetWhitelist.length === 0) {
// Permitted by default
return function permitted() {
return true;
};
}

// Test if regular expression is valid
var targetWhitelistPattern = new RegExp(targetWhitelist);

return function permitted(origin) {
if (targetWhitelistPattern && targetWhitelistPattern.test(origin.href)) {
return true;
}

return false;
};
};
4 changes: 4 additions & 0 deletions server.js
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,16 @@ function parseEnvList(env) {
// Set up rate-limiting to avoid abuse of the public CORS Anywhere server.
var checkRateLimit = require('./lib/rate-limit')(process.env.CORSANYWHERE_RATELIMIT);

// Regular expression, which targets are allowed to access
var checkTargetWhitelisted = require('./lib/target-whitelist')(process.env.CORSANYWHERE_TARGET_WHITELIST);

var cors_proxy = require('./lib/cors-anywhere');
cors_proxy.createServer({
originBlacklist: originBlacklist,
originWhitelist: originWhitelist,
requireHeader: ['origin', 'x-requested-with'],
checkRateLimit: checkRateLimit,
checkTargetWhitelisted: checkTargetWhitelisted,
removeHeaders: [
'cookie',
'cookie2',
Expand Down