Add dnsLookup option to allow custom blacklist/whitelist logic #1
Conversation
lib/cors-anywhere.js
Outdated
| @@ -268,6 +286,9 @@ function getHandler(options, proxy) { | |||
| setHeaders: {}, // Set these request headers. | |||
| corsMaxAge: 0, // If set, an Access-Control-Max-Age header with this value (in seconds) will be added. | |||
| helpFile: __dirname + '/help.txt', | |||
| dnsLookup: function(hostname, callback) { | |||
| dns.lookup(hostname, {hints: dns.ADDRCONFIG}, callback); | |||
There was a problem hiding this comment.
Does this not need to include the
if (hostname.startsWith('169.254.')) {
throw new Error();
}
logic? Also, we need to exclude loopback addresses (IPv4 addresses starting with 127. or IPv6 addresses starting with ::1) and site local addresses (IPv4 addresses starting with 10., 172.16. or 192.168., you might have to ask Google what the IPv6 equivalents are...)
There was a problem hiding this comment.
Yeah, I can include that in this PR. Was wondering if it should be a separate PR specific to our use case.
I guess any PR submitted upstream can have it separated.
There was a problem hiding this comment.
Marc's request was
Before we can make the corsproxy available to customers again we need to ensure it won't respond to any requests that are address.isLoopbackAddress() || address.isSiteLocalAddress() or 169.254.
so it should be fine to tackle all of those use cases in a single PR (and you're right, we could always tidy up the code in future by adding separate isLoopbackAddress and isLocalAddress methods)...
As described in this upstream issue, this PR introduces a
dnsLookupconfiguration option which allows for custom logic to whitelist or blacklist requests to specific hostnames.To test the change, start the server locally and check that hostnames starting with loopback or site local IPs are blocked.