Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add dnsLookup option to allow custom blacklist/whitelist logic #1

Merged
merged 5 commits into from
Nov 7, 2022
Merged

Add dnsLookup option to allow custom blacklist/whitelist logic #1

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
e3ddf7c
Add dnsLookup option to allow custom blacklist/whitelist logic
jonhaddow Nov 7, 2022
ed5a5b7
Add exclusion logic to server.js
jonhaddow Nov 7, 2022
6dec16a
Re-add config option
jonhaddow Nov 7, 2022
686de88
Add IP check into dns.lookup
jonhaddow Nov 7, 2022
2c6453c
Set dnsLookup to null by default
jonhaddow Nov 7, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 24 additions & 2 deletions lib/cors-anywhere.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@

'use strict';

var dns = require('dns');
var httpProxy = require('http-proxy');
var net = require('net');
var url = require('url');
Expand Down Expand Up @@ -84,7 +85,7 @@ function proxyRequest(req, res, proxy) {
var proxyOptions = {
changeOrigin: false,
prependPath: false,
target: location,
target: location.href,
headers: {
host: location.host,
},
Expand Down Expand Up @@ -132,7 +133,24 @@ function proxyRequest(req, res, proxy) {

// Start proxying the request
try {
proxy.web(req, res, proxyOptions);
if (!req.corsAnywhereRequestState.dnsLookup) {
// Start proxying the request
proxy.web(req, res, proxyOptions);
return;
}
var targetUrl = url.parse(proxyOptions.target);
req.corsAnywhereRequestState.dnsLookup(targetUrl.hostname, function (err, address) {
if (err) {
// TODO: Should errors just be propagated, or should we support something like
// err.statusCode, err.statusText and err.message to customize the HTTP response?
proxy.emit('error', err, req, res);
return;
}
targetUrl.host = null; // Null .host so that .hostname + .port is used.
targetUrl.hostname = address;
proxyOptions.target = url.format(targetUrl);
proxy.web(req, res, proxyOptions);
});
} catch (err) {
proxy.emit('error', err, req, res);
}
Expand Down Expand Up @@ -268,6 +286,9 @@ function getHandler(options, proxy) {
setHeaders: {}, // Set these request headers.
corsMaxAge: 0, // If set, an Access-Control-Max-Age header with this value (in seconds) will be added.
helpFile: __dirname + '/help.txt',
dnsLookup: function(hostname, callback) {
dns.lookup(hostname, {hints: dns.ADDRCONFIG}, callback);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this not need to include the

    if (hostname.startsWith('169.254.')) {
      throw new Error();
    }

logic? Also, we need to exclude loopback addresses (IPv4 addresses starting with 127. or IPv6 addresses starting with ::1) and site local addresses (IPv4 addresses starting with 10., 172.16. or 192.168., you might have to ask Google what the IPv6 equivalents are...)

Copy link
Author

@jonhaddow jonhaddow Nov 7, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I can include that in this PR. Was wondering if it should be a separate PR specific to our use case.

I guess any PR submitted upstream can have it separated.

Copy link

@AndyNeale AndyNeale Nov 7, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Marc's request was

Before we can make the corsproxy available to customers again we need to ensure it won't respond to any requests that are address.isLoopbackAddress() || address.isSiteLocalAddress() or 169.254.

so it should be fine to tackle all of those use cases in a single PR (and you're right, we could always tidy up the code in future by adding separate isLoopbackAddress and isLocalAddress methods)...

},
};

Object.keys(corsAnywhere).forEach(function(option) {
Expand Down Expand Up @@ -299,6 +320,7 @@ function getHandler(options, proxy) {
getProxyForUrl: corsAnywhere.getProxyForUrl,
maxRedirects: corsAnywhere.maxRedirects,
corsMaxAge: corsAnywhere.corsMaxAge,
dnsLookup: corsAnywhere.dnsLookup,
};

var cors_headers = withCORS({}, req);
Expand Down
18 changes: 18 additions & 0 deletions server.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
var dns = require('dns');

// Listen on a specific host via the HOST environment variable
var host = process.env.HOST || '0.0.0.0';
// Listen on a specific port via the PORT environment variable
Expand Down Expand Up @@ -44,6 +46,22 @@ cors_proxy.createServer({
// Do not add X-Forwarded-For, etc. headers, because Heroku already adds it.
xfwd: false,
},
dnsLookup: function (hostname, callback) {
var excludedHostnamePrefixes = [
'169.254.',
'127.',
'0:0:0:0:0:0:0:1',
'::1',
'10.',
'172.16.',
'192.168.',
'fe80::10'
];
if (excludedHostnamePrefixes.some(p => hostname.startsWith(p))) {
throw new Error();
}
dns.lookup(hostname, {hints: dns.ADDRCONFIG}, callback);
},
}).listen(port, host, function() {
console.log('Running CORS Anywhere on ' + host + ':' + port);
});