From c1e248777f75153baa206bfade20ba0a7a50d096 Mon Sep 17 00:00:00 2001
From: Jon Haddow <jon@haddow.me>
Date: Mon, 7 Nov 2022 12:57:46 +0000
Subject: [PATCH 1/2] Add dnsLookup option to allow custom blacklist/whitelist
 logic (#1)

---
 lib/cors-anywhere.js | 24 ++++++++++++++++++++++--
 server.js            | 20 ++++++++++++++++++++
 2 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/lib/cors-anywhere.js b/lib/cors-anywhere.js
index eb4f47c5..0805650f 100644
--- a/lib/cors-anywhere.js
+++ b/lib/cors-anywhere.js
@@ -3,6 +3,7 @@
 
 'use strict';
 
+var dns = require('dns');
 var httpProxy = require('http-proxy');
 var net = require('net');
 var url = require('url');
@@ -84,7 +85,7 @@ function proxyRequest(req, res, proxy) {
   var proxyOptions = {
     changeOrigin: false,
     prependPath: false,
-    target: location,
+    target: location.href,
     headers: {
       host: location.host,
     },
@@ -132,7 +133,24 @@ function proxyRequest(req, res, proxy) {
 
   // Start proxying the request
   try {
-    proxy.web(req, res, proxyOptions);
+    if (!req.corsAnywhereRequestState.dnsLookup) {
+      // Start proxying the request
+      proxy.web(req, res, proxyOptions);
+      return;
+    }
+    var targetUrl = url.parse(proxyOptions.target);
+    req.corsAnywhereRequestState.dnsLookup(targetUrl.hostname, function (err, address) {
+      if (err) {
+        // TODO: Should errors just be propagated, or should we support something like
+        // err.statusCode, err.statusText and err.message to customize the HTTP response?
+        proxy.emit('error', err, req, res);
+        return;
+      }
+      targetUrl.host = null; // Null .host so that .hostname + .port is used.
+      targetUrl.hostname = address;
+      proxyOptions.target = url.format(targetUrl);
+      proxy.web(req, res, proxyOptions);
+    });
   } catch (err) {
     proxy.emit('error', err, req, res);
   }
@@ -268,6 +286,7 @@ function getHandler(options, proxy) {
     setHeaders: {},                 // Set these request headers.
     corsMaxAge: 0,                  // If set, an Access-Control-Max-Age header with this value (in seconds) will be added.
     helpFile: __dirname + '/help.txt',
+    dnsLookup: null,
   };
 
   Object.keys(corsAnywhere).forEach(function(option) {
@@ -299,6 +318,7 @@ function getHandler(options, proxy) {
       getProxyForUrl: corsAnywhere.getProxyForUrl,
       maxRedirects: corsAnywhere.maxRedirects,
       corsMaxAge: corsAnywhere.corsMaxAge,
+      dnsLookup: corsAnywhere.dnsLookup,
     };
 
     var cors_headers = withCORS({}, req);
diff --git a/server.js b/server.js
index 757ac1d0..8dbb43ff 100644
--- a/server.js
+++ b/server.js
@@ -1,3 +1,5 @@
+var dns = require('dns');
+
 // Listen on a specific host via the HOST environment variable
 var host = process.env.HOST || '0.0.0.0';
 // Listen on a specific port via the PORT environment variable
@@ -44,6 +46,24 @@ cors_proxy.createServer({
     // Do not add X-Forwarded-For, etc. headers, because Heroku already adds it.
     xfwd: false,
   },
+  dnsLookup: function (hostname, callback) {
+    var excludedHostnamePrefixes = [
+      '169.254.',
+      '127.',
+      '0:0:0:0:0:0:0:1',
+      '::1',
+      '10.',
+      '172.16.',
+      '192.168.',
+      'fe80::10'
+    ];
+    dns.lookup(hostname, { hints: dns.ADDRCONFIG }, (err, address, family) => {
+      if (excludedHostnamePrefixes.some(p => address.startsWith(p))) {
+        err = 'ExcludedAddress'
+      }
+      callback(err, address, family);
+    });
+  },
 }).listen(port, host, function() {
   console.log('Running CORS Anywhere on ' + host + ':' + port);
 });

From 0a53e435e65ca95de4bbd173dd5518a3ed238821 Mon Sep 17 00:00:00 2001
From: Jon Haddow <jon@haddow.me>
Date: Tue, 7 May 2024 13:48:08 +0100
Subject: [PATCH 2/2] Ensure address is defined before checking against an
 excluded hostname prefix (#2)

---
 server.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server.js b/server.js
index 8dbb43ff..cf1c650e 100644
--- a/server.js
+++ b/server.js
@@ -58,7 +58,7 @@ cors_proxy.createServer({
       'fe80::10'
     ];
     dns.lookup(hostname, { hints: dns.ADDRCONFIG }, (err, address, family) => {
-      if (excludedHostnamePrefixes.some(p => address.startsWith(p))) {
+      if (address && excludedHostnamePrefixes.some(p => address.startsWith(p))) {
         err = 'ExcludedAddress'
       }
       callback(err, address, family);