Explicit early out for invalid URLs

Rob Wu
2020-05-02 17:52:10 +02:00
parent 20d5d0480e
commit 4ddb796e28
2 changed files with 35 additions and 1 deletions


@@ -231,6 +231,10 @@ function parseURL(req_url) {
return null;
}
if (!match[1]) {
if (/^https?:/i.test(req_url)) {
// The pattern at top could mistakenly parse "http:///" as host="http:" and path=///.
return null;
}
// Scheme is omitted.
if (req_url.lastIndexOf('//', 0) === -1) {
// "//" is omitted.
@@ -238,7 +242,12 @@ function parseURL(req_url) {
}
req_url = (match[4] === '443' ? 'https:' : 'http:') + req_url;
}
return url.parse(req_url);
var parsed = url.parse(req_url);
if (!parsed.hostname) {
// "http://:1/" and "http:/notenoughslashes" could end up here.
return null;
}
return parsed;
}
// Request handler factory
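Review bot: The new `if (!parsed.hostname)` guard in front of `return parsed;` only rejects an empty host, so it is a sanity check rather than validation of the proxy target, and its comment should say so. `url.parse` is Node's legacy, lenient parser and can return a non-empty `hostname` for input that a stricter parser would reject; whatever consumes parseURL's result (not visible in these hunks) presumably still has to apply any destination restrictions to `parsed.hostname` itself. I would extend the comment to `// Sanity check only: rejects an empty host; callers must still validate parsed.hostname.` and note in parseURL's header comment that it returns `null` for every input it cannot parse into a URL with a host. parseURL's body starts outside these hunks, so the pattern that produces `match` could not be checked here.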


@@ -119,6 +119,31 @@ describe('Basic functionality', function() {
.expect(200, helpText, done);
});
it('GET /http://:1234', function(done) {
// 'http://:1234' is an invalid URL.
request(cors_anywhere)
.get('/http://:1234')
.expect('Access-Control-Allow-Origin', '*')
.expect(200, helpText, done);
});
it('GET /http:///', function(done) {
// 'http://:1234' is an invalid URL.
request(cors_anywhere)
.get('/http:///')
.expect('Access-Control-Allow-Origin', '*')
.expect(200, helpText, done);
});
it('GET /http:/notenoughslashes', function(done) {
// 'http:/notenoughslashes' is an invalid URL.
request(cors_anywhere)
.get('/http:/notenoughslashes')
.expect('Access-Control-Allow-Origin', '*')
.expect(200, helpText, done);
});
it('GET ///example.com', function(done) {
// API base URL (with trailing slash) + '//example.com'
request(cors_anywhere)