From 4ddb796e28a5dda926db9f6406ee2149070e8a85 Mon Sep 17 00:00:00 2001
From: Rob Wu
Date: Sat, 2 May 2020 17:52:10 +0200
Subject: [PATCH] Explicit early out for invalid URLs

---
 lib/cors-anywhere.js | 11 ++++++++++-
 test/test.js | 25 +++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/lib/cors-anywhere.js b/lib/cors-anywhere.js
index b92eb4e..7fd8ec8 100644
--- a/lib/cors-anywhere.js
+++ b/lib/cors-anywhere.js
@@ -231,6 +231,10 @@ function parseURL(req_url) {
 return null;
 }
 if (!match[1]) {
+ if (/^https?:/i.test(req_url)) {
+ // The pattern at top could mistakenly parse "http:///" as host="http:" and path=///.
+ return null;
+ }
 // Scheme is omitted.
 if (req_url.lastIndexOf('//', 0) === -1) {
 // "//" is omitted.
@@ -238,7 +242,12 @@ function parseURL(req_url) {
 }
 req_url = (match[4] === '443' ? 'https:' : 'http:') + req_url;
 }
- return url.parse(req_url);
+ var parsed = url.parse(req_url);
+ if (!parsed.hostname) {
+ // "http://:1/" and "http:/notenoughslashes" could end up here.
+ return null;
+ }
+ return parsed;
 }
 
 // Request handler factory
diff --git a/test/test.js b/test/test.js
index 2951cc0..7cefac6 100644
--- a/test/test.js
+++ b/test/test.js
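Review bot: Both new early-outs in parseURL (the scheme check in the first hunk and the `!parsed.hostname` check in the second) return the same `null` the function already uses when no URL is present, so a malformed target is indistinguishable to the caller from a missing one; the accompanying tests show it is answered with the 200 help page rather than a client error. If that is the intended contract, the function's doc comment should state it, e.g. `// Returns null for an absent URL and for URLs without a usable hostname (e.g. "http://:1/", "http:///").` Note also that `url.parse` is Node's legacy, lenient parser, so the hostname guard rejects only the empty-host forms named in the comment and should not be read as general URL validation; any stricter validation belongs in the pattern at the top of the function. parseURL's signature and that pattern are outside both hunks.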
@@ -119,6 +119,31 @@ describe('Basic functionality', function() {
 .expect(200, helpText, done);
 });
 
+ it('GET /http://:1234', function(done) {
+ // 'http://:1234' is an invalid URL.
+ request(cors_anywhere)
+ .get('/http://:1234')
+ .expect('Access-Control-Allow-Origin', '*')
+ .expect(200, helpText, done);
+ });
+
+ it('GET /http:///', function(done) {
+ // 'http://:1234' is an invalid URL.
+ request(cors_anywhere)
+ .get('/http:///')
+ .expect('Access-Control-Allow-Origin', '*')
+ .expect(200, helpText, done);
+ });
+
+ it('GET /http:/notenoughslashes', function(done) {
+ // 'http:/notenoughslashes' is an invalid URL.
+ request(cors_anywhere)
+ .get('/http:/notenoughslashes')
+ .expect('Access-Control-Allow-Origin', '*')
+ .expect(200, helpText, done);
+ });
+
 it('GET ///example.com', function(done) {
 // API base URL (with trailing slash) + '//example.com'
 request(cors_anywhere)
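Review bot: The comment inside the second new test (`it('GET /http:///'`) was copied from the first and names the wrong input; it should read `// 'http:///' is an invalid URL.` so the three cases stay self-describing. The three tests are otherwise identical apart from the path, so a small table of invalid paths iterated with `it` per entry would keep them in sync as further malformed forms are added, though that is a style preference rather than a defect.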