Rob--W · lutra · Aug 28, 2019 · Aug 28, 2019 · Rob--W · Aug 28, 2019
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,13 @@
+FROM node:lts-alpine
+
+RUN mkdir -p /app
+WORKDIR /app
+
+COPY package.json server.js /app/
+COPY lib /app/lib/
+RUN npm install
+
+ENV CORSANYWHERE_TARGET_WHITELIST "^https?:\/\/duckduckgo\.com"
+
+CMD [ "node", "/app/server.js" ]
+EXPOSE 8080
diff --git a/lib/cors-anywhere.js b/lib/cors-anywhere.js
@@ -250,6 +250,7 @@ function getHandler(options, proxy) {
     originWhitelist: [],            // If non-empty, requests not from an origin in this list will be blocked.
     checkRateLimit: null,           // Function that may enforce a rate-limit by returning a non-empty string.
     redirectSameOrigin: false,      // Redirect the client to the requested URL for same-origin requests.
+    checkTargetWhitelisted: null,
     requireHeader: null,            // Require a header to be set?
     removeHeaders: [],              // Strip these request headers.
     setHeaders: {},                 // Set these request headers.
@@ -364,6 +365,12 @@ function getHandler(options, proxy) {
       return;
     }
 
+    if (corsAnywhere.checkTargetWhitelisted && !corsAnywhere.checkTargetWhitelisted(location)) {
+      res.writeHead(403, 'Forbidden', cors_headers);
+      res.end('You are not permitted to access the location "' + location.href + '".');
+      return;
+    }
+
     var isRequestedOverHttps = req.connection.encrypted || /^\s*https/.test(req.headers['x-forwarded-proto']);
     var proxyBaseUrl = (isRequestedOverHttps ? 'https://' : 'http://') + req.headers.host;
 

diff --git a/lib/target-whitelist.js b/lib/target-whitelist.js
@@ -0,0 +1,26 @@
+'use strict';
+
+module.exports = function createTargetWhitelistChecker(targetWhitelist) {
+  // Configure targets to access. Use the environment variable CORSANYWHERE_TARGET_WHITELIST with a regular expression.
+  //
+  // Example:
+  // ^https?:\/\/duckduckgo\.com
+  // To access https://duckduckgo.com and all its sub-paths (such as https://duckduckgo.com/?q=looking+for+node.js+proxy)
+  if (!targetWhitelist || targetWhitelist.length === 0) {
+    // Permitted by default
+    return function permitted() {
+      return true;
+    };
+  }
+
+  // Test if regular expression is valid
+  var targetWhitelistPattern = new RegExp(targetWhitelist);
+
+  return function permitted(origin) {
+    if (targetWhitelistPattern && targetWhitelistPattern.test(origin.href)) {
+      return true;
+    }
+
+    return false;
+  };
+};
diff --git a/server.js b/server.js
@@ -19,12 +19,16 @@ function parseEnvList(env) {
 // Set up rate-limiting to avoid abuse of the public CORS Anywhere server.
 var checkRateLimit = require('./lib/rate-limit')(process.env.CORSANYWHERE_RATELIMIT);
 
+// Regular expression, which targets are allowed to access
+var checkTargetWhitelisted = require('./lib/target-whitelist')(process.env.CORSANYWHERE_TARGET_WHITELIST);
+
 var cors_proxy = require('./lib/cors-anywhere');
 cors_proxy.createServer({
   originBlacklist: originBlacklist,
   originWhitelist: originWhitelist,
   requireHeader: ['origin', 'x-requested-with'],
   checkRateLimit: checkRateLimit,
+  checkTargetWhitelisted: checkTargetWhitelisted,
   removeHeaders: [
     'cookie',
     'cookie2',