Rob--W · naddi96 · Feb 25, 2023
diff --git a/lib/cors-anywhere.js b/lib/cors-anywhere.js
@@ -5,6 +5,7 @@
 
 var httpProxy = require('http-proxy');
 var net = require('net');
+const { parse } = require('path');
 var url = require('url');
 var regexp_tld = require('./regexp-top-level-domain');
 var getProxyForUrl = require('proxy-from-env').getProxyForUrl;
@@ -253,12 +254,32 @@ function parseURL(req_url) {
   return parsed;
 }
 
+
+function checkUrlMatchList(url,list){
+  var parsed_list=list.map((el)=> parseURL(el))
+
+  var complete_url=url.host+url.pathname
+
+  for (var i in parsed_list){
+    var url = parsed_list[i].host +parsed_list[i].pathname
+    url=url.replace(".","\.")
+    url=url.replace("*","[^.]*")
+    var regrex= RegExp("^"+url+"$")
+    if (regrex.test(complete_url)){
+      return true
+    }
+  }
+  return false 
+}
+
 // Request handler factory
 function getHandler(options, proxy) {
   var corsAnywhere = {
     handleInitialRequest: null,     // Function that may handle the request instead, by returning a truthy value.
     getProxyForUrl: getProxyForUrl, // Function that specifies the proxy to use
     maxRedirects: 5,                // Maximum number of redirects to be followed.
+    requestUrlBlacklist: [],        // Requests to these url will be blocked.
+    requestUrlWhitelist: [],        // If non-empty, requests not from an url in this list will be blocked.
     originBlacklist: [],            // Requests from these origins will be blocked.
     originWhitelist: [],            // If non-empty, requests not from an origin in this list will be blocked.
     checkRateLimit: null,           // Function that may enforce a rate-limit by returning a non-empty string.
@@ -358,6 +379,23 @@ function getHandler(options, proxy) {
       return;
     }
 
+    if (corsAnywhere.requestUrlBlacklist.length>0){
+      if (checkUrlMatchList(location,corsAnywhere.requestUrlBlacklist)){
+        res.writeHead(403, 'Forbidden', cors_headers);
+        res.end('The destination "' + req.url.slice(1) + '" was blocked by the operator of this proxy.');
+        return ;
+      }
+    }
+
+    if (corsAnywhere.requestUrlWhitelist.length>0){
+      if (! checkUrlMatchList(location,corsAnywhere.requestUrlWhitelist)){
+        res.writeHead(403, 'Forbidden', cors_headers);
+        res.end('The destination "' + req.url.slice(1) + '" was blocked by the operator of this proxy.');
+        return;
+      }
+    }
+
+
     var origin = req.headers.origin || '';
     if (corsAnywhere.originBlacklist.indexOf(origin) >= 0) {
       res.writeHead(403, 'Forbidden', cors_headers);

diff --git a/server.js b/server.js
@@ -9,6 +9,9 @@ var port = process.env.PORT || 8080;
 // use originWhitelist instead.
 var originBlacklist = parseEnvList(process.env.CORSANYWHERE_BLACKLIST);
 var originWhitelist = parseEnvList(process.env.CORSANYWHERE_WHITELIST);
+var requestUrlBlacklist= parseEnvList(process.env.CORSANYWHERE_URL_BLACKLIST);
+var requestUrlWhitelist = parseEnvList(process.env.CORSANYWHERE_URL_WHITELIST);
+
 function parseEnvList(env) {
   if (!env) {
     return [];
@@ -23,6 +26,8 @@ var cors_proxy = require('./lib/cors-anywhere');
 cors_proxy.createServer({
   originBlacklist: originBlacklist,
   originWhitelist: originWhitelist,
+  requestUrlBlacklist:requestUrlBlacklist,
+  requestUrlWhitelist:requestUrlWhitelist,
   requireHeader: ['origin', 'x-requested-with'],
   checkRateLimit: checkRateLimit,
   removeHeaders: [