fix: fixed several issues with proxy

- proxy no longer crashes with malformed input - use URL whitelist instead of blindly proxying everything - clean up code
2024-11-10 03:28:35 +01:00 · 2022-12-19 18:22:43 +01:00 · 2022-12-19 18:22:43 +01:00 · 9dad70b2e4
commit 9dad70b2e4
parent ee347dd3dc
1 changed files with 49 additions and 22 deletions
--- a/p/server.js
+++ b/p/server.js
@ -2,48 +2,75 @@ const fs = require("fs");
 const express = require("express");
 const fetch = require("node-fetch");
 const htmlParser = require("node-html-parser");
+const { URL } = require("url");
+
+// Array of hostnames that will be proxied
+const URL_WHITELIST = [
+  'i.ytimg.com',
+  'yt3.googleusercontent.com',
+  'cdn.glitch.global',
+  'cdn.statically.io',
+  'site-assets.fontawesome.com',
+  'fonts.gstatic.com',
+  'yt3.ggpht.com',
+  'tube.kuylar.dev',
+  'lh3.googleusercontent.com',
+  'is4-ssl.mzstatic.com',
+  'twemoji.maxcdn.com',
+  'unpkg.com',
+];

 const app = express();

 app.use(express.json()); // for parsing application/json
 app.use(express.urlencoded({ extended: true })); // for parsing application/x-www-form-urlencoded

+app.use(function (req, res, next) {
+  console.log(`=> ${req.method} ${req.originalUrl.slice(1)}`)
+  next();
+});
+
 app.use(function (req, res, next) {
  res.header("Access-Control-Allow-Origin", "*");
  next();
 });
-let Proxy = async (req, res) => {
-  const url = "https://" + req.originalUrl.slice(10);
+
+/**
+ * @param {express.Request} req 
+ * @param {express.Response} res 
+ */
+const proxy = async (req, res) => {
+  try {
+    let url;
+
+    try {
+      url = new URL("https://" + req.originalUrl.slice(1));
+    } catch(e) {
+      console.log('==> Cannot parse URL: ' + e);
+      return res.status(400).send('Malformed URL');
+    }
+
+    if (!URL_WHITELIST.includes(url.host)) {
+      console.log(`==> Refusing to proxy host ${url.host}`);
+      res.status(401).send(`Hostname '${url.host}' is not permitted`);
+      return;
+    }
+
+    console.log(`==> Proxying request`);

    let f = await fetch(url, {
      method: req.method,
    });
-  if (false && f.headers.get("content-type").includes("html")) {
-    const body = await f.text();
-    if (false && !htmlParser.valid(body)) {
-      console.warn(`[ERROR] Invalid HTML at ${url}`);
-      f.body.pipe(res);
-      return;
-    }
-    const root = htmlParser.parse(body);
-    let html = root.childNodes.filter(
-      (x) => x.tagName && x.tagName.toLowerCase() == "html"
-    )[0];

-    if (!html) {
-      console.warn(`[ERROR] No <html> at ${url}`);
-      res.send(body);
-      return;
-    }
-
-    res.send(html.toString());
-  } else {
    f.body.pipe(res);
+  } catch(e) {
+    console.log(`==> Error: ${e}`);
+    res.status(500).send('Internal server error');
  }
 };

 const listener = (req, res) => {
-  Proxy(req, res);
+  proxy(req, res);
 };

 app.get("/", (req, res) =>
@ -52,4 +79,4 @@ app.get("/", (req, res) =>

 app.all("/*", listener);

-app.listen(3000, () => {});
+app.listen(3000, () => console.log('Listening on 0.0.0.0:3000'));