From aad45b338e4104cc6003ccaed1f2c7b7db2140f9 Mon Sep 17 00:00:00 2001
From: ChrisChrome
Date: Mon, 5 Aug 2024 15:43:41 -0600
Subject: [PATCH] Add more protections

---
 index.js | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/index.js b/index.js
index ce3dccb..70aa351 100644
--- a/index.js
+++ b/index.js
@@ -20,12 +20,17 @@ app.get("/:domain/*", (req, res) => {
 const domain = req.params.domain;
 const path = req.params[0];
 const args = req.query;
- // Check that domain is equal or subdomain of allowedDomains
- if (!allowedDomains.some((allowedDomain) => domain.endsWith(allowedDomain))) {
- res.status(403).send("Domain not allowed");
- return;
+ // If domain has any characters that arent alphanumeric, a period, or -, return 400
+ if (!/^[a-zA-Z0-9.-]+$/.test(domain)) {
+ return res.status(400).send("Invalid domain");
 }
+ // Check if domain is valid subdomain of allowedDomains
+ if (!allowedDomains.some((allowedDomain) => domain.endsWith(allowedDomain))) {
+ return res.status(400).send("Invalid domain");
+ }
+
+ // Make the request
 axios.get(`https://${domain}/${path}`, {
 params: args
@@ -34,10 +39,18 @@ app.get("/:domain/*", (req, res) => {
 res.status(response.status).send(response.data);
 }).catch((error) => {
 // Send the error back
+ if (!error.response) {
+ return res.status(500).send("An error occurred");
+ }
 res.status(error.response.status).send(error.response.data);
 });
 });
 
+app.get("/:domain", (req, res) => {
+ // redirect them to /:domain/
+ res.redirect(`/${req.params.domain}/`);
+})
+
 const port = process.env.SERVER_PORT || 3000;
 app.listen(port, () => {
 console.log(`Server is running on port ${port}`);
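Review bot: The allowlist test on the new `allowedDomains.some((allowedDomain) => domain.endsWith(allowedDomain))` line is a bare suffix match, so with `example.com` allowed, `evil-example.com` (every character of which passes the new regex) is accepted and the proxy fetches from an attacker-controlled host. The character check is a good addition but does not close this; the suffix should only match at a label boundary, e.g. `allowedDomains.some((d) => domain === d || domain.endsWith("." + d))`. Lowercasing `domain` before both checks would also make the comparison case-insensitive, as hostnames are; presumably the allowedDomains entries are already lowercase, but that list is defined outside this hunk. The handler this belongs to, `app.get("/:domain/*", ...)`, opens before the hunk and its body continues past it.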
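Review bot: The new `if (!error.response)` branch in the catch discards the error entirely, so DNS failures, timeouts and refused connections to the upstream all surface as an opaque 500 with nothing logged; add `console.error(error.message);` (or the project's logger, if one exists outside this hunk) before the response, and consider `502` since the failure is upstream rather than in this server. The new `app.get("/:domain", ...)` route reflects `req.params.domain` into the redirect target without the regex check the `/:domain/*` handler applies; since the redirect points to a path on this host it is likely harmless, but applying the same check before redirecting is cheap and keeps the two routes consistent. The closing `})` of that route is also missing its semicolon, unlike every other statement visible in the file. The `.catch` body at the top of the hunk belongs to the handler that opens before it.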