Fix TypeError when server-side request fails

In addition to the intended SSRF vulnerability, it was possible to crash the server with maliciously chosen query parameters. Closes #225
Tim-sandbox · Jan 26, 2021 · 4a4d1db · 4a4d1db
1 parent b9e2c49
commit 4a4d1db
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/app/routes/research.js b/app/routes/research.js
@@ -13,15 +13,17 @@ function ResearchHandler(db) {
 
         if (req.query.symbol) {
             const url = req.query.url + req.query.symbol;
-            return needle.get(url, (error, newResponse) => {
+            return needle.get(url, (error, newResponse, body) => {
                 if (!error && newResponse.statusCode === 200) {
                     res.writeHead(200, {
                         "Content-Type": "text/html"
                     });
                 }
                 res.write("<h1>The following is the stock information you requested.</h1>\n\n");
                 res.write("\n\n");
-                res.write(newResponse.body);
+                if (body) {
+                    res.write(body);
+                }
                 return res.end();
             });
         }