From 4a4d1db74c63fb4ff8d366551c3af006c25ead12 Mon Sep 17 00:00:00 2001
From: Rob Cowsill <42620235+rcowsill@users.noreply.github.com>
Date: Tue, 26 Jan 2021 13:37:11 +0000
Subject: [PATCH] Fix TypeError when server-side request fails

In addition to the intended SSRF vulnerability, it was possible to crash the server with maliciously chosen query parameters.

Closes #225
---
 app/routes/research.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/routes/research.js b/app/routes/research.js
index 3e04cfe..c3ae59d 100644
--- a/app/routes/research.js
+++ b/app/routes/research.js
@@ -13,7 +13,7 @@ function ResearchHandler(db) {
         if (req.query.symbol) {
             const url = req.query.url + req.query.symbol;
-            return needle.get(url, (error, newResponse) => {
+            return needle.get(url, (error, newResponse, body) => {
                 if (!error && newResponse.statusCode === 200) {
                     res.writeHead(200, {
                         "Content-Type": "text/html"
@@ -21,7 +21,9 @@ function ResearchHandler(db) {
                 }
                 res.write("

The following is the stock information you requested.

\n\n");
                 res.write("\n\n");
-                res.write(newResponse.body);
+                if (body) {
+                    res.write(body);
+                }
                 return res.end();
             });
         }
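Review bot: The added `if (body)` guard in the second hunk only rules out a missing or empty body; with needle's default response parsing, a JSON (or XML) upstream response arrives in the callback's `body` as a plain object rather than a string or Buffer, and `res.write(body)` then throws the same kind of TypeError this commit sets out to fix. A tighter check would be `if (typeof body === "string" || Buffer.isBuffer(body)) {`, or the request could pass `{ parse_response: false }` to `needle.get` so the callback always receives the raw body. Note that when `error` is set the handler still writes the stock-information page without calling `res.writeHead`, so the client sees the default status; that is pre-existing behaviour, but a short comment on the `if (!error && ...)` line in the first hunk saying the error path is intentionally tolerated would help the next reader. The enclosing handler function starts outside both hunks.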