From fbd8c16616e35eeeea9a3c7cb4ecd14d1785435a Mon Sep 17 00:00:00 2001
From: merelendor
Date: Mon, 2 Dec 2024 01:04:22 +0300
Subject: [PATCH] security audit fixes: task ID 12: add sanitize method on passing acc_number param to CRM
---
lib/SanitizeString/index.js | 5 +++++
pages/api/auth/switch.js | 3 ++-
2 files changed, 7 insertions(+), 1 deletion(-)
create mode 100644 lib/SanitizeString/index.js
diff --git a/lib/SanitizeString/index.js b/lib/SanitizeString/index.js
new file mode 100644
index 0000000..3d0b7ee
--- /dev/null
+++ b/lib/SanitizeString/index.js
@@ -0,0 +1,5 @@
+export default function SanitizeString(str, punctuation = false, space = false, replace = false)
+{
+ const r = new RegExp(`[^\\d${ space ? `\\s` : `` }\\.\\-@${ punctuation ? `"'=+,;«»()&!?%` : ``}\\p{A-z}\u0401\u0451\u0410-\u044f]`, 'gi');
+ return str.replace(r, replace ? ' ' : '');
+}
\ No newline at end of file
diff --git a/pages/api/auth/switch.js b/pages/api/auth/switch.js
index 2d11bc0..4fa6205 100644
--- a/pages/api/auth/switch.js
+++ b/pages/api/auth/switch.js
@@ -6,11 +6,12 @@ import moment from 'moment';
 import jwt from 'jsonwebtoken';
 import { cors } from '../../../lib/cors';
+import SanitizeString from '../../../lib/SanitizeString';
 export default async function handler(req, res) {
 await cors(req, res);
- let { acc_number } = req.body;
+ let acc_number = SanitizeString(req.body.acc_number, false, false, true);
 console.log("API", "auth/switch");
 if(req.headers.cookie !== undefined)
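Review bot: `\p{A-z}` in the character class on the `const r` line is not a letter range: the RegExp is built with flags `'gi'` and no `u`, so `\p` is the plain letter `p` and the class admits `p`, `{`, `}` and the `A-z` range, which spans the ASCII characters between `Z` and `a` (`[`, `\`, `]`, `^`, `_`, backtick) that a strip-list for an account number should not pass through; with `u` added instead, `\p{A-z}` is a SyntaxError because `A-z` is not a property name. Spell the Latin letters as `A-Za-z` (`A-Z` alone suffices under `i`) so the allow-list holds only what is intended. The function also assumes `str` is a string: when the caller passes an absent field or a non-string JSON value, `str.replace` throws a TypeError, so coerce or check first, e.g. `return String(str ?? '').replace(r, replace ? ' ' : '');`, or have the caller reject non-strings. A JSDoc header for the export should name the four parameters and state that this removes (or, with `replace`, blanks) characters rather than validating the value, so callers still need a format check on the result.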
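Review bot: The new `let acc_number = SanitizeString(req.body.acc_number, false, false, true);` line throws when the field is missing, because `SanitizeString(undefined, ...)` reaches `str.replace` on `undefined`, whereas the removed destructuring simply left `acc_number` as `undefined` for whatever checks follow; a request without `acc_number` now ends in an uncaught TypeError instead of the handler's own handling (the rest of `handler` is outside the hunk). Guard the type at the call site, e.g. `const acc_number = typeof req.body.acc_number === 'string' ? SanitizeString(req.body.acc_number, false, false, true) : undefined;`, using `const` unless the value is reassigned later in the handler. Passing `true` as the fourth argument turns rejected characters into spaces rather than dropping them, so the value can silently change shape before it is used; for an account number an explicit format check (expected characters and length) that answers 400 on mismatch is the stronger control, with sanitization as the fallback rather than the only step.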