security audit fixes: task ID 12: add sanitize method on passing acc_number param to CRM

2024-12-02 01:04:22 +03:00 · 2024-12-02 01:04:22 +03:00 · fbd8c16616
commit fbd8c16616
parent c26aaf2f29
2 changed files with 7 additions and 1 deletions
--- a/lib/SanitizeString/index.js
+++ b/lib/SanitizeString/index.js
@ -0,0 +1,5 @@
+export default function SanitizeString(str, punctuation = false, space = false, replace = false)
+{
+	const r = new RegExp(`[^\\d${ space ? `\\s` : `` }\\.\\-@${ punctuation ? `"'=+,;«»()&!?%` : ``}\\p{A-z}\u0401\u0451\u0410-\u044f]`, 'gi');
+	return str.replace(r, replace ? ' ' : '');
+}
--- a/pages/api/auth/switch.js
+++ b/pages/api/auth/switch.js
@ -6,11 +6,12 @@ import moment from 'moment';
 import jwt from 'jsonwebtoken';

 import { cors } from '../../../lib/cors';
+import SanitizeString from '../../../lib/SanitizeString';

 export default async function handler(req, res) 
 {
 	await cors(req, res);
-	let { acc_number } = req.body;
+	let acc_number = SanitizeString(req.body.acc_number, false, false, true);

 	console.log("API", "auth/switch");
 	if(req.headers.cookie !== undefined)