Brazilian CPF and ModCheck Validator are returning false positives

Description

There are some errors in the CPF constraint and ModCheck, first the constraint format pattern treat non digit characters as optional, but the exclusion patterns don't. i.e. 000.000.000-00 is invalid, but 00000000000 is valid.

The exclusion patterns are missing some other known cases, all document number that is composed only by the same digit is a invalid document that passes the Mod11 check, not only those composed by only zeros or nines.

The method mod11 used for CPF is giving false positives, accepts invalid check digits as valid.

As an example the document number 000.000.000-01 is know to be invalid, same occurs with the number 000.000.000-19, other examples would be 378.796.950-01 and 378.796.950-02 and others.

Two different check digits yet both are valid when put against the Mod11 algorithm used here. That happens because the check digit is being used in the checksum, this can create a condition where the digit validates it self.


I've wrote a patch and some tests, to ensure compatibility I didn't change any return type nor the method signature, passing on all previous tests.
I will send a pull request, after cleaning the code.

Having done that I think it would be wise to change that, pass the check digit separated from the verification list or not passing at all, the mod11 method should calculate the mod not validate it.

Samples for tests and validation are found in this site: http://www.geradorcpf.com/ and http://www.geradorcpf.com/validar-cpf.htm both in Brazilian Portuguese.

Excuse my poor English and thanks for the awesome job.

Environment

Hibernate 4.3.Final, Hibernate Validator 5.0.1.Final, PostgreSQL 8.3, JBoss EAP 6.1
But affects any environment using the faulty constraints

Status

Assignee

Unassigned

Reporter

Victor Rezende dos Santos

Labels

Feedback Requested

None

Feedback Requested By

None

backPortable

None

Suitable for new contributors

Yes, likely

Pull Request

None

backportDecision

None

backportReEvaluate

None

Components

Fix versions

Affects versions

Priority

Minor
Configure