Uploaded image for project: 'Hibernate Validator'
  1. HV-808

Brazilian CPF and ModCheck Validator are returning false positives

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 5.0.1.Final
    • Fix Version/s: 5.1.0.Beta1
    • Component/s: engine, validators
    • Labels:
    • Environment:
      Hibernate 4.3.Final, Hibernate Validator 5.0.1.Final, PostgreSQL 8.3, JBoss EAP 6.1
      But affects any environment using the faulty constraints
    • Bug Testcase Reminder (view):

      Bug reports should generally be accompanied by a test case!

    • Suitable for new contributors:
      Yes, likely
    • Last commented by a user?:
      true

      Description

      There are some errors in the CPF constraint and ModCheck, first the constraint format pattern treat non digit characters as optional, but the exclusion patterns don't. i.e. 000.000.000-00 is invalid, but 00000000000 is valid.

      The exclusion patterns are missing some other known cases, all document number that is composed only by the same digit is a invalid document that passes the Mod11 check, not only those composed by only zeros or nines.

      The method mod11 used for CPF is giving false positives, accepts invalid check digits as valid.

      As an example the document number 000.000.000-01 is know to be invalid, same occurs with the number 000.000.000-19, other examples would be 378.796.950-01 and 378.796.950-02 and others.

      Two different check digits yet both are valid when put against the Mod11 algorithm used here. That happens because the check digit is being used in the checksum, this can create a condition where the digit validates it self.


      I've wrote a patch and some tests, to ensure compatibility I didn't change any return type nor the method signature, passing on all previous tests.
      I will send a pull request, after cleaning the code.

      Having done that I think it would be wise to change that, pass the check digit separated from the verification list or not passing at all, the mod11 method should calculate the mod not validate it.

      Samples for tests and validation are found in this site: http://www.geradorcpf.com/ and http://www.geradorcpf.com/validar-cpf.htm both in Brazilian Portuguese.

      Excuse my poor English and thanks for the awesome job.

        Attachments

          Issue links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: