misc: validate iban size, refuse empty or null bban (#42562)

2020-05-06 15:09:25 +02:00 · 2020-05-06 15:09:25 +02:00 · 5889ee2d06
parent 55c655bc35
commit 5889ee2d06
2 changed files with 37 additions and 0 deletions
--- a/tests/test_widgets.py
+++ b/tests/test_widgets.py
@ -860,6 +860,12 @@ def test_wcsextrastringwidget_iban_validation():
                 'FR76 hello 234 6789 1234 6789 123',
                 'FRxx 2004 1000 0101 2345 6Z02 068',
                 'FR76 3000 6000 011² 3456 7890 189',  # ²
+                 'XX12',
+                 'XX12 0000 00',
+                 'FR76',
+                 'FR76 0000 0000 0000 0000 0000 000',
+                 'FR76 1234 4567',
+                 'Fr76 3000 6000 0112 3456 7890 189',
            ]:
        widget = WcsExtraStringWidget('test', value='foo', required=False)
        widget.field = fakefield
--- a/wcs/qommon/misc.py
+++ b/wcs/qommon/misc.py
@ -746,6 +746,32 @@ def validate_nir(string_value):
    return int(nir_key) == 97 - int(string_value[:13]) % 97


+IBAN_LENGTH = {
+    # from https://www.iban.com/structure
+    'AD': 24, 'AE': 23, 'AL': 28, 'AT': 20, 'AZ': 28, 'BA': 20,
+    'BE': 16, 'BG': 22, 'BH': 22, 'BR': 29, 'BY': 28, 'CH': 21,
+    'CR': 22, 'CY': 28, 'CZ': 24, 'DE': 22, 'DK': 18, 'DO': 28,
+    'EE': 20, 'EG': 29, 'ES': 24, 'FI': 18, 'FO': 18, 'FR': 27,
+    'GB': 22, 'GE': 22, 'GI': 23, 'GL': 18, 'GR': 27, 'GT': 28,
+    'HR': 21, 'HU': 28, 'IE': 22, 'IL': 23, 'IQ': 23, 'IS': 26,
+    'IT': 27, 'JO': 30, 'KW': 30, 'KZ': 20, 'LB': 28, 'LC': 32,
+    'LI': 21, 'LT': 20, 'LU': 20, 'LV': 21, 'MC': 27, 'MD': 24,
+    'ME': 22, 'MK': 19, 'MR': 27, 'MT': 31, 'MU': 30, 'NL': 18,
+    'NO': 15, 'PK': 24, 'PL': 28, 'PS': 29, 'PT': 25, 'QA': 29,
+    'RO': 24, 'RS': 22, 'SA': 24, 'SC': 31, 'SE': 24, 'SI': 19,
+    'SK': 24, 'SM': 27, 'ST': 25, 'SV': 28, 'TL': 23, 'TN': 24,
+    'TR': 26, 'UA': 29, 'VA': 22, 'VG': 24, 'XK': 20,
+    # FR includes:
+    'GF': 27, 'GP': 27, 'MQ': 27, 'RE': 27, 'PF': 27, 'TF': 27,
+    'YT': 27, 'NC': 27, 'BL': 27, 'MF': 27, 'PM': 27, 'WF': 27,
+    # GB includes:
+    'IM': 22, 'GG': 22, 'JE': 22,
+    # FI includes:
+    'AX': 18,
+    # ES includes:
+    'IC': 24, 'EA': 24,
+}
+
 def validate_iban(string_value):
    '''https://fr.wikipedia.org/wiki/International_Bank_Account_Number'''
    if not string_value:
@ -755,8 +781,13 @@ def validate_iban(string_value):
    bban = string_value[4:]
    if not (country_code.isalpha() and country_code.isupper()):
        return False
+    if IBAN_LENGTH.get(country_code) and len(string_value) != IBAN_LENGTH[country_code]:
+        return False
    if not is_ascii_digit(iban_key):
        return False
+    if not bban or is_ascii_digit(bban) and int(bban) == 0:
+        # bban is empty or a list of 0
+        return False
    dummy_iban = bban + country_code + '00'
    dummy_iban_converted = ''
    for car in dummy_iban: