Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Iban.isValid() method does not verify that the check digits match those that would be calculated #82

Closed
edgeofoblivion opened this issue Jul 15, 2021 · 2 comments · Fixed by #83
Closed

Iban.isValid() method does not verify that the check digits match those that would be calculated #82

edgeofoblivion opened this issue Jul 15, 2021 · 2 comments · Fixed by #83
Labels
bug
Milestone
3.1.1

Comments

@edgeofoblivion
Copy link

edgeofoblivion commented Jul 15, 2021
edited

jbanking/src/main/java/fr/marcwrobel/jbanking/iban/Iban.java

Line 156 in ac28e38

return IbanCheckDigit.INSTANCE.validate(normalized);

Hello,
I've seen an unusual instance where the Iban.isValid(String iban) method returns true for what I believe to be an invalid Iban.
At the bottom of the method ultimately a modulus check is performed:

return IbanCheckDigit.INSTANCE.validate(normalized);

But a variation of a valid Iban (as seen in the example below which is based on a valid entry from your test class set of randomly generated valid Ibans) can also pass this modulus check and return true - no check is done to see if the generated Iban check digits match those from the given iban parameter.

@Test
public void ibanLibraryTest() {

  String valid = "MD026JK24D0RFGDJJPJQHKWN";
  String dubious = "MD996JK24D0RFGDJJPJQHKWN";

  // both pass modulo check but the second assertion should really fail
  assertTrue(Iban.isValid(valid));
  assertTrue(Iban.isValid(dubious)); // this should fail

  // both instantiate ok
  Iban validIban = new Iban(valid);
  Iban dubiousIban = new Iban(dubious);

  String calculatedCheckDigits =
      IbanCheckDigit.INSTANCE.calculate(valid.substring(0, 2) + "00" + valid.substring(4)); // returns "02"

  // Calculated matches supplied from iban
  assertTrue(calculatedCheckDigits.equals(validIban.getCheckDigit()));

  // However, if this check was to be done we could tell that the supplied iban is dubious
  assertTrue(calculatedCheckDigits.equals(dubiousIban.getCheckDigit())); // assertion fails
}

Should some additional verification of the check digits be added to Iban.isValid() method?
@edgeofoblivion
Copy link
Author

Apache Commons IBANCheckDigit class has an isValid method which simply first verifies the supplied iban has a check digit in the 02 - 98 range before then performing the modulus check.

@marcwrobel marcwrobel self-assigned this Jul 25, 2021
@marcwrobel marcwrobel added the bug label Jul 25, 2021
@marcwrobel marcwrobel added this to the 3.1.1 milestone Jul 25, 2021
marcwrobel added a commit that referenced this issue Aug 8, 2021
@marcwrobel
Fix IBAN check digit and creditor identifier validation (#82)
6bbeaac 
Validation of IBANs and creditor identifiers with a check digit equals to 00, 01 or 99 will now raise an IllegalArgumentException instead of just being considered invalid. Such check digits are indeed not valid.
marcwrobel added a commit that referenced this issue Aug 8, 2021
@marcwrobel
Fix IBAN check digit and creditor identifier validation (#82)
0a56d50 
Validation of IBANs and creditor identifiers with a check digit equals to 00, 01 or 99 will now raise an IllegalArgumentException instead of just being considered invalid. Such check digits are indeed not valid.
marcwrobel added a commit that referenced this issue Aug 8, 2021
@marcwrobel
Fix IBAN check digit and creditor identifier validation (#82)
7797269 
Validation of IBANs and creditor identifiers with a check digit equals to 00, 01 or 99 will now raise an IllegalArgumentException instead of just being considered invalid. Such check digits are indeed not valid.
marcwrobel added a commit that referenced this issue Aug 8, 2021
@marcwrobel
Fix IBAN check digit and creditor identifier validation (#82)
b195c20 
Validation of IBANs and creditor identifiers with a check digit equals to 00, 01 or 99 will now raise an IllegalArgumentException instead of just being considered invalid. Such check digits are indeed not valid.
@marcwrobel
Copy link
Owner

Thank you @edgeofoblivion for your report. The bug has been fixed and a new release of jbanking will be released today.

@marcwrobel marcwrobel linked a pull request Aug 8, 2021 that will close this issue
Fix IBAN check digit and creditor identifier validation (#82) #83
Merged
@marcwrobel marcwrobel removed their assignment Jun 30, 2022
@marcwrobel marcwrobel mentioned this issue Sep 7, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
3.1.1
Development

Successfully merging a pull request may close this issue.

Fix IBAN check digit and creditor identifier validation (#82) marcwrobel/jbanking
2 participants
@edgeofoblivion @marcwrobel