From ff4cdfedba8073242b74627b7e01d85855b136df Mon Sep 17 00:00:00 2001 From: Sarhan Aissi Date: Thu, 17 Feb 2022 06:53:45 +0100 Subject: [PATCH 1/4] docs: add a security policy (#1861) --- README.md | 9 ++++++++- SECURITY.md | 11 +++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index 0d2ed2bce..0d7f6a949 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,8 @@ [![Downloads][downloads-image]][npm-url] [![Backers on Open Collective](https://opencollective.com/validatorjs/backers/badge.svg)](#backers) [![Sponsors on Open Collective](https://opencollective.com/validatorjs/sponsors/badge.svg)](#sponsors) -[![Gitter](https://badges.gitter.im/validatorjs/community.svg)](https://gitter.im/validatorjs/community) +[![Gitter][gitter-image]][gitter-url] +[![Disclose a vulnerability][huntr-image]][huntr-url] A library of string validators and sanitizers. @@ -267,6 +268,12 @@ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. [ci-url]: https://github.com/validatorjs/validator.js/actions?query=workflow%3ACI [ci-image]: https://github.com/validatorjs/validator.js/workflows/CI/badge.svg?branch=master +[gitter-url]: https://gitter.im/validatorjs/community +[gitter-image]: https://badges.gitter.im/validatorjs/community.svg + +[huntr-url]: https://huntr.dev/bounties/disclose/?target=https://github.com/validatorjs/validator.js +[huntr-image]: https://cdn.huntr.dev/huntr_security_badge_mono.svg + [amd]: http://requirejs.org/docs/whyamd.html [bower]: http://bower.io/ diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..72592f135 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,11 @@ +# Security Policy + +## Supported Versions + +In the case of a confirmed security issue, only the current version of validator is guaranteed to be patched. + +## Reporting a Vulnerability + +**Please don't disclose security-related issues publicly.** + +If you discover a vulnerability within validator, please use [huntr.dev disclosure form](https://huntr.dev/bounties/disclose/?target=https://github.com/validatorjs/validator.js). We will try to validate and respond to reports in a reasonable time. if the issue is confirmed, we will create a security advisory and a patch as soon as possible. \ No newline at end of file From 2fad8ab4dcbd53f21847dd95fe9294ea4c222498 Mon Sep 17 00:00:00 2001 From: Axel Elmarsson <33149910+elmaxe@users.noreply.github.com> Date: Thu, 17 Feb 2022 06:54:56 +0100 Subject: [PATCH 2/4] feat(isLicensePlate): add support for Swedish license plates (#1665) * feat: add support for Swedish license plates * feat: allow spaces * fix(docs): sort alphabetically * fix(isLicensePlate): Trim, disallow 0 and fix regex --- README.md | 2 +- src/lib/isLicensePlate.js | 2 ++ test/validators.js | 38 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 41 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 0d7f6a949..2378c3d87 100644 --- a/README.md +++ b/README.md @@ -140,7 +140,7 @@ Validator | Description **isJWT(str)** | check if the string is valid JWT token. **isLatLong(str [, options])** | check if the string is a valid latitude-longitude coordinate in the format `lat,long` or `lat, long`.

`options` is an object that defaults to `{ checkDMS: false }`. Pass `checkDMS` as `true` to validate DMS(degrees, minutes, and seconds) latitude-longitude format. **isLength(str [, options])** | check if the string's length falls in a range.

`options` is an object which defaults to `{min:0, max: undefined}`. Note: this function takes into account surrogate pairs. -**isLicensePlate(str [, locale])** | check if string matches the format of a country's license plate.

(locale is one of `['cs-CZ', 'de-DE', 'de-LI', 'fi-FI', pt-PT', 'sq-AL', 'pt-BR']` or `any`) +**isLicensePlate(str [, locale])** | check if string matches the format of a country's license plate.

(locale is one of `['cs-CZ', 'de-DE', 'de-LI', 'fi-FI', 'pt-BR', 'pt-PT', 'sq-AL', 'sv-SE']` or `any`) **isLocale(str)** | check if the string is a locale **isLowercase(str)** | check if the string is lowercase. **isMACAddress(str [, options])** | check if the string is a MAC address.

`options` is an object which defaults to `{no_separators: false}`. If `no_separators` is true, the validator will allow MAC addresses without separators. Also, it allows the use of hyphens, spaces or dots e.g '01 02 03 04 05 ab', '01-02-03-04-05-ab' or '0102.0304.05ab'. The options also allow a `eui` property to specify if it needs to be validated against EUI-48 or EUI-64. The accepted values of `eui` are: 48, 64. diff --git a/src/lib/isLicensePlate.js b/src/lib/isLicensePlate.js index d6b27a5ad..668064f13 100644 --- a/src/lib/isLicensePlate.js +++ b/src/lib/isLicensePlate.js @@ -13,6 +13,8 @@ const validators = { /^[A-Z]{2}[- ]?((\d{3}[- ]?(([A-Z]{2})|T))|(R[- ]?\d{3}))$/.test(str), 'pt-BR': str => /^[A-Z]{3}[ -]?[0-9][A-Z][0-9]{2}|[A-Z]{3}[ -]?[0-9]{4}$/.test(str), + 'sv-SE': str => + /^[A-HJ-PR-UW-Z]{3} ?[\d]{2}[A-HJ-PR-UW-Z1-9]$|(^[A-ZÅÄÖ ]{2,7}$)/.test(str.trim()), }; export default function isLicensePlate(str, locale) { diff --git a/test/validators.js b/test/validators.js index 76ec3d95a..be8a4df60 100644 --- a/test/validators.js +++ b/test/validators.js @@ -11767,6 +11767,44 @@ describe('Validators', () => { 'FS AB 1234 A', ], }); + test({ + validator: 'isLicensePlate', + args: ['sv-SE'], + valid: [ + 'ABC 123', + 'ABC 12A', + 'ABC123', + 'ABC12A', + 'A WORD', + 'WORD', + 'ÅSNA', + 'EN VARG', + 'CERISE', + 'AA', + 'ABCDEFG', + 'ÅÄÖ', + 'ÅÄÖ ÅÄÖ', + ], + invalid: [ + '', + ' ', + 'IQV 123', + 'IQV123', + 'ABI 12Q', + 'ÅÄÖ 123', + 'ÅÄÖ 12A', + 'AB1 A23', + 'AB1 12A', + 'lower', + 'abc 123', + 'abc 12A', + 'abc 12a', + 'AbC 12a', + 'WORDLONGERTHANSEVENCHARACTERS', + 'A', + 'ABC-123', + ], + }); }); it('should validate VAT numbers', () => { test({ From 4ee165580fc37627a4dffdea1d026acb4b8c6e4c Mon Sep 17 00:00:00 2001 From: "Serhii [boonya] Buinytskyi" <779184+boonya@users.noreply.github.com> Date: Thu, 17 Feb 2022 07:56:35 +0200 Subject: [PATCH 3/4] feat(isTaxID): Canadian Social Insurance Number (SIN) validator (#1867) * Additional test cases for isPostalCode validator CA, PL, UA * [The Social Insurance Number (SIN)](https://www.canada.ca/en/employment-social-development/services/sin.html) * Function docstring corrected * Canadian SIN is a part of general TaxID validator * Redundant line of code + test fixed * Valid ISO 639-1 + ISO 3166-1 alpha 2 locale --- README.md | 4 ++-- src/lib/isTaxID.js | 38 +++++++++++++++++++++++++---- test/validators.js | 59 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 95 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 2378c3d87..321f7122e 100644 --- a/README.md +++ b/README.md @@ -110,7 +110,7 @@ Validator | Description **isDecimal(str [, options])** | check if the string represents a decimal number, such as 0.1, .3, 1.1, 1.00003, 4.0, etc.

`options` is an object which defaults to `{force_decimal: false, decimal_digits: '1,', locale: 'en-US'}`

`locale` determine the decimal separator and is one of `['ar', 'ar-AE', 'ar-BH', 'ar-DZ', 'ar-EG', 'ar-IQ', 'ar-JO', 'ar-KW', 'ar-LB', 'ar-LY', 'ar-MA', 'ar-QA', 'ar-QM', 'ar-SA', 'ar-SD', 'ar-SY', 'ar-TN', 'ar-YE', 'bg-BG', 'cs-CZ', 'da-DK', 'de-DE', 'el-GR', 'en-AU', 'en-GB', 'en-HK', 'en-IN', 'en-NZ', 'en-US', 'en-ZA', 'en-ZM', 'es-ES', 'fa', 'fa-AF', 'fa-IR', 'fr-FR', 'fr-CA', 'hu-HU', 'id-ID', 'it-IT', 'ku-IQ', 'nb-NO', 'nl-NL', 'nn-NO', 'pl-PL', 'pl-Pl', 'pt-BR', 'pt-PT', 'ru-RU', 'sl-SI', 'sr-RS', 'sr-RS@latin', 'sv-SE', 'tr-TR', 'uk-UA', 'vi-VN']`.
**Note:** `decimal_digits` is given as a range like '1,3', a specific value like '3' or min like '1,'. **isDivisibleBy(str, number)** | check if the string is a number that's divisible by another. **isEAN(str)** | check if the string is an EAN (European Article Number). -**isEmail(str [, options])** | check if the string is an email.

`options` is an object which defaults to `{ allow_display_name: false, require_display_name: false, allow_utf8_local_part: true, require_tld: true, allow_ip_domain: false, domain_specific_validation: false, blacklisted_chars: '', host_blacklist: [] }`. If `allow_display_name` is set to true, the validator will also match `Display Name `. If `require_display_name` is set to true, the validator will reject strings without the format `Display Name `. If `allow_utf8_local_part` is set to false, the validator will not allow any non-English UTF8 character in email address' local part. If `require_tld` is set to false, e-mail addresses without having TLD in their domain will also be matched. If `ignore_max_length` is set to true, the validator will not check for the standard max length of an email. If `allow_ip_domain` is set to true, the validator will allow IP addresses in the host part. If `domain_specific_validation` is true, some additional validation will be enabled, e.g. disallowing certain syntactically valid email addresses that are rejected by GMail. If `blacklisted_chars` receives a string, then the validator will reject emails that include any of the characters in the string, in the name part. If `host_blacklist` is set to an array of strings and the part of the email after the `@` symbol matches one of the strings defined in it, the validation fails. +**isEmail(str [, options])** | check if the string is an email.

`options` is an object which defaults to `{ allow_display_name: false, require_display_name: false, allow_utf8_local_part: true, require_tld: true, allow_ip_domain: false, domain_specific_validation: false, blacklisted_chars: '', host_blacklist: [] }`. If `allow_display_name` is set to true, the validator will also match `Display Name `. If `require_display_name` is set to true, the validator will reject strings without the format `Display Name `. If `allow_utf8_local_part` is set to false, the validator will not allow any non-English UTF8 character in email address' local part. If `require_tld` is set to false, e-mail addresses without having TLD in their domain will also be matched. If `ignore_max_length` is set to true, the validator will not check for the standard max length of an email. If `allow_ip_domain` is set to true, the validator will allow IP addresses in the host part. If `domain_specific_validation` is true, some additional validation will be enabled, e.g. disallowing certain syntactically valid email addresses that are rejected by GMail. If `blacklisted_chars` receives a string, then the validator will reject emails that include any of the characters in the string, in the name part. If `host_blacklist` is set to an array of strings and the part of the email after the `@` symbol matches one of the strings defined in it, the validation fails. **isEmpty(str [, options])** | check if the string has a length of zero.

`options` is an object which defaults to `{ ignore_whitespace:false }`. **isEthereumAddress(str)** | check if the string is an [Ethereum](https://ethereum.org/) address using basic regex. Does not validate address checksums. **isFloat(str [, options])** | check if the string is a float.

`options` is an object which can contain the keys `min`, `max`, `gt`, and/or `lt` to validate the float is within boundaries (e.g. `{ min: 7.22, max: 9.55 }`) it also has `locale` as an option.

`min` and `max` are equivalent to 'greater or equal' and 'less or equal', respectively while `gt` and `lt` are their strict counterparts.

`locale` determine the decimal separator and is one of `['ar', 'ar-AE', 'ar-BH', 'ar-DZ', 'ar-EG', 'ar-IQ', 'ar-JO', 'ar-KW', 'ar-LB', 'ar-LY', 'ar-MA', 'ar-QA', 'ar-QM', 'ar-SA', 'ar-SD', 'ar-SY', 'ar-TN', 'ar-YE', 'bg-BG', 'cs-CZ', 'da-DK', 'de-DE', 'en-AU', 'en-GB', 'en-HK', 'en-IN', 'en-NZ', 'en-US', 'en-ZA', 'en-ZM', 'es-ES', 'fr-CA', 'fr-FR', 'hu-HU', 'it-IT', 'nb-NO', 'nl-NL', 'nn-NO', 'pl-PL', 'pt-BR', 'pt-PT', 'ru-RU', 'sl-SI', 'sr-RS', 'sr-RS@latin', 'sv-SE', 'tr-TR', 'uk-UA']`. Locale list is `validator.isFloatLocales`. @@ -162,7 +162,7 @@ Validator | Description **isUppercase(str)** | check if the string is uppercase. **isSlug** | Check if the string is of type slug. `Options` allow a single hyphen between string. e.g. [`cn-cn`, `cn-c-c`] **isStrongPassword(str [, options])** | Check if a password is strong or not. Allows for custom requirements or scoring rules. If `returnScore` is true, then the function returns an integer score for the password rather than a boolean.
Default options:
`{ minLength: 8, minLowercase: 1, minUppercase: 1, minNumbers: 1, minSymbols: 1, returnScore: false, pointsPerUnique: 1, pointsPerRepeat: 0.5, pointsForContainingLower: 10, pointsForContainingUpper: 10, pointsForContainingNumber: 10, pointsForContainingSymbol: 10 }` -**isTaxID(str, locale)** | Check if the given value is a valid Tax Identification Number. Default locale is `en-US`.

More info about exact TIN support can be found in `src/lib/isTaxID.js`

Supported locales: `[ 'bg-BG', 'cs-CZ', 'de-AT', 'de-DE', 'dk-DK', 'el-CY', 'el-GR', 'en-GB', 'en-IE', 'en-US', 'es-ES', 'et-EE', 'fi-FI', 'fr-BE', 'fr-FR', 'fr-LU', 'hr-HR', 'hu-HU', 'it-IT', 'lb-LU', 'lt-LT', 'lv-LV' 'mt-MT', 'nl-BE', 'nl-NL', 'pl-PL', 'pt-BR', 'pt-PT', 'ro-RO', 'sk-SK', 'sl-SI', 'sv-SE' ]` +**isTaxID(str, locale)** | Check if the given value is a valid Tax Identification Number. Default locale is `en-US`.

More info about exact TIN support can be found in `src/lib/isTaxID.js`

Supported locales: `[ 'bg-BG', 'cs-CZ', 'de-AT', 'de-DE', 'dk-DK', 'el-CY', 'el-GR', 'en-CA', 'en-GB', 'en-IE', 'en-US', 'es-ES', 'et-EE', 'fi-FI', 'fr-BE', 'fr-CA', 'fr-FR', 'fr-LU', 'hr-HR', 'hu-HU', 'it-IT', 'lb-LU', 'lt-LT', 'lv-LV' 'mt-MT', 'nl-BE', 'nl-NL', 'pl-PL', 'pt-BR', 'pt-PT', 'ro-RO', 'sk-SK', 'sl-SI', 'sv-SE' ]` **isURL(str [, options])** | check if the string is an URL.

`options` is an object which defaults to `{ protocols: ['http','https','ftp'], require_tld: true, require_protocol: false, require_host: true, require_port: false, require_valid_protocol: true, allow_underscores: false, host_whitelist: false, host_blacklist: false, allow_trailing_dot: false, allow_protocol_relative_urls: false, allow_fragments: true, allow_query_components: true, disallow_auth: false, validate_length: true }`.

require_protocol - if set as true isURL will return false if protocol is not present in the URL.
require_valid_protocol - isURL will check if the URL's protocol is present in the protocols option.
protocols - valid protocols can be modified with this option.
require_host - if set as false isURL will not check if host is present in the URL.
require_port - if set as true isURL will check if port is present in the URL.
allow_protocol_relative_urls - if set as true protocol relative URLs will be allowed.
allow_fragments - if set as false isURL will return false if fragments are present.
allow_query_components - if set as false isURL will return false if query components are present.
validate_length - if set as false isURL will skip string length validation (2083 characters is IE max URL length). **isUUID(str [, version])** | check if the string is a UUID (version 1, 2, 3, 4 or 5). **isVariableWidth(str)** | check if the string contains a mixture of full and half-width chars. diff --git a/src/lib/isTaxID.js b/src/lib/isTaxID.js index ee66ca326..f43c61a15 100644 --- a/src/lib/isTaxID.js +++ b/src/lib/isTaxID.js @@ -60,6 +60,36 @@ function bgBgCheck(tin) { return checksum === digits[9]; } +/** + * Check if an input is a valid Canadian SIN (Social Insurance Number) + * + * The Social Insurance Number (SIN) is a 9 digit number that + * you need to work in Canada or to have access to government programs and benefits. + * + * https://en.wikipedia.org/wiki/Social_Insurance_Number + * https://www.canada.ca/en/employment-social-development/services/sin.html + * https://www.codercrunch.com/challenge/819302488/sin-validator + * + * @param {string} input + * @return {boolean} + */ +function isCanadianSIN(input) { + const digitsArray = input.split(''); + const even = digitsArray + .filter((_, idx) => idx % 2) + .map(i => Number(i) * 2) + .join('') + .split(''); + + const total = digitsArray + .filter((_, idx) => !(idx % 2)) + .concat(even) + .map(i => Number(i)) + .reduce((acc, cur) => acc + cur); + + return (total % 10 === 0); +} + /* * cs-CZ validation function * (Rodné číslo (RČ), persons only) @@ -1096,7 +1126,6 @@ function svSeCheck(tin) { * uppercase and lowercase letters are acceptable. */ const taxIdFormat = { - 'bg-BG': /^\d{10}$/, 'cs-CZ': /^\d{6}\/{0,1}\d{3,4}$/, 'de-AT': /^\d{9}$/, @@ -1104,6 +1133,7 @@ const taxIdFormat = { 'dk-DK': /^\d{6}-{0,1}\d{4}$/, 'el-CY': /^[09]\d{7}[A-Z]$/, 'el-GR': /^([0-4]|[7-9])\d{8}$/, + 'en-CA': /^\d{9}$/, 'en-GB': /^\d{10}$|^(?!GB|NK|TN|ZZ)(?![DFIQUV])[A-Z](?![DFIQUVO])[A-Z]\d{6}[ABCD ]$/i, 'en-IE': /^\d{7}[A-W][A-IW]{0,1}$/i, 'en-US': /^\d{2}[- ]{0,1}\d{7}$/, @@ -1126,16 +1156,15 @@ const taxIdFormat = { 'sk-SK': /^\d{6}\/{0,1}\d{3,4}$/, 'sl-SI': /^[1-9]\d{7}$/, 'sv-SE': /^(\d{6}[-+]{0,1}\d{4}|(18|19|20)\d{6}[-+]{0,1}\d{4})$/, - }; // taxIdFormat locale aliases taxIdFormat['lb-LU'] = taxIdFormat['fr-LU']; taxIdFormat['lt-LT'] = taxIdFormat['et-EE']; taxIdFormat['nl-BE'] = taxIdFormat['fr-BE']; +taxIdFormat['fr-CA'] = taxIdFormat['en-CA']; // Algorithmic tax id check functions for various locales const taxIdCheck = { - 'bg-BG': bgBgCheck, 'cs-CZ': csCzCheck, 'de-AT': deAtCheck, @@ -1143,6 +1172,7 @@ const taxIdCheck = { 'dk-DK': dkDkCheck, 'el-CY': elCyCheck, 'el-GR': elGrCheck, + 'en-CA': isCanadianSIN, 'en-IE': enIeCheck, 'en-US': enUsCheck, 'es-ES': esEsCheck, @@ -1164,12 +1194,12 @@ const taxIdCheck = { 'sk-SK': skSkCheck, 'sl-SI': slSiCheck, 'sv-SE': svSeCheck, - }; // taxIdCheck locale aliases taxIdCheck['lb-LU'] = taxIdCheck['fr-LU']; taxIdCheck['lt-LT'] = taxIdCheck['et-EE']; taxIdCheck['nl-BE'] = taxIdCheck['fr-BE']; +taxIdCheck['fr-CA'] = taxIdCheck['en-CA']; // Regexes for locales where characters should be omitted before checking format const allsymbols = /[-\\\/!@#$%\^&\*\(\)\+\=\[\]]+/g; diff --git a/test/validators.js b/test/validators.js index be8a4df60..61ffe09d9 100644 --- a/test/validators.js +++ b/test/validators.js @@ -10312,6 +10312,23 @@ describe('Validators', () => { 'A1A 1A1', 'X0A-0H0', 'V5K 0A1', + 'A1C 3S4', + 'A1C3S4', + 'a1c 3s4', + 'V9A 7N2', + 'B3K 5X5', + 'K8N 5W6', + 'K1A 0B1', + 'B1Z 0B9', + ], + invalid: [ + ' ', + 'invalid value', + 'a1a1a', + 'A1A 1A1', + 'K1A 0D1', + 'W1A 0B1', + 'Z1A 0B1', ], }, { @@ -10517,6 +10534,8 @@ describe('Validators', () => { '78-399', '39-490', '38-483', + '05-800', + '54-060', ], }, { @@ -10575,6 +10594,9 @@ describe('Validators', () => { '65000', '65080', '01000', + '51901', + '51909', + '49125', ], }, { @@ -10950,6 +10972,43 @@ describe('Validators', () => { '658426713', '558426713'], }); + test({ + validator: 'isTaxID', + args: ['en-CA'], + valid: [ + '000000000', + '521719666', + '469317481', + '120217450', + '480534858', + '325268597', + '336475660', + '744797853', + '130692544', + '046454286', + ], + invalid: [ + ' ', + 'any value', + '012345678', + '111111111', + '999999999', + '657449110', + '74 47 978 53', + '744 797 853', + '744-797-853', + '981062432', + '267500713', + '2675o0713', + '70597312', + '7058973122', + '069437151', + '046454281', + '146452286', + '30x92544', + '30692544', + ], + }); test({ validator: 'isTaxID', args: ['en-GB'], From c1b21a9c8c5e6bd1597e26354c829ad232251f12 Mon Sep 17 00:00:00 2001 From: Ezrqn Kemboi Date: Thu, 17 Feb 2022 09:02:32 +0300 Subject: [PATCH 4/4] chore(maintainers): update list of maintainers (#1887) --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 321f7122e..b2b6416ca 100644 --- a/README.md +++ b/README.md @@ -227,6 +227,8 @@ $ npm test - [chriso](https://github.com/chriso) - **Chris O'Hara** (author) - [profnandaa](https://github.com/profnandaa) - **Anthony Nandaa** +- [ezkemboi](https://github.com/ezkemboi) - **Ezrqn Kemboi** +- [tux-tn](https://github.com/tux-tn) - **Sarhan Aissi** ## Reading