Skip to content

Fix: anchor MasterCard credit-card pattern (missing ^ regressed in 94a79c033)#1774

Merged
henriquemoody merged 2 commits into
Respect:3.1from
nikkoenggaliano:patch-1
Jun 2, 2026
Merged

Fix: anchor MasterCard credit-card pattern (missing ^ regressed in 94a79c033)#1774
henriquemoody merged 2 commits into
Respect:3.1from
nikkoenggaliano:patch-1

Conversation

@nikkoenggaliano

Copy link
Copy Markdown
Contributor

The MasterCard entry in CreditCard's BRAND_REGEX_LIST is the only one of the eight brand patterns missing a leading ^ anchor. Because of this, v::creditCard('MasterCard') accepts inputs that are not valid MasterCard numbers specifically, Luhn-valid digit strings longer than 16 digits whose trailing 16 digits match the MasterCard pattern.

use Respect\Validation\Validator as v;

// 16-digit MasterCard from the docs — correctly accepted
var_dump(v::creditCard('MasterCard')->isValid('5376747397208720')); // true (OK)

// 17-digit, Luhn-valid, NOT a MasterCard — wrongly accepted today
var_dump(v::creditCard('MasterCard')->isValid('05105105105105100')); // true (BUG; should be false and rejected? No?)

Self-contained demonstration (no Composer needed), mirroring evaluate() +
Luhn::isValid() and using the verbatim shipped regex:

input                | luhn  | shipped  | fixed   | expectation
--------------------------------------------------------------------------------
5376747397208720     | pass  | ACCEPT   | ACCEPT  | valid 16-digit MasterCard -> must ACCEPT
05105105105105100    | pass  | ACCEPT   | reject  | INVALID 17-digit number   -> must REJECT

Fix

- self::MASTERCARD => '/(5[1-5]|2[2-7])\d{14}$/',
+ self::MASTERCARD => '/^(5[1-5]|2[2-7])\d{14}$/',

Regression test

Add to providerForInvalidInput() in tests/unit/Validators/CreditCardTest.php (alongside the other $masternegatives):

[$master, '05105105105105100'], // 17-digit (over-long): regression for missing ^ anchor

The `MasterCard` entry in `CreditCard`'s `BRAND_REGEX_LIST` is the only one of
the eight brand patterns missing a leading `^` anchor. Because of this,
`v::creditCard('MasterCard')` accepts inputs that are **not** valid MasterCard
numbers specifically, Luhn-valid digit strings **longer than 16 digits**
whose trailing 16 digits match the MasterCard pattern.
@codecov

codecov Bot commented May 30, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.41%. Comparing base (7d833fb) to head (9b97868).

Additional details and impacted files
@@            Coverage Diff            @@
##                3.1    #1774   +/-   ##
=========================================
  Coverage     99.41%   99.41%           
  Complexity     1020     1020           
=========================================
  Files           194      194           
  Lines          2387     2387           
=========================================
  Hits           2373     2373           
  Misses           14       14           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@henriquemoody

Copy link
Copy Markdown
Member

Hey @nikkoenggaliano! Great catch!

Could you add a test so we can ensure we won't have that issue again? As soon as you write them I can merge and release a PATCH version.

Adds an over-long (17-digit) Luhn-valid number to providerForInvalidInput.
This input is wrongly accepted by the pre-fix unanchored regex and correctly
rejected once the leading ^ anchor is present, guarding against the regression.
@henriquemoody henriquemoody merged commit 5750941 into Respect:3.1 Jun 2, 2026
7 checks passed
@henriquemoody

Copy link
Copy Markdown
Member

Thanks for contributing, @nikkoenggaliano!

Version 3.1.2 is been released and it contains your fix

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants