Do not blindly accept just any month for CreditCard expiry

Fixes #4971
Passerby · Jul 17, 2014 · ef41f25 · ef41f25
1 parent 93d946a
commit ef41f25
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 3 deletions.
diff --git a/core/app/models/spree/credit_card.rb b/core/app/models/spree/credit_card.rb
@@ -126,9 +126,13 @@ def to_active_merchant
 
     def expiry_not_in_the_past
       if year.present? && month.present?
-        time = Time.zone.parse("#{year}-#{month}-1")
-        if time < Time.zone.now.to_time.beginning_of_month
-          errors.add(:base, :card_expired)
+        if month.to_i < 1 || month.to_i > 12
+          errors.add(:base, :expiry_invalid)
+        else
+          time = Time.zone.parse("#{year}-#{month}-1")
+          if time < Time.zone.now.to_time.beginning_of_month
+            errors.add(:base, :card_expired)
+          end
         end
       end
     end

diff --git a/core/config/locales/en.yml b/core/config/locales/en.yml
@@ -238,6 +238,7 @@ en:
           attributes:
             base:
               card_expired: "Card has expired"
+              expiry_invalid: "Card expiration is invalid"
         spree/line_item:
           attributes:
             currency:

diff --git a/core/spec/models/spree/credit_card_spec.rb b/core/spec/models/spree/credit_card_spec.rb
@@ -93,6 +93,14 @@ def stub_rails_env(environment)
       expect(credit_card).to have(1).error_on(:name)
     end
 
+    # Regression spec for #4971
+    it "should not bomb out when given an invalid expiry" do
+      credit_card.month = 13
+      credit_card.year = Time.now.year + 1
+      credit_card.should_not be_valid
+      credit_card.errors[:base].should == ["Card expiration is invalid"]
+    end
+
     it "should validate expiration is not in the past" do
       credit_card.month = 1.month.ago.month
       credit_card.year = 1.month.ago.year