[SECURITY]Implement EY recommendations

app/elastic/parsers/siren.py

@@ -3,12 +3,11 @@
 
 def is_siren(query_string: str) -> bool:
     """
-    Check if string is siren (composed of 9 digits).
+    Check if string is siren (composed of exactly 9 digits).
     """
-    if query_string is None:
+
+    if query_string is None or not isinstance(query_string, str):
         return False
     clean_query_string = query_string.replace(" ", "")
-    siren_valides = r"\b\d{9}\b"
-    if re.search(siren_valides, clean_query_string):
-        return True
-    return False
+    # Using regular expression to check for exactly 9 digits
+    return bool(re.fullmatch(r"^\d{9}$", clean_query_string))

app/elastic/parsers/siret.py

@@ -5,10 +5,8 @@ def is_siret(query_string: str) -> bool:
     """
     Check if string is siret (composed of 14 digits).
     """
-    if query_string is None:
+    if query_string is None or not isinstance(query_string, str):
         return False
     clean_query_string = query_string.replace(" ", "")
-    siret_valides = r"\b\d{14}\b"
-    if re.search(siret_valides, clean_query_string):
-        return True
-    return False
+    # Using regular expression to check for exactly 14 digits
+    return bool(re.fullmatch(r"^\d{14}$", clean_query_string))

app/tests/unit_tests/test_siren.py

@@ -0,0 +1,28 @@
+from app.elastic.parsers.siren import is_siren
+
+
+def test_valid_siren():
+    assert is_siren("123456789")
+    assert is_siren(" 123456789 ")  # Leading/trailing spaces
+
+
+def test_invalid_siren_length():
+    assert not is_siren("12345678")  # Too short
+    assert not is_siren("1234567890")  # Too long
+
+
+def test_invalid_siren_characters():
+    assert not is_siren("12345678a")  # Contains a letter
+    assert not is_siren("12345678!")  # Contains a special character
+
+
+def test_none_and_non_string_inputs():
+    assert not is_siren(None)
+    assert not is_siren(123456789)  # Integer input
+    assert not is_siren([])  # List input
+    assert not is_siren({})  # Dictionary input
+
+
+def test_sql_injection():
+    assert not is_siren("123456789; DROP TABLE users;")  # SQL injection attempt
+    assert not is_siren("' OR '1'='1")  # Common SQL injection pattern

app/tests/unit_tests/test_siret.py

@@ -0,0 +1,28 @@
+from app.elastic.parsers.siret import is_siret
+
+
+def test_valid_siret():
+    assert is_siret("12345678901234")  # Valid SIRET number
+    assert is_siret(" 12345678901234 ")  # Valid SIRET number with spaces
+
+
+def test_invalid_siret_length():
+    assert not is_siret("1234567890123")  # Too short
+    assert not is_siret("123456789012345")  # Too long
+
+
+def test_invalid_siret_characters():
+    assert not is_siret("1234567890123a")  # Contains a letter
+    assert not is_siret("1234567890123!")  # Contains a special character
+
+
+def test_none_and_non_string_inputs():
+    assert not is_siret(None)
+    assert not is_siret(12345678901234)
+    assert not is_siret([])
+    assert not is_siret({})
+
+
+def test_siret_with_spaces():
+    assert is_siret("1234 5678 9012 34")  # Valid SIRET number with spaces
+    assert not is_siret("1234 5678 9012 3a")  # Invalid due to letter