Only calculate hex string for valid HTTP responses (#6763)

timtebeek · Tim te Beek · web-flow · commit 37aca85c4a03 · 2026-02-18T13:09:59.000+01:00
* Add tests for Checksum hex validation and HTTP error handling * Validate checksum HTTP responses and hex input `Checksum.fromUri()` did not check the HTTP response status before parsing the body as hex. When a proxy, CDN, or missing endpoint returned an HTML/XML error page, `fromHex()` threw a cryptic `NumberFormatException: For input string: "<?"`. - Check `response.isSuccessful()` in `fromUri()` before parsing - Trim response body to handle trailing newlines in checksum files - Validate hex characters in `fromHex()` with a clear error message - Catch failures in `DistributionInfos.fetchChecksum()` and return null so the recipe proceeds without checksum verification Fixes #6762 * Minimize API changes * Remove unused import --------- Co-authored-by: Tim te Beek <tim@mac.home>
diff --git a/rewrite-core/src/main/java/org/openrewrite/Checksum.java b/rewrite-core/src/main/java/org/openrewrite/Checksum.java
@@ -25,6 +25,7 @@
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.UncheckedIOException;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
@@ -83,6 +84,10 @@ public static Checksum fromUri(HttpSender httpSender, URI uri, String algorithm)
                 .withMethod(HttpSender.Method.GET)
                 .build();
         try (HttpSender.Response response = httpSender.send(request)) {
+            if (!response.isSuccessful()) {
+                throw new UncheckedIOException(new IOException(
+                        "Failed to download checksum from " + uri + ": HTTP " + response.getCode()));
+            }
             String hexString = new String(response.getBodyAsBytes(), StandardCharsets.UTF_8);
             return Checksum.fromHex(algorithm, hexString);
         }
diff --git a/rewrite-core/src/test/java/org/openrewrite/ChecksumTest.java b/rewrite-core/src/test/java/org/openrewrite/ChecksumTest.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2025 the original author or authors.
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * https://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.openrewrite;
+
+import org.junit.jupiter.api.Test;
+import org.openrewrite.ipc.http.HttpSender;
+
+import java.io.ByteArrayInputStream;
+import java.io.UncheckedIOException;
+import java.net.URI;
+import java.nio.charset.StandardCharsets;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+class ChecksumTest {
+
+    @Test
+    void fromHexWithValidInput() {
+        Checksum checksum = Checksum.fromHex("SHA-256", "abcdef01");
+        assertThat(checksum.getHexValue()).isEqualTo("abcdef01");
+    }
+
+    @Test
+    void fromUriRejectsNonSuccessfulResponse() {
+        HttpSender httpSender = request -> new HttpSender.Response(
+          403,
+          new ByteArrayInputStream("<?xml version=\"1.0\"?>".getBytes(StandardCharsets.UTF_8)),
+          () -> {
+          });
+
+        assertThatThrownBy(() -> Checksum.fromUri(httpSender, URI.create("https://example.com/checksum.sha256")))
+          .isInstanceOf(UncheckedIOException.class)
+          .hasMessageContaining("403");
+    }
+}
