Validate checksum HTTP responses and hex input

`Checksum.fromUri()` did not check the HTTP response status before
parsing the body as hex. When a proxy, CDN, or missing endpoint
returned an HTML/XML error page, `fromHex()` threw a cryptic
`NumberFormatException: For input string: "<?"`.

- Check `response.isSuccessful()` in `fromUri()` before parsing
- Trim response body to handle trailing newlines in checksum files
- Validate hex characters in `fromHex()` with a clear error message
- Catch failures in `DistributionInfos.fetchChecksum()` and return
  null so the recipe proceeds without checksum verification

Fixes #6762

Author: Tim te Beek

rewrite-core/src/main/java/org/openrewrite/Checksum.java

@@ -25,6 +25,7 @@
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.UncheckedIOException;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
@@ -53,6 +54,15 @@ public static Checksum fromHex(String algorithm, String hex) {
         if (hex.length() % 2 != 0) {
             throw new IllegalArgumentException("Hex string must contain a set of hex pairs (length divisible by 2).");
         }
+        for (int i = 0; i < hex.length(); i++) {
+            char c = hex.charAt(i);
+            if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F'))) {
+                throw new IllegalArgumentException(
+                        "Input is not valid hexadecimal at position " + i + ": '" +
+                        hex.substring(0, Math.min(hex.length(), 40)) +
+                        (hex.length() > 40 ? "..." : "") + "'");
+            }
+        }
 
         byte[] value = new byte[hex.length() / 2];
         for (int i = 0; i < value.length; i++) {
@@ -83,7 +93,11 @@ public static Checksum fromUri(HttpSender httpSender, URI uri, String algorithm)
                 .withMethod(HttpSender.Method.GET)
                 .build();
         try (HttpSender.Response response = httpSender.send(request)) {
-            String hexString = new String(response.getBodyAsBytes(), StandardCharsets.UTF_8);
+            if (!response.isSuccessful()) {
+                throw new UncheckedIOException(new IOException(
+                        "Failed to download checksum from " + uri + ": HTTP " + response.getCode()));
+            }
+            String hexString = new String(response.getBodyAsBytes(), StandardCharsets.UTF_8).trim();
             return Checksum.fromHex(algorithm, hexString);
         }
     }

rewrite-core/src/test/java/org/openrewrite/ChecksumTest.java

@@ -36,7 +36,7 @@ void fromHexWithValidInput() {
 
     @Test
     void fromHexRejectsNonHexInput() {
-        assertThatThrownBy(() -> Checksum.fromHex("SHA-256", "<?xml version"))
+        assertThatThrownBy(() -> Checksum.fromHex("SHA-256", "<?"))
                 .isInstanceOf(IllegalArgumentException.class)
                 .hasMessageContaining("not valid hexadecimal");
     }

rewrite-gradle/src/main/java/org/openrewrite/gradle/util/DistributionInfos.java

@@ -23,6 +23,7 @@
 import org.openrewrite.ipc.http.HttpSender;
 
 import java.io.IOException;
+import java.io.UncheckedIOException;
 import java.net.URI;
 
 @Value
@@ -47,7 +48,12 @@ public static DistributionInfos fetch(GradleWrapper.GradleVersion gradleVersion,
         return new DistributionInfos(gradleVersion.getDownloadUrl(), checksum, jarChecksum);
     }
 
+    @Nullable
     private static Checksum fetchChecksum(HttpSender httpSender, String checksumUrl) {
-        return Checksum.fromUri(httpSender, URI.create(checksumUrl));
+        try {
+            return Checksum.fromUri(httpSender, URI.create(checksumUrl));
+        } catch (UncheckedIOException | IllegalArgumentException e) {
+            return null;
+        }
     }
 }