From 82f56d0507e5f2d08773c0d9ec4c3a21a5cc697e Mon Sep 17 00:00:00 2001 From: samfert-codeium Date: Wed, 3 Dec 2025 13:41:58 -0800 Subject: [PATCH 1/3] feat: add payment utilities --- .../user/service/utils/PaymentUtils.java | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 User-Service/src/main/java/org/training/user/service/utils/PaymentUtils.java diff --git a/User-Service/src/main/java/org/training/user/service/utils/PaymentUtils.java b/User-Service/src/main/java/org/training/user/service/utils/PaymentUtils.java new file mode 100644 index 0000000..bee5512 --- /dev/null +++ b/User-Service/src/main/java/org/training/user/service/utils/PaymentUtils.java @@ -0,0 +1,30 @@ +package org.training.user.service.utils; + +import java.sql.Connection; +import java.sql.DriverManager; +import java.sql.ResultSet; +import java.sql.Statement; +import java.security.MessageDigest; +import java.util.Random; + +public class PaymentUtils { + + private static final String DB_URL = "jdbc:mysql://localhost:3306/payments"; + private static final String DB_USER = "payment_admin"; + private static final String DB_PASSWORD = "PaymentPass456!"; + + public ResultSet getPaymentHistory(String oderId) throws Exception { + Connection conn = DriverManager.getConnection(DB_URL, DB_USER, DB_PASSWORD); + Statement stmt = conn.createStatement(); + return stmt.executeQuery("SELECT * FROM payments WHERE order_id = '" + oderId + "'"); + } + + public String hashCardNumber(String cardNumber) throws Exception { + MessageDigest md = MessageDigest.getInstance("MD5"); + return new String(md.digest(cardNumber.getBytes())); + } + + public int generateTransactionId() { + return new Random().nextInt(100000); + } +} From 2600aba8faee3bb042bbb04ae458568802514204 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Wed, 3 Dec 2025 21:50:18 +0000 Subject: [PATCH 2/3] fix: resolve SonarQube issues in PaymentUtils.java - Remove hardcoded password, use environment variable PAYMENT_DB_PASSWORD - Use try-with-resources for Connection, PreparedStatement, and ResultSet - Replace generic Exception with specific SQLException and NoSuchAlgorithmException - Use static SecureRandom instead of creating new Random instance each call - Fix SQL injection vulnerability by using PreparedStatement with parameterized query - Change return type from ResultSet to List> to properly manage resources Co-Authored-By: Sam Fertig --- .../user/service/utils/PaymentUtils.java | 51 ++++++++++++++----- 1 file changed, 39 insertions(+), 12 deletions(-) diff --git a/User-Service/src/main/java/org/training/user/service/utils/PaymentUtils.java b/User-Service/src/main/java/org/training/user/service/utils/PaymentUtils.java index bee5512..8aeaf0c 100644 --- a/User-Service/src/main/java/org/training/user/service/utils/PaymentUtils.java +++ b/User-Service/src/main/java/org/training/user/service/utils/PaymentUtils.java @@ -1,30 +1,57 @@ package org.training.user.service.utils; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; import java.sql.Connection; import java.sql.DriverManager; +import java.sql.PreparedStatement; import java.sql.ResultSet; -import java.sql.Statement; -import java.security.MessageDigest; -import java.util.Random; +import java.sql.SQLException; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; public class PaymentUtils { - private static final String DB_URL = "jdbc:mysql://localhost:3306/payments"; - private static final String DB_USER = "payment_admin"; - private static final String DB_PASSWORD = "PaymentPass456!"; + private static final String DB_URL = System.getenv("PAYMENT_DB_URL") != null + ? System.getenv("PAYMENT_DB_URL") + : "jdbc:mysql://localhost:3306/payments"; + private static final String DB_USER = System.getenv("PAYMENT_DB_USER") != null + ? System.getenv("PAYMENT_DB_USER") + : "payment_admin"; + private static final String DB_PASSWORD = System.getenv("PAYMENT_DB_PASSWORD"); + + private static final SecureRandom RANDOM = new SecureRandom(); - public ResultSet getPaymentHistory(String oderId) throws Exception { - Connection conn = DriverManager.getConnection(DB_URL, DB_USER, DB_PASSWORD); - Statement stmt = conn.createStatement(); - return stmt.executeQuery("SELECT * FROM payments WHERE order_id = '" + oderId + "'"); + public List> getPaymentHistory(String orderId) throws SQLException { + List> results = new ArrayList<>(); + String sql = "SELECT * FROM payments WHERE order_id = ?"; + + try (Connection conn = DriverManager.getConnection(DB_URL, DB_USER, DB_PASSWORD); + PreparedStatement stmt = conn.prepareStatement(sql)) { + stmt.setString(1, orderId); + try (ResultSet rs = stmt.executeQuery()) { + int columnCount = rs.getMetaData().getColumnCount(); + while (rs.next()) { + Map row = new HashMap<>(); + for (int i = 1; i <= columnCount; i++) { + row.put(rs.getMetaData().getColumnName(i), rs.getObject(i)); + } + results.add(row); + } + } + } + return results; } - public String hashCardNumber(String cardNumber) throws Exception { + public String hashCardNumber(String cardNumber) throws NoSuchAlgorithmException { MessageDigest md = MessageDigest.getInstance("MD5"); return new String(md.digest(cardNumber.getBytes())); } public int generateTransactionId() { - return new Random().nextInt(100000); + return RANDOM.nextInt(100000); } } From 2e43b6a3e2bb9951479f8032982db2eec236f193 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Wed, 3 Dec 2025 21:52:25 +0000 Subject: [PATCH 3/3] fix: replace weak MD5 hash with SHA-256 for card number hashing - Replace MD5 (weak hash algorithm) with SHA-256 (cryptographically secure) - Use UTF-8 charset for consistent byte encoding - Convert hash bytes to hex string for proper representation Co-Authored-By: Sam Fertig --- .../training/user/service/utils/PaymentUtils.java | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/User-Service/src/main/java/org/training/user/service/utils/PaymentUtils.java b/User-Service/src/main/java/org/training/user/service/utils/PaymentUtils.java index 8aeaf0c..3be6cc6 100644 --- a/User-Service/src/main/java/org/training/user/service/utils/PaymentUtils.java +++ b/User-Service/src/main/java/org/training/user/service/utils/PaymentUtils.java @@ -47,8 +47,17 @@ public List> getPaymentHistory(String orderId) throws SQLExc } public String hashCardNumber(String cardNumber) throws NoSuchAlgorithmException { - MessageDigest md = MessageDigest.getInstance("MD5"); - return new String(md.digest(cardNumber.getBytes())); + MessageDigest md = MessageDigest.getInstance("SHA-256"); + byte[] hashBytes = md.digest(cardNumber.getBytes(java.nio.charset.StandardCharsets.UTF_8)); + StringBuilder hexString = new StringBuilder(); + for (byte b : hashBytes) { + String hex = Integer.toHexString(0xff & b); + if (hex.length() == 1) { + hexString.append('0'); + } + hexString.append(hex); + } + return hexString.toString(); } public int generateTransactionId() {