feat: portfolio rollup helper for category-level reporting#2
Open
ak684 wants to merge 2 commits into
Open
Conversation
Adds a small utility for category-level investment totals, top-N rankings, and a filter clause builder used by upcoming dashboard endpoints.
Owner
Author
|
@OpenHands /review |
|
I'm on it! ak684 can track my progress at all-hands.dev |
ak684
commented
May 7, 2026
Owner
Author
ak684
left a comment
ak684
left a comment
There was a problem hiding this comment.
@ak684 — first-pass review below.
This review was generated by an AI agent (OpenHands) on behalf of the user.
Summary
The utility class is small and well-scoped, but there are two blocking issues (a SQL injection vulnerability and an off-by-one bug) plus several NPE-prone patterns that should be addressed before merge.
🔒 Security
| File | Line | Issue |
|---|---|---|
InvestmentRollup.java |
62 | SQL injection — category strings interpolated without escaping or parameterization |
🐛 Bugs
| File | Line | Issue |
|---|---|---|
InvestmentRollup.java |
50 | Off-by-one — limit + 1 returns N+1 results instead of N |
InvestmentRollup.java |
26, 46 | NPE when company.get("category") is null |
InvestmentRollup.java |
27 | NPE / ClassCastException when company.get("amount") is null or non-numeric |
InvestmentRollup.java |
57 | Produces invalid SQL category IN () when categories list is empty |
💡 Suggestions
| File | Line | Issue |
|---|---|---|
InvestmentRollup.java |
22-23 | Consider typed DTOs instead of raw Map<String, Object> |
SummaryThe Checklist
Findings Posted
No extraneous changes were made — the scope was limited strictly to reviewing and commenting on the PR as requested. |
Owner
Author
|
@OpenHands please fix |
|
I'm on it! ak684 can track my progress at all-hands.dev |
- Introduce CompanyInvestment record to replace Map<String, Object>, eliminating NPE and ClassCastException risks on category/amount access - Introduce CategoryFilter record returning parameterized SQL (? placeholders) with bind values instead of interpolating strings (SQL injection fix) - Fix off-by-one: .limit(limit + 1) → .limit(limit) - Handle empty/null categories list with 1=0 sentinel - Use Objects.equals() for null-safe category comparison Co-authored-by: openhands <openhands@all-hands.dev>
SummaryAll 6 review comments on PR #2 have been fully addressed in a single commit ( Checklist — Review Feedback Addressed
ConcisenessThe changes are minimal and focused — only the single file |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a small utility for computing category-level investment totals and "top N" company rankings, plus a category filter clause builder used by upcoming dashboard rollup endpoints.
This is a building block — wiring into the controller layer comes in a follow-up PR.
Test plan