package com.contrastsecurity.agent.plugins.rasp.rules.xxe;

import com.contrastsecurity.agent.A;
import com.contrastsecurity.agent.Sensor;
import com.contrastsecurity.agent.config.ConfigProperty;
import com.contrastsecurity.agent.http.HttpRequest;
import com.contrastsecurity.agent.instr.InstrumentationContext;
import com.contrastsecurity.agent.messages.app.activity.defend.AttackResult;
import com.contrastsecurity.agent.messages.app.activity.defend.details.ExternalEntityWrapperDTM;
import com.contrastsecurity.agent.messages.app.activity.defend.details.UserInputDTM;
import com.contrastsecurity.agent.messages.app.activity.defend.details.XMLMatchDTM;
import com.contrastsecurity.agent.plugins.rasp.AttackBlockedException;
import com.contrastsecurity.agent.plugins.rasp.InterfaceC0094d;
import com.contrastsecurity.agent.plugins.rasp.ProtectManager;
import com.contrastsecurity.agent.plugins.rasp.R;
import com.contrastsecurity.agent.plugins.rasp.X;
import com.contrastsecurity.agent.plugins.rasp.Z;
import com.contrastsecurity.agent.plugins.rasp.rules.l;
import com.contrastsecurity.agent.plugins.rasp.rules.xxe.a.a.a.b;
import com.contrastsecurity.agent.plugins.rasp.rules.xxe.a.a.a.c;
import com.contrastsecurity.agent.plugins.rasp.rules.xxe.c.b;
import com.contrastsecurity.agent.plugins.rasp.rules.xxe.c.c;
import com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.d;
import com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.e;
import com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.f;
import com.contrastsecurity.agent.util.E;
import com.contrastsecurity.agent.util.L;
import com.contrastsecurity.thirdparty.com.rabbitmq.client.ConnectionFactory;
import com.contrastsecurity.thirdparty.javax.inject.Inject;
import com.contrastsecurity.thirdparty.jregex.MatchIterator;
import com.contrastsecurity.thirdparty.jregex.MatchResult;
import com.contrastsecurity.thirdparty.jregex.Matcher;
import com.contrastsecurity.thirdparty.jregex.Pattern;
import com.contrastsecurity.thirdparty.jregex.WildcardPattern;
import com.contrastsecurity.thirdparty.org.apache.commons.lang.StringEscapeUtils;
import com.contrastsecurity.thirdparty.org.apache.commons.lang.StringUtils;
import com.contrastsecurity.thirdparty.org.objectweb.asm.ClassVisitor;
import com.contrastsecurity.thirdparty.org.slf4j.Logger;
import com.contrastsecurity.thirdparty.org.slf4j.LoggerFactory;
import java.io.InputStream;
import java.io.Reader;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import org.xml.sax.InputSource;

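/**
 * Protect (RASP) rule for XML External Entity (XXE) attacks.
 *
 * <p>The rule hooks several XML parser families through {@code @Sensor} callbacks
 * (Xerces document parsing, the JDK/Xerces StAX event allocator, Woodstox and IBM XLXP).
 * For each parser it keeps a context object ({@code e} or its subtype {@code d.g}) in the
 * per-request holder {@code R} under a parser-specific key ({@code c}, {@code k},
 * {@code b}, {@code l}), scans the DTD / prolog text for
 * {@code <!ENTITY name SYSTEM|PUBLIC ...>} declarations (see {@code b(e)}), and reports an
 * attack through the {@code InterfaceC0094d} sink when an external entity whose system id
 * looks suspicious (see {@code a(String)}) is actually resolved. When the
 * {@link ProtectManager} allows blocking, the report is followed by an
 * {@link AttackBlockedException} that aborts the parse.
 *
 * <p>Every public sensor callback wraps its private worker in a catch-all so that a failure
 * inside the agent is logged rather than surfaced to the instrumented parser; the callbacks
 * whose worker can report an attack rethrow {@link AttackBlockedException} unchanged.
 *
 * <p>This source is decompiled (JADX). The obfuscated member names are kept deliberately so
 * that the many {@code a(...)}/{@code b(...)} overloads resolve exactly as in the shipped
 * class; do not rename them casually.
 */
@Sensor
/* loaded from: input_file:com/contrastsecurity/agent/plugins/rasp/rules/xxe/XXEProtectRule.class */
public final class XXEProtectRule extends X<XXEDetailsDTM> implements l<XXEDetailsDTM, ContrastXXEProtectDispatcher> {
    /** Rule identifier; also the first argument of {@code Z.a(...)} when the rule id is built. */
    public static final String ID = "xxe";
    /** Attack reporting sink: receives the details DTM, the user-input DTM and the attack result. */
    private final InterfaceC0094d d;
    /** Dispatcher registration returned from {@link #getDispatcherRegistration()}. */
    private final com.contrastsecurity.agent.instr.h<ContrastXXEProtectDispatcher> e;
    /** Consulted for {@code canBlock(this)} when reporting and {@code isSinksDisabled()} when instrumenting. */
    private final ProtectManager f;
    /** Class-visitor factories keyed by the JVM-internal name of the parser class to instrument. */
    private final Map<String, i<?>> g = new HashMap<String, i<?>>();
    /** Typed rule id built in the constructor from {@link #ID}. */
    private final Z<XXEDetailsDTM> h;
    /** Key handed to the {@code com.contrastsecurity.agent.i.c.a} logging helper for parse-start failures. */
    private static final String j = "xercesDocParsingStart";

    /** Per-request context key for the Woodstox parsing context. */
    @A
    static final String b = "xxe_woodstox";

    /** Per-request context key for the Xerces document parsing context. */
    @A
    static final String c = "xxe_xerces";
    /** Per-request context key for the Xerces/JDK StAX parsing context. */
    private static final String k = "xxe_xerces_stax";
    /** Per-request context key for the IBM XLXP parsing context. */
    private static final String l = "xxe_ibm_xlxp";
    public static final int MAX_EVIDENCE_LENGTH = 2048;
    /** Name reported for the user input that carried the attack (the XML prolog). */
    private static final String q = "XML Prolog";
    /**
     * Matches an external entity declaration; group 2 captures the text after
     * {@code SYSTEM}/{@code PUBLIC} up to the closing {@code >}.
     * NOTE(review): the class range {@code 0-f} spans '0'..'f' (digits plus
     * {@code :;<=>?@[\]^_`} and a-f), which looks like a typo for {@code 0-9}; as written,
     * entity names containing '-' or '.' are not matched. Confirm before changing, since this
     * alters detection behaviour.
     */
    private static final Pattern i = new Pattern("(<!ENTITY(?:\\s+)[a-zA-Z0-f]+(?:\\s+)(?:SYSTEM|PUBLIC)(?:\\s+)(.*?)>)");
    /** Path-traversal sequences looked for in the URL-decoded system id. */
    private static final String[] m = {"../", "..\\"};
    /**
     * Prefixes that mark a system id as a local path. The decompiler substituted third-party
     * constants that happen to hold the same literals; they appear to be "/" and "." — confirm
     * against the shipped class before relying on that.
     */
    private static final String[] n = {ConnectionFactory.DEFAULT_VHOST, WildcardPattern.ANY_CHAR};
    /** Matches ids that start with an optional run of backslashes and a 1-3 letter prefix plus ':' (e.g. a Windows drive letter or short scheme). */
    private static final Pattern o = new Pattern("^[\\\\]*[a-zA-Z]{1,3}:.*");
    private static final Logger p = LoggerFactory.getLogger(XXEProtectRule.class);

    /**
     * Wires the rule and registers one visitor factory per parser class. The same factory
     * instance is shared by every internal class name it handles.
     *
     * @param interfaceC0094d attack reporting sink
     * @param hVar            dispatcher registration for {@link ContrastXXEProtectDispatcher}
     * @param protectManager  blocking / sink-state authority
     */
    @Inject
    public XXEProtectRule(InterfaceC0094d interfaceC0094d, com.contrastsecurity.agent.instr.h<ContrastXXEProtectDispatcher> hVar, ProtectManager protectManager) {
        this.d = interfaceC0094d;
        this.e = hVar;
        this.f = protectManager;
        d.a aVar = new d.a();
        e.a aVar2 = new e.a();
        f.a aVar3 = new f.a();
        b.a aVar4 = new b.a();
        c.a aVar5 = new c.a();
        c.a aVar6 = new c.a();
        b.a aVar7 = new b.a();
        this.g.put(com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.c.c, aVar3);
        this.g.put(com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.c.d, aVar3);
        this.g.put(com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.c.a, aVar3);
        this.g.put(com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.c.b, aVar3);
        this.g.put(com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.c.e, aVar2);
        this.g.put(com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.c.f, aVar2);
        this.g.put(com.contrastsecurity.agent.plugins.rasp.rules.xxe.a.a.a.a.a, aVar6);
        this.g.put(com.contrastsecurity.agent.plugins.rasp.rules.xxe.a.a.a.a.b, aVar7);
        this.g.put(com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.c.g, aVar);
        this.g.put(com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.c.h, aVar);
        this.g.put(com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.c.i, aVar);
        this.g.put(com.contrastsecurity.agent.plugins.rasp.rules.xxe.c.a.b, aVar4);
        this.g.put(com.contrastsecurity.agent.plugins.rasp.rules.xxe.c.a.c, aVar5);
        this.h = Z.a(ID, XXEDetailsDTM.class);
    }

    /** @return the typed rule id built from {@link #ID} */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.i
    public Z<XXEDetailsDTM> getRuleId() {
        return this.h;
    }

    /** @return the configuration property that overrides this rule's protect mode */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.i
    public ConfigProperty getModeOverrideKey() {
        return ConfigProperty.PROTECT_XXE_MODE;
    }

    /**
     * Sensor: Xerces is about to parse a document. Wraps the {@link InputSource} streams so the
     * prolog can be captured and stores a new parsing context under key {@code c}.
     * Any failure, including errors, is routed to the helper logger and never propagated.
     *
     * @param r   request-scoped context holder
     * @param obj the {@link InputSource} being parsed
     */
    @Sensor
    public void onXercesDocumentParsingStart(R r, Object obj) {
        try {
            a(r, (InputSource) obj);
        } catch (Throwable th) {
            com.contrastsecurity.agent.i.c.a(j, p, "Problem handling Xerces document parsing start", th);
        }
    }

    /**
     * Worker for {@link #onXercesDocumentParsingStart}: replaces the byte stream and/or the
     * character stream of {@code inputSource} with the agent's wrapping stream, registers the
     * wrapper on a fresh {@code d.g} context and saves that context in {@code r} under {@code c}.
     */
    private void a(R r, InputSource inputSource) {
        if (p.isDebugEnabled()) {
            p.debug("Starting parsing context for input {} / {}", L.a(inputSource), inputSource.getClass().getName());
        }
        com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.g gVar = new com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.g();
        InputStream byteStream = inputSource.getByteStream();
        if (byteStream != null) {
            com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.a a = a(byteStream);
            inputSource.setByteStream(a);
            gVar.a(a);
            if (p.isDebugEnabled()) {
                p.debug("Created wrapper for bytestream {} for context {}", L.a(byteStream), L.a(gVar));
            }
        } else if (p.isDebugEnabled()) {
            p.debug("Bytestream was null -- no wrapper created for input {} for context {}", L.a(inputSource), L.a(gVar));
        }
        Reader characterStream = inputSource.getCharacterStream();
        if (characterStream != null) {
            com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.b a2 = a(characterStream);
            inputSource.setCharacterStream(a2);
            gVar.a(a2);
            if (p.isDebugEnabled()) {
                p.debug("Created wrapper for reader {} for context {}", L.a(characterStream), L.a(gVar));
            }
        } else if (p.isDebugEnabled()) {
            p.debug("reader was null -- no wrapper created for input {} for context {}", L.a(inputSource), L.a(gVar));
        }
        p.debug("Saving the context {}", gVar);
        r.a(c, gVar);
    }

    /**
     * Sensor: Xerces finished reading the DOCTYPE declaration. Failures are logged, never propagated.
     *
     * @param r request-scoped context holder
     */
    @Sensor
    public void onXercesDoctypeDeclarationFinished(R r) {
        try {
            a(r);
        } catch (Exception e) {
            p.error("Problem handling Xerces doctype declaration end", (Throwable) e);
        }
    }

    /**
     * Worker for {@link #onXercesDoctypeDeclarationFinished}: fetches the Xerces context saved
     * under {@code c}, calls {@code k()} on it (presumably to finalize the captured prolog —
     * confirm in {@code d.g}) and scans the prolog for entity declarations.
     */
    private void a(R r) {
        com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.g gVar = (com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.g) r.d(c);
        p.debug("Xerces doctype declaration finishing for context {}", r);
        if (gVar == null) {
            p.debug("No xerces parsing context when doctype declaration finished");
        } else {
            gVar.k();
            b(gVar);
        }
    }

    /**
     * Sensor: Xerces resolved an entity. An {@link AttackBlockedException} raised by the worker
     * is rethrown so the parse is aborted; any other failure is logged.
     *
     * @param r   request-scoped context holder
     * @param str entity name
     * @param obj parser entity / input-source object
     * @param z   forwarded to the worker, where it is unused
     * @param z2  forwarded to the worker, where it is unused
     */
    @Sensor
    public void onXercesEntityResolved(R r, String str, Object obj, boolean z, boolean z2) {
        try {
            a(r, str, obj, z, z2);
        } catch (AttackBlockedException e) {
            throw e;
        } catch (Exception e2) {
            p.error("Problem handling Xerces entity resolution", (Throwable) e2);
        }
    }

    /**
     * Worker for {@link #onXercesEntityResolved}.
     *
     * <p>Looks up the Xerces context (key {@code c}) and falls back to the StAX context (key
     * {@code k}). When neither exists a throw-away {@code e} is created whose prolog is
     * synthesized from the entity name and its system id (see {@code a(String, Object)}) so
     * the declaration scan still has text to match; that context is not stored back in
     * {@code r}. The entity is reported when its id is suspicious per {@code a(String)} and
     * the context's {@code h()} flag is not set ({@code h()} looks like an "already
     * handled" marker — confirm in {@code e}).
     *
     * @param z  unused
     * @param z2 unused
     */
    private void a(R r, String str, Object obj, boolean z, boolean z2) {
        e eVar = (e) r.d(c);
        if (p.isDebugEnabled()) {
            p.debug("Entity {} name resolved for context {}", str, L.a(eVar));
        }
        if (eVar == null) {
            eVar = (e) r.d(k);
        }
        if (eVar == null) {
            // Neither parser context exists: build a detached one from the entity itself.
            eVar = new e();
            eVar.a(a(str, obj));
        }
        d dVar = new d(obj);
        if (!a(dVar.a()) || eVar.h()) {
            return;
        }
        eVar.a(dVar);
        eVar.g();
        b(eVar);
        a(eVar);
    }

    /**
     * Sensor: Xerces finished parsing a document. An {@link AttackBlockedException} raised by
     * the worker is rethrown; any other failure is logged.
     *
     * @param r request-scoped context holder
     */
    @Sensor
    public void onXercesDocumentParsingEnd(R r) {
        try {
            b(r);
        } catch (AttackBlockedException e) {
            throw e;
        } catch (Exception e2) {
            p.error("Problem handling Xerces document parsing end", (Throwable) e2);
        }
    }

    /**
     * Worker for {@link #onXercesDocumentParsingEnd}: takes the Xerces context out of
     * {@code r} ({@code r.e(...)} appears to remove it — confirm in {@code R}) and, if
     * external entities were resolved and declarations were matched and the context is not
     * already handled, reports the attack. The prolog is (re)scanned first when {@code e()}
     * is false.
     */
    private void b(R r) {
        com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.g gVar = (com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.g) r.e(c);
        p.debug("Xerces document parsing ends");
        if (gVar == null) {
            p.debug("No xerces parsing context when document parsing ends");
            return;
        }
        List<d> d = gVar.d();
        List<XMLMatchDTM> c2 = gVar.c();
        if (d.isEmpty() || c2.isEmpty() || gVar.h()) {
            return;
        }
        if (!gVar.e()) {
            b(gVar);
        }
        a((e) gVar);
    }

    /**
     * Sensor: the StAX event allocator produced an event. Failures are logged, never propagated.
     *
     * @param r    request-scoped context holder
     * @param obj  the reader the event came from (only logged)
     * @param obj2 the StAX event object
     */
    @Sensor
    public void onStAXEventRead(R r, Object obj, Object obj2) {
        try {
            a(r, obj, obj2);
        } catch (Exception e) {
            p.error("Problem handling StAX event read", (Throwable) e);
        }
    }

    /**
     * Worker for {@link #onStAXEventRead}: dispatches on the event's simple class name. A
     * {@code DTDEvent} contributes its {@code toString()} as the prolog and triggers the
     * declaration scan; an {@code EndDocumentEvent} drops the StAX context (key {@code k}).
     */
    private void a(R r, Object obj, Object obj2) {
        p.debug("Analyzing reader {} and event {}", obj, obj2);
        e eVar = (e) r.d(k);
        if (eVar == null) {
            eVar = new e();
            r.a(k, eVar);
        }
        String simpleName = obj2.getClass().getSimpleName();
        if ("DTDEvent".equals(simpleName)) {
            eVar.a(obj2.toString());
            b(eVar);
        } else if ("EndDocumentEvent".equals(simpleName)) {
            r.e(k);
        }
    }

    /**
     * Sensor: Woodstox read a StAX event. Failures are logged, never propagated.
     *
     * @param r   request-scoped context holder
     * @param obj the Woodstox reader
     */
    @Sensor
    public void onWoodstoxStAXEventRead(R r, Object obj) {
        try {
            a(r, obj);
        } catch (Exception e) {
            p.error("Problem handling Woodstox/StAX event read", (Throwable) e);
        }
    }

    /**
     * Worker for {@link #onWoodstoxStAXEventRead}: reads the event type through the
     * {@code c.d} reader wrapper. Type 11 is {@code XMLStreamConstants.DTD}: the DTD text
     * (prefixed with {@code c.a.a}) becomes the prolog and is scanned. Type 8 is
     * {@code XMLStreamConstants.END_DOCUMENT}: the Woodstox context (key {@code b}) is dropped.
     */
    private void a(R r, Object obj) {
        p.debug("Analyzing reader {}", obj);
        e eVar = (e) r.d(b);
        if (eVar == null) {
            eVar = new e();
            r.a(b, eVar);
        }
        com.contrastsecurity.agent.plugins.rasp.rules.xxe.c.d dVar = new com.contrastsecurity.agent.plugins.rasp.rules.xxe.c.d(obj);
        int a = dVar.a();
        if (11 == a) {
            eVar.a(com.contrastsecurity.agent.plugins.rasp.rules.xxe.c.a.a + dVar.b());
            b(eVar);
        } else if (8 == a) {
            r.e(b);
        }
    }

    /**
     * Sensor: Woodstox resolved an entity. An {@link AttackBlockedException} raised by the
     * worker is rethrown; any other failure is logged.
     *
     * @param r   request-scoped context holder
     * @param obj the resolved entity object, wrapped by {@code d}
     */
    @Sensor
    public void onWoodstoxEntityResolved(R r, Object obj) {
        try {
            b(r, obj);
        } catch (AttackBlockedException e) {
            throw e;
        } catch (Exception e2) {
            p.error("Problem handling Woodtstox entity resolution", (Throwable) e2);
        }
    }

    /**
     * Worker for {@link #onWoodstoxEntityResolved}: requires an existing Woodstox context
     * (key {@code b}); reports when the entity id is suspicious per {@code a(String)}.
     * Unlike the Xerces path, no {@code h()} guard is applied here.
     */
    private void b(R r, Object obj) {
        e eVar = (e) r.d(b);
        if (eVar == null) {
            p.debug("No woodstox parsing context when entity resolved");
            return;
        }
        d dVar = new d(obj);
        if (a(dVar.a())) {
            eVar.a(dVar);
            a(eVar);
        }
    }

    /**
     * Sensor: IBM XLXP finished parsing the DOCTYPE. Failures (including the reflection
     * exceptions declared by the worker) are logged, never propagated.
     *
     * @param r   request-scoped context holder
     * @param obj the XLXP scanner object whose {@code fDoctypeString} field holds the DOCTYPE text
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Sensor
    public void onIbmXlxpDoctypeParsingEnd(R r, Object obj) {
        try {
            c(r, obj);
        } catch (Exception e) {
            p.error("Problem handling IBM XLMP doctype parsing", (Throwable) e);
        }
    }

    /**
     * Worker for {@link #onIbmXlxpDoctypeParsingEnd}: reads {@code fDoctypeString}
     * reflectively, stores it as the prolog of the XLXP context (key {@code l}) and scans it.
     *
     * <p>The null check is performed on the raw field value, before {@code toString()}; the
     * original code dereferenced first, so a null field surfaced as an error-level NPE log
     * instead of the intended debug message.
     *
     * @throws NoSuchMethodException when the field's {@code toString()} is the default
     *         {@code Object} one (detected by the class name {@code DTDScanner} appearing in
     *         the text), i.e. the scanner did not give us the DOCTYPE string
     */
    private void c(R r, Object obj) throws NoSuchFieldException, NoSuchMethodException, IllegalAccessException {
        Object doctype = E.b(obj, "fDoctypeString").get(obj);
        if (doctype == null) {
            p.debug("Null xml body received by Contrast IBM XLXP listener");
            return;
        }
        String obj2 = doctype.toString();
        if (obj2.contains("DTDScanner")) {
            throw new NoSuchMethodException("toString is implemented on the Object rather than StAXDTDScanner and thus dont return the string representation we want");
        }
        e eVar = (e) r.d(l);
        if (eVar == null) {
            eVar = new e();
            r.a(l, eVar);
        }
        eVar.a(obj2);
        b(eVar);
    }

    /**
     * Sensor: IBM XLXP resolved an external entity. An {@link AttackBlockedException} raised
     * by the worker is rethrown; any other failure is logged.
     *
     * @param r    request-scoped context holder
     * @param obj  secondary identifier of the entity (may be null)
     * @param obj2 identifier that is checked for being suspicious; must be non-null
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Sensor
    public void onIbmXlxpExternalEntityResolved(R r, Object obj, Object obj2) {
        try {
            b(r, obj, obj2);
        } catch (AttackBlockedException e) {
            throw e;
        } catch (Exception e2) {
            p.error("Problem handling IBM XLMP entity resolution", (Throwable) e2);
        }
    }

    /**
     * Worker for {@link #onIbmXlxpExternalEntityResolved}: creates the XLXP context (key
     * {@code l}) on demand and reports when {@code obj2}'s string form is suspicious per
     * {@code a(String)}. A null {@code obj2} raises an NPE that the sensor logs.
     */
    private void b(R r, Object obj, Object obj2) {
        String obj3 = obj != null ? obj.toString() : null;
        String obj4 = obj2.toString();
        e eVar = (e) r.d(l);
        if (eVar == null) {
            eVar = new e();
            r.a(l, eVar);
        }
        if (a(obj4)) {
            eVar.a(new d(obj4, obj3));
            a(eVar);
        }
    }

    /**
     * Decides whether an entity system id is suspicious enough to report.
     *
     * <p>Order of evaluation: (1) null ids and ids ending in {@code .dtd}, {@code .xsd} or
     * {@code .ent} are never flagged; (2) ids starting with {@code http:}, {@code https:},
     * the {@code g.g.a} scheme constant, {@code ftp:}, {@code jar:}, {@code gopher:} or one
     * of {@link #n} are flagged; (3) the URL-decoded id is flagged when it contains a
     * traversal sequence from {@link #m}; (4) otherwise the raw id is matched against
     * {@link #o} (drive-letter / short-scheme prefix).
     *
     * <p>NOTE(review): because step (1) runs before step (2), a remote id ending in
     * {@code .dtd}/{@code .xsd}/{@code .ent} is not reported by this method; confirm that
     * this exclusion is intended (it presumably avoids false positives on schema fetches).
     *
     * <p>Decoding uses {@code URLDecoder.decode(String, "UTF-8")} and tolerates malformed
     * {@code %}-escapes by falling back to the raw value. The previous call to the deprecated
     * {@code URLDecoder.decode(String)} threw {@link IllegalArgumentException} on such input,
     * which propagated to the sensor's catch-all and silently skipped the whole check.
     *
     * @param str entity system id; may be null
     * @return {@code true} when the id should be reported
     */
    boolean a(String str) {
        if (str == null || StringUtils.endsWithIgnoreCase(str, ".dtd") || StringUtils.endsWithIgnoreCase(str, ".xsd") || StringUtils.endsWithIgnoreCase(str, ".ent")) {
            return false;
        }
        if (StringUtils.startsWithIgnoreCase(str, "http:") || StringUtils.startsWithIgnoreCase(str, "https:") || StringUtils.startsWithIgnoreCase(str, com.contrastsecurity.agent.g.g.a) || StringUtils.startsWithIgnoreCase(str, "ftp:") || StringUtils.startsWithIgnoreCase(str, "jar:") || StringUtils.startsWithIgnoreCase(str, "gopher:") || StringUtils.startsWithAny(str, n)) {
            return true;
        }
        String decode;
        try {
            decode = URLDecoder.decode(str, "UTF-8");
        } catch (IllegalArgumentException ex) {
            // Malformed %-escape: inspect the raw value instead of aborting the check.
            decode = str;
        } catch (java.io.UnsupportedEncodingException ex) {
            // UTF-8 is mandatory in every JRE; keep the raw value if it somehow is not.
            decode = str;
        }
        for (String str2 : m) {
            if (decode.contains(str2)) {
                return true;
            }
        }
        return o.matches(str);
    }

    /**
     * Reports the attack held by {@code eVar} to the sink and, when the {@link ProtectManager}
     * allows this rule to block, throws {@link AttackBlockedException} to abort the parse.
     *
     * @param eVar parsing context carrying the prolog ({@code b()}), the matched declarations
     *             ({@code c()}), the resolved entities ({@code d()}) and the timestamp ({@code a()})
     * @throws AttackBlockedException when blocking mode is active
     */
    private void a(e eVar) {
        String b2 = eVar.b();
        ArrayList<d> arrayList = new ArrayList<d>(eVar.d());
        boolean canBlock = this.f.canBlock(this);
        this.d.a(this.h, a(eVar.c(), arrayList, b2), UserInputDTM.builder().value(b2).name(q).type(UserInputDTM.InputType.UNKNOWN).time(eVar.a()).build(), canBlock ? AttackResult.BLOCKED : AttackResult.EXPLOITED);
        if (canBlock) {
            throw new AttackBlockedException("XXE attack detected");
        }
    }

    /**
     * Builds the details DTM for the report.
     *
     * <p>Resolved entities are de-duplicated on their pair of identifiers. The key is a
     * two-element list rather than the plain concatenation {@code a + b2} the original used,
     * which could merge distinct entities whose identifiers happened to concatenate equally.
     *
     * @param list  matched declaration offsets (may be passed through as-is)
     * @param list2 resolved entities; null is treated as empty
     * @param str   the prolog text
     */
    private XXEDetailsDTM a(List<XMLMatchDTM> list, List<d> list2, String str) {
        HashSet<List<String>> seen = new HashSet<List<String>>();
        LinkedList<ExternalEntityWrapperDTM> linkedList = new LinkedList<ExternalEntityWrapperDTM>();
        if (list2 != null) {
            for (d entity : list2) {
                String a = entity.a();
                String b2 = entity.b();
                // Set.add returns false for a pair already seen; nulls are allowed in the key.
                if (seen.add(java.util.Arrays.asList(a, b2))) {
                    linkedList.add(new ExternalEntityWrapperDTM(a, b2));
                }
            }
        }
        return new XXEDetailsDTM(str, list, linkedList);
    }

    /**
     * Scans the context's prolog for external entity declarations and records, for every
     * match, the start/end of group 2 (the SYSTEM/PUBLIC id portion) as an {@link XMLMatchDTM}.
     * The offsets refer to the HTML-unescaped text produced by {@code b(String)}, not to the
     * raw prolog. {@code f()} is called afterwards regardless of whether a prolog existed.
     */
    private void b(e eVar) {
        String b2 = eVar.b();
        if (b2 != null) {
            MatchIterator findAll = b(b2).findAll();
            while (findAll.hasMore()) {
                MatchResult nextMatch = findAll.nextMatch();
                eVar.a(new XMLMatchDTM(nextMatch.start(2), nextMatch.end(2)));
            }
        }
        eVar.f();
    }

    /**
     * @return a matcher of {@link #i} over the HTML-unescaped form of {@code str}, so that
     *         entity-encoded declarations are still recognised
     */
    @A
    Matcher b(String str) {
        return i.matcher(StringEscapeUtils.unescapeHtml(str));
    }

    /**
     * Synthesizes a prolog snippet ({@code ...[<!ENTITY name SYSTEM id>]...}) for an entity
     * observed without a captured prolog; when no system id can be read, {@code " ... "}
     * stands in for it.
     *
     * @param str entity name
     * @param obj parser object whose {@code fSystemId} is read by {@link #a(Object)}
     */
    private String a(String str, Object obj) {
        String a = a(obj);
        StringBuilder sb = new StringBuilder();
        sb.append("...[<!ENTITY ");
        sb.append(str);
        if (a != null) {
            sb.append(" SYSTEM ");
            sb.append(a);
        } else {
            sb.append(" ... ");
        }
        sb.append(">]...");
        return sb.toString();
    }

    /**
     * Reads the {@code fSystemId} field of {@code obj} reflectively.
     *
     * @return the system id, or null when the field is absent, inaccessible or not a String
     *         (the failure is logged at error level)
     */
    private String a(Object obj) {
        String str = null;
        try {
            str = (String) E.b(obj, "fSystemId").get(obj);
        } catch (Throwable th) {
            p.error("Problem inspecting XML input source during external entity resolution", th);
        }
        return str;
    }

    /** Wraps a character stream so the prolog can be captured while the parser reads it. */
    private com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.b a(Reader reader) {
        return new com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.b(reader);
    }

    /** Wraps a byte stream so the prolog can be captured while the parser reads it. */
    private com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.a a(InputStream inputStream) {
        return new com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.a(inputStream);
    }

    /**
     * Instruments XML parser classes.
     *
     * <p>Does nothing while sinks are disabled. Otherwise, any class implementing
     * {@code javax/xml/stream/util/XMLEventAllocator} gets the StAX event visitor, and a class
     * whose internal name is registered in {@link #g} gets the visitor built by the matching
     * factory. A factory failure is logged with its cause (the original log line dropped the
     * exception) and leaves the visitor chain as it was.
     *
     * @return the possibly wrapped {@code classVisitor}
     */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.m
    public ClassVisitor onInstrumentingClass(com.contrastsecurity.agent.instr.f<ContrastXXEProtectDispatcher> fVar, ClassVisitor classVisitor, InstrumentationContext instrumentationContext) {
        if (!this.f.isSinksDisabled()) {
            String internalClassName = instrumentationContext.getInternalClassName();
            if (instrumentationContext.getAncestors().contains("javax/xml/stream/util/XMLEventAllocator")) {
                instrumentationContext.getChanger().addAdapter("StaxEventVisitor");
                instrumentationContext.setRequiresTransforming(true);
                classVisitor = new com.contrastsecurity.agent.plugins.rasp.rules.xxe.b.a(fVar, instrumentationContext, classVisitor);
            }
            i<?> iVar = this.g.get(internalClassName);
            if (iVar != null) {
                try {
                    classVisitor = iVar.a(fVar, instrumentationContext, classVisitor);
                    instrumentationContext.getChanger().addAdapter("BaseXXEClassVisitor");
                    instrumentationContext.setRequiresTransforming(true);
                } catch (Exception e) {
                    // Trailing throwable argument is rendered as the stack trace by SLF4J.
                    p.error("Couldn't build visitor for type {}", internalClassName, e);
                }
            }
        }
        return classVisitor;
    }

    /** @return {@code false}: this rule has no code-exclusion special casing */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.l
    public boolean isCodeExclusionSpecialCase() {
        return false;
    }

    /**
     * @return whether {@code cls} is one of the parser classes (name prefixes in
     *         {@code d.c.j}) that must be instrumented before the agent is fully initialised
     */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.l
    public boolean requiresPrimordialInstrumentation(Class<?> cls) {
        return StringUtils.startsWithAny(cls.getName(), com.contrastsecurity.agent.plugins.rasp.rules.xxe.d.c.j);
    }

    /** @return the dispatcher registration injected at construction */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.l
    public com.contrastsecurity.agent.instr.h<ContrastXXEProtectDispatcher> getDispatcherRegistration() {
        return this.e;
    }

    /** No-op: this rule does not inspect resolved request parameters. */
    @Override // com.contrastsecurity.agent.plugins.rasp.X
    public void onParametersResolved(HttpRequest httpRequest) {
    }
}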
