package com.contrastsecurity.agent.plugins.security.policy.rules.providers.internal.csrf;

import com.contrastsecurity.agent.Sensor;
import com.contrastsecurity.agent.commons.m;
import com.contrastsecurity.agent.config.ConfigProperty;
import com.contrastsecurity.agent.config.g;
import com.contrastsecurity.agent.http.HttpManager;
import com.contrastsecurity.agent.http.HttpRequest;
import com.contrastsecurity.agent.instr.InstrumentationContext;
import com.contrastsecurity.agent.instr.i;
import com.contrastsecurity.agent.messages.app.activity.assessment.StateChangingActionDTM;
import com.contrastsecurity.agent.plugins.security.policy.rules.providers.ApplicationAnalyzer;
import com.contrastsecurity.agent.plugins.security.policy.rules.providers.HttpWatcher;
import com.contrastsecurity.agent.plugins.security.policy.rules.providers.ProviderUtil;
import com.contrastsecurity.agent.plugins.security.policy.rules.providers.RuleProvider;
import com.contrastsecurity.agent.util.C;
import com.contrastsecurity.agent.util.EnumC0209g;
import com.contrastsecurity.agent.util.SimplePattern;
import com.contrastsecurity.thirdparty.org.apache.commons.io.FileUtils;
import com.contrastsecurity.thirdparty.org.apache.commons.lang.StringUtils;
import com.contrastsecurity.thirdparty.org.objectweb.asm.ClassVisitor;
import com.contrastsecurity.thirdparty.org.slf4j.Logger;
import com.contrastsecurity.thirdparty.org.slf4j.LoggerFactory;
import java.io.File;
import java.io.IOException;
import java.lang.ContrastAssessDispatcherLocator;
import java.util.LinkedList;
import java.util.List;

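/**
 * Assess rule provider for Cross-Site Request Forgery (rule id {@code "csrf"}).
 *
 * <p>The rule collects evidence from three places:
 * <ul>
 *   <li>{@link #getVisitor} instruments the two CSRF defenses the agent recognises,
 *       OWASP CSRFGuard and Spring Security's {@code CsrfFilter}, through the
 *       package adapters {@code e} and {@code f} (presumably to observe token
 *       validation -- the adapters are not part of this file);</li>
 *   <li>{@link #onDatabaseQueryIssued} records state-changing SQL issued while an
 *       HTTP request is in flight, via the package helper class {@code a};</li>
 *   <li>{@link #getResponseWatcher} hands the configured mode and URL patterns to
 *       the response watcher {@code c}, which makes the final reporting decision.</li>
 * </ul>
 *
 * <p>Mode selection happens once, in the constructor (see {@link #configureMode()}):
 * exactly one of {@code CSRF_IDEMPOTENT_URLS} or {@code CSRF_PROTECTED_URLS} may
 * name a pattern file. Supplying both, or a file that yields no usable pattern,
 * falls back to {@link a#HEURISTICS} with a warning.
 *
 * <p>Detection caveat: the SQL heuristic only looks at the leading keyword of the
 * query, so statements such as {@code MERGE}, {@code TRUNCATE}, stored-procedure
 * calls, CTE-led writes ({@code WITH ... UPDATE}) and queries that start with a SQL
 * comment are not recognised as state-changing. This is a known gap of the
 * heuristic, not something this class claims to cover.
 *
 * <p>Thread-safety: all fields are written once by the constructor and never
 * mutated afterwards; the pattern array is shared read-only with every watcher.
 */
@Sensor
/* loaded from: input_file:com/contrastsecurity/agent/plugins/security/policy/rules/providers/internal/csrf/CSRFRule.class */
public class CSRFRule extends RuleProvider {
    /** Rule identifier returned by {@link #getId()}. */
    static final String a = "csrf";
    /**
     * Marker key, presumably set on a request once a CSRF token check has been
     * observed. It is defined here for the package's adapters/helpers; nothing in
     * this class reads it.
     */
    static final String b = "csrf.token.checked";

    /** Recorded queries are truncated to this many characters before being attached to the request. */
    private static final int MAX_QUERY_LENGTH = 50;
    /** Leading SQL keywords (case-insensitive) that mark a query as state-changing. */
    private static final String[] STATE_CHANGING_SQL_PREFIXES = {"insert", "update", "delete", "drop", "create", "alter", "upsert"};
    private static final Logger logger = LoggerFactory.getLogger(CSRFRule.class);

    private final ProviderUtil providerUtil;
    private final i<ContrastAssessDispatcherLocator> dispatcherLocator;
    private final HttpManager httpManager;
    private final g config;

    /** URL patterns read from the configured pattern file; {@code null} in {@link a#HEURISTICS} mode. */
    private SimplePattern[] urlPatterns;
    /** How the response watcher should decide which requests need CSRF protection. */
    private a mode;

    /**
     * Strategy handed to the response watcher. The names describe what the
     * configured pattern list means; the watcher {@code c} applies it.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/contrastsecurity/agent/plugins/security/policy/rules/providers/internal/csrf/CSRFRule$a.class */
    public enum a {
        /** The pattern list names URLs that are idempotent (safe without CSRF protection). */
        KNOWN_IDEMPOTENT,
        /** The pattern list names URLs that must carry CSRF protection. */
        KNOWN_NEED_PROTECTING,
        /** No pattern list; the watcher infers state-changing requests (e.g. from recorded DB writes). */
        HEURISTICS
    }

    /**
     * Legacy constructor; resolves the dispatcher locator, HTTP manager and config
     * from {@code providerUtil}.
     *
     * @deprecated use {@link #CSRFRule(ProviderUtil, i, HttpManager, g)} so the
     *             collaborators can be injected explicitly.
     */
    @Deprecated
    public CSRFRule(ProviderUtil providerUtil) {
        this(providerUtil, i.a(ContrastAssessDispatcherLocator.Singleton.class, ContrastAssessDispatcherLocator.class), providerUtil.getHttpManager(), providerUtil.getConfig());
    }

    /**
     * Creates the rule and reads its mode/pattern configuration immediately.
     *
     * @param providerUtil shared provider utilities, passed on to the response watcher
     * @param iVar         locator for the Assess dispatcher, passed on to the class adapters
     * @param httpManager  source of the current HTTP request for {@link #onDatabaseQueryIssued}
     * @param gVar         agent configuration (CSRF_IDEMPOTENT_URLS / CSRF_PROTECTED_URLS)
     * @throws RuntimeException (from {@code m.a}) if any argument is {@code null}
     */
    public CSRFRule(ProviderUtil providerUtil, i<ContrastAssessDispatcherLocator> iVar, HttpManager httpManager, g gVar) {
        m.a(providerUtil);
        m.a(iVar);
        m.a(gVar);
        m.a(httpManager);
        this.config = gVar;
        this.providerUtil = providerUtil;
        this.dispatcherLocator = iVar;
        this.httpManager = httpManager;
        configureMode();
    }

    /** @return the rule id {@code "csrf"} */
    @Override // com.contrastsecurity.agent.plugins.security.policy.rules.providers.RuleProvider
    public String getId() {
        return a;
    }

    /**
     * Wraps the visitor for the two known CSRF defense classes so their bytecode
     * is transformed by the package adapters; every other class passes through
     * untouched.
     *
     * @param classVisitor           downstream visitor
     * @param instrumentationContext context for the class being loaded
     * @return the (possibly wrapped) visitor
     */
    @Override // com.contrastsecurity.agent.plugins.security.policy.rules.providers.RuleProvider
    public ClassVisitor getVisitor(ClassVisitor classVisitor, InstrumentationContext instrumentationContext) {
        String className = instrumentationContext.getClassName();
        if ("org.owasp.csrfguard.CsrfGuard".equals(className)) {
            instrumentationContext.setRequiresTransforming(true);
            instrumentationContext.getChanger().addAdapter(e.class.getName());
            return new e(classVisitor, instrumentationContext, this.dispatcherLocator);
        }
        if ("org.springframework.security.web.csrf.CsrfFilter".equals(className)) {
            instrumentationContext.setRequiresTransforming(true);
            instrumentationContext.getChanger().addAdapter(f.class.getName());
            return new f(classVisitor, instrumentationContext, this.dispatcherLocator);
        }
        return classVisitor;
    }

    /**
     * @return a fresh response watcher carrying the configured mode and pattern
     *         list ({@code null} patterns in heuristics mode, as before)
     */
    @Override // com.contrastsecurity.agent.plugins.security.policy.rules.providers.RuleProvider
    public HttpWatcher getResponseWatcher() {
        return new c(this.mode, this.urlPatterns, this.providerUtil);
    }

    /** This rule has no application-wide analyzer. */
    @Override // com.contrastsecurity.agent.plugins.security.policy.rules.providers.RuleProvider
    public ApplicationAnalyzer getApplicationAnalyzer() {
        return null;
    }

    /**
     * Records a state-changing query against the current request, if any.
     *
     * <p>Any failure is logged and swallowed on purpose: this runs inside the
     * application's own database call and must never propagate an agent error
     * into application code.
     *
     * @param enumC0209g database/driver kind (not used by this rule)
     * @param str        the SQL text; empty/null is ignored
     */
    @Override // com.contrastsecurity.agent.plugins.security.policy.rules.providers.RuleProvider
    public void onDatabaseQueryIssued(EnumC0209g enumC0209g, String str) {
        if (StringUtils.isEmpty(str)) {
            return;
        }
        try {
            recordStateChangingQuery(str);
        } catch (Exception e) {
            logger.error("Problem watching CSRF query", (Throwable) e);
        }
    }

    /**
     * Attaches a truncated copy of {@code query} to the current request as a
     * {@link StateChangingActionDTM.Type#DB_QUERY} when the query is a write.
     *
     * <p>Leading whitespace is stripped before the keyword test so multi-line SQL
     * text (which commonly starts with a newline) is classified the same way as a
     * single-line statement.
     */
    private void recordStateChangingQuery(String query) {
        HttpRequest currentRequest = this.httpManager.getCurrentRequest();
        if (currentRequest == null) {
            return; // query issued outside any tracked request (startup, background work)
        }
        // Helper a.b(...) excludes this request; its exact criterion lives in class a (not visible here).
        if (com.contrastsecurity.agent.plugins.security.policy.rules.providers.internal.csrf.a.b(currentRequest)) {
            return;
        }
        String normalized = query.trim();
        if (!isStateChangingQuery(normalized)) {
            return;
        }
        // Keep only a prefix: the DTM is evidence, not a full query log. Note this is a
        // char-index cut and may split a surrogate pair in non-BMP text.
        if (normalized.length() > MAX_QUERY_LENGTH) {
            normalized = normalized.substring(0, MAX_QUERY_LENGTH);
        }
        com.contrastsecurity.agent.plugins.security.policy.rules.providers.internal.csrf.a.a(currentRequest, new StateChangingActionDTM(StateChangingActionDTM.Type.DB_QUERY, normalized));
    }

    /**
     * @param query SQL text with leading whitespace already removed
     * @return {@code true} if the query starts (case-insensitively) with one of
     *         {@link #STATE_CHANGING_SQL_PREFIXES}; see the class comment for the
     *         statement kinds this deliberately simple check misses
     */
    private boolean isStateChangingQuery(String query) {
        for (String prefix : STATE_CHANGING_SQL_PREFIXES) {
            if (StringUtils.startsWithIgnoreCase(query, prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Chooses the operating mode from the agent configuration.
     *
     * <p>Rules, in order:
     * <ol>
     *   <li>both URL lists configured: conflicting, use {@link a#HEURISTICS} (the
     *       original code logged this but left the mode {@code null}; the mode now
     *       matches the message);</li>
     *   <li>neither configured: {@link a#HEURISTICS};</li>
     *   <li>one configured: load its file; if it yields no pattern at all (missing,
     *       unreadable or empty file) the pattern mode would make the watcher treat
     *       every URL uniformly, which is never what an operator configured, so fall
     *       back to {@link a#HEURISTICS} with a warning.</li>
     * </ol>
     */
    private void configureMode() {
        String idempotentFile = this.config.b(ConfigProperty.CSRF_IDEMPOTENT_URLS);
        String protectedFile = this.config.b(ConfigProperty.CSRF_PROTECTED_URLS);
        boolean hasIdempotent = !StringUtils.isEmpty(idempotentFile);
        boolean hasProtected = !StringUtils.isEmpty(protectedFile);

        if (hasIdempotent && hasProtected) {
            String message = "Can't specify both protected and unprotected URL patterns for CSRF rule -- choose one! Rule currently using heuristics instead of patterns.";
            C.a(message);
            logger.warn(message);
            this.mode = a.HEURISTICS;
            return;
        }
        if (!hasIdempotent && !hasProtected) {
            this.mode = a.HEURISTICS;
            return;
        }

        String patternFile = hasIdempotent ? idempotentFile : protectedFile;
        a patternMode = hasIdempotent ? a.KNOWN_IDEMPOTENT : a.KNOWN_NEED_PROTECTING;
        SimplePattern[] patterns = loadPatterns(patternFile);
        if (patterns.length == 0) {
            String message = "CSRF URL pattern file " + patternFile + " yielded no patterns -- rule currently using heuristics instead of patterns.";
            C.a(message);
            logger.warn(message);
            this.mode = a.HEURISTICS;
            return;
        }
        this.urlPatterns = patterns;
        this.mode = patternMode;
    }

    /**
     * Reads one URL pattern per line from {@code path}.
     *
     * <p>The path comes from the agent's own configuration, not from the
     * application or its users. Lines are trimmed and blank lines skipped; a line
     * that fails to parse is logged and dropped. The file is decoded with the
     * platform default charset ({@code readLines(File)}), which is adequate for
     * the ASCII URL paths expected here. An unreadable file is logged and yields
     * an empty array; the caller decides how to treat that.
     *
     * @param path pattern file location
     * @return the parsed patterns, possibly empty, never {@code null}
     */
    private SimplePattern[] loadPatterns(String path) {
        List<SimplePattern> patterns = new LinkedList<SimplePattern>();
        try {
            List<String> lines = FileUtils.readLines(new File(path));
            for (String line : lines) {
                String candidate = line.trim();
                if (StringUtils.isEmpty(candidate)) {
                    continue; // blank line: separator, not a pattern
                }
                SimplePattern pattern = parsePattern(candidate);
                if (pattern != null) {
                    patterns.add(pattern);
                }
            }
        } catch (IOException e) {
            logger.error("Couldn't read CSRF pattern file at {}", path, e);
        }
        return patterns.toArray(new SimplePattern[0]);
    }

    /**
     * @param text one pattern line
     * @return the compiled pattern, or {@code null} if {@link SimplePattern}
     *         rejected it (the failure is logged, not thrown, so one bad line does
     *         not disable the whole rule)
     */
    private SimplePattern parsePattern(String text) {
        try {
            return new SimplePattern(text);
        } catch (Exception e) {
            logger.error("Problem parsing CSRF URL pattern {}", text, e);
            return null;
        }
    }
}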
