package com.contrastsecurity.agent.plugins.rasp.rules.cve.struts.b;

import com.contrastsecurity.agent.apps.Application;
import com.contrastsecurity.agent.apps.ApplicationManager;
import com.contrastsecurity.agent.config.ConfigProperty;
import com.contrastsecurity.agent.instr.InstrumentationContext;
import com.contrastsecurity.agent.instr.h;
import com.contrastsecurity.agent.messages.app.activity.defend.details.CveDetailsDTM;
import com.contrastsecurity.agent.messages.app.activity.defend.details.UserInputDTM;
import com.contrastsecurity.agent.plugins.rasp.A;
import com.contrastsecurity.agent.plugins.rasp.E;
import com.contrastsecurity.agent.plugins.rasp.InterfaceC0094d;
import com.contrastsecurity.agent.plugins.rasp.ProtectManager;
import com.contrastsecurity.agent.plugins.rasp.R;
import com.contrastsecurity.agent.plugins.rasp.Z;
import com.contrastsecurity.agent.plugins.rasp.an;
import com.contrastsecurity.agent.plugins.rasp.rules.b.g;
import com.contrastsecurity.agent.plugins.rasp.rules.k;
import com.contrastsecurity.agent.plugins.rasp.rules.l;
import com.contrastsecurity.agent.util.C0203a;
import com.contrastsecurity.thirdparty.javax.inject.Inject;
import com.contrastsecurity.thirdparty.org.apache.commons.lang.StringUtils;
import com.contrastsecurity.thirdparty.org.objectweb.asm.ClassVisitor;
import com.contrastsecurity.thirdparty.org.slf4j.Logger;
import com.contrastsecurity.thirdparty.org.slf4j.LoggerFactory;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;

/* compiled from: DefaultActionInvocationRule.java */
/* loaded from: input_file:com/contrastsecurity/agent/plugins/rasp/rules/cve/struts/b/d.class */
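/**
 * Protect (RASP) rule for CVE-2016-4438 targeting Struts 2's
 * {@code com.opensymphony.xwork2.DefaultActionInvocation}.
 *
 * <p>Two phases are visible in this class:
 * <ul>
 *   <li>{@link #evaluateInput} is handed each user input; for {@code URI} inputs it
 *       URL-decodes the value and, when {@code g.c(...)} reports a match, stashes the
 *       decoded value on the current request context under
 *       {@link #USER_INPUT_KEY} and returns {@link A#MATCHED_ATTACK_SIGNATURE}.</li>
 *   <li>{@link #a(String)} is later asked whether a given action/method name was
 *       delivered through that matched input; when it was, the inherited
 *       {@code a(an, String, boolean)} is invoked to record the event.</li>
 * </ul>
 *
 * <p>Instrumentation is limited to {@link #TARGET_CLASS} and is skipped entirely while
 * sinks are disabled (see {@link #onInstrumentingClass}).
 *
 * <p>Decompiled class: the public members ({@code e}, {@code b}, the constructor and the
 * overridden/inherited-contract methods) keep their generated names because other code
 * refers to them; private members carry descriptive names instead.
 */
public final class d extends com.contrastsecurity.agent.plugins.rasp.rules.cve.struts.c implements k<CveDetailsDTM>, l<CveDetailsDTM, ContrastDefaultActionInvocationDispatcher> {
    /** Rule id; passed to {@code Z.a} for the typed rule id and to {@code R#f} to find the rule's context entry. */
    public static final String e = "cve-2016-4438";
    /** Request-context key under which the URL-decoded matching input is stashed for later correlation. */
    private static final String USER_INPUT_KEY = "cve-2016-4438-user-input";
    /** Internal (slash-separated) name of the only class this rule instruments. */
    private static final String TARGET_CLASS = "com/opensymphony/xwork2/DefaultActionInvocation";
    private final ApplicationManager applicationManager;
    private final h<ContrastDefaultActionInvocationDispatcher> dispatcherRegistration;
    private final ProtectManager protectManager;
    private final Z<CveDetailsDTM> ruleId;
    /**
     * Logger. As generated it is obtained for {@code ...rules.cve.struts.c.e} rather than
     * for this class; kept unchanged so the log category does not move.
     */
    public static final Logger b = LoggerFactory.getLogger(com.contrastsecurity.agent.plugins.rasp.rules.cve.struts.c.e.class);
    /** Jar-name suffixes handed to the superclass via {@link #a()}; presumably the affected Struts builds. */
    private static final String[] VULNERABLE_JARS = {"2.3.20.jar", "2.3.20.1.jar", "2.3.20.3.jar", "2.3.24.jar", "2.3.24.1.jar", "2.3.24.3.jar", "2.3.28.jar", "2.3.28.1.jar"};

    /**
     * Creates the rule.
     *
     * @param applicationManager used to resolve the current {@link Application}
     * @param protectManager     source of the current request context and of the sinks-disabled switch
     * @param interfaceC0094d    forwarded to the superclass constructor
     * @param hVar               dispatcher registration returned by {@link #getDispatcherRegistration()}
     */
    @Inject
    public d(ApplicationManager applicationManager, ProtectManager protectManager, InterfaceC0094d interfaceC0094d, h<ContrastDefaultActionInvocationDispatcher> hVar) {
        super(interfaceC0094d, protectManager);
        this.applicationManager = applicationManager;
        this.dispatcherRegistration = hVar;
        this.protectManager = protectManager;
        this.ruleId = Z.a(e, CveDetailsDTM.class);
    }

    /**
     * Wraps the visitor with {@code f} when the class being loaded is {@link #TARGET_CLASS},
     * has a code source, passes the {@code C0203a.b} flag check and sinks are enabled.
     * In every other case the visitor is returned untouched.
     *
     * @return the (possibly wrapped) visitor
     */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.m
    public ClassVisitor onInstrumentingClass(com.contrastsecurity.agent.instr.f<ContrastDefaultActionInvocationDispatcher> fVar, ClassVisitor classVisitor, InstrumentationContext instrumentationContext) {
        // TARGET_CLASS.equals(...) is null-safe, unlike calling equals on the context's name.
        if (this.protectManager.isSinksDisabled()
                || instrumentationContext.getCodeSource() == null
                || !C0203a.b(instrumentationContext.getFlags())
                || !TARGET_CLASS.equals(instrumentationContext.getInternalClassName())) {
            return classVisitor;
        }
        ClassVisitor wrapped = new f(classVisitor, instrumentationContext, fVar);
        instrumentationContext.setRequiresTransforming(true);
        instrumentationContext.getChanger().addAdapter("DefaultActionInvocationVisitor");
        return wrapped;
    }

    /** This rule is never treated as a code-exclusion special case. */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.l
    public boolean isCodeExclusionSpecialCase() {
        return false;
    }

    /** The target class is loaded by the application, so no primordial instrumentation is needed. */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.l
    public boolean requiresPrimordialInstrumentation(Class<?> cls) {
        return false;
    }

    /** @return the dispatcher registration supplied at construction */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.l
    public h<ContrastDefaultActionInvocationDispatcher> getDispatcherRegistration() {
        return this.dispatcherRegistration;
    }

    /** Only {@code URI} inputs are evaluated by this rule. */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.k
    public boolean appliesToInputType(UserInputDTM.InputType inputType) {
        return UserInputDTM.InputType.URI.equals(inputType);
    }

    /**
     * Evaluates a single user input.
     *
     * <p>For a {@code URI} input the value ({@code str2}) is URL-decoded and tested with
     * {@code g.c}. On a match the decoded value is stored on the current request context
     * (if there is one) under {@link #USER_INPUT_KEY} so that {@link #a(String)} can
     * correlate it with the invoked action later.
     *
     * @param inputType kind of input; anything but {@code URI} is ignored
     * @param str       unused here
     * @param str2      the input value to inspect (may be {@code null}; treated as no match)
     * @param str3      unused here
     * @param i         unused here
     * @return an {@link E} carrying {@link A#MATCHED_ATTACK_SIGNATURE} on a match, otherwise {@code null}
     */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.k
    public E evaluateInput(UserInputDTM.InputType inputType, String str, String str2, String str3, int i) {
        // NOTE(review): the debug lines log the raw URI, whereas the error paths pass it
        // through com.contrastsecurity.agent.e.c.a(b, ...) — presumably a log sanitiser;
        // confirm whether the debug output should use the same helper.
        b.debug("Evaluating input {} {}", inputType, str2);
        if (!UserInputDTM.InputType.URI.equals(inputType) || str2 == null) {
            return null;
        }
        try {
            String decoded = URLDecoder.decode(str2, "UTF-8");
            if (!g.c(decoded)) {
                return null;
            }
            R currentContext = this.protectManager.currentContext();
            if (currentContext != null) {
                currentContext.a(USER_INPUT_KEY, decoded);
            }
            b.debug("Evaluating input {}", str2);
            return new E(A.MATCHED_ATTACK_SIGNATURE);
        } catch (UnsupportedEncodingException ex) {
            b.error("Error decoding value {}", com.contrastsecurity.agent.e.c.a(b, str2), ex);
        } catch (IllegalArgumentException ex) {
            // Malformed percent-encoding; logged and treated as "no match" so the
            // request is not aborted by the rule itself.
            b.error("Error decoding value {}", com.contrastsecurity.agent.e.c.a(b, str2), ex);
        }
        return null;
    }

    /** @return the typed rule id built from {@link #e} */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.i
    public Z<CveDetailsDTM> getRuleId() {
        return this.ruleId;
    }

    /** @return the configuration key that overrides this rule's mode */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.i
    public ConfigProperty getModeOverrideKey() {
        return ConfigProperty.PROTECT_CVE_2016_4438_MODE;
    }

    /** @return the jar-name list consulted by the superclass (the internal array, not a copy) */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.cve.struts.c
    protected String[] a() {
        return VULNERABLE_JARS;
    }

    /**
     * Decides whether the action/method name {@code str} that is about to be invoked was
     * supplied through the user input matched by {@link #evaluateInput}.
     *
     * <p>Returns {@code false} when there is no current application, when the library
     * analysis has not run yet (logged at WARN), when the analysis says the application is
     * not vulnerable, or when the analysis carries no detail string.
     *
     * @param str the action/method name reported by the instrumented code
     * @return {@code true} only if the input correlates with {@code str} <em>and</em> the
     *         inherited {@code c(Application)} check passed
     */
    public boolean a(String str) {
        Application current = this.applicationManager.current();
        if (current == null) {
            return false;
        }
        // Evaluated before the analysis checks, as generated: c(...) is inherited and may
        // have side effects, so its position is kept.
        boolean appFlag = c(current);
        com.contrastsecurity.agent.plugins.rasp.rules.A analysis = getVulnerabilityAnalysis(current);
        if (analysis == null) {
            b.warn("Not analyzing request for {} because Contrast has not yet analyzed the application's libraries to see if the application is vulnerable", e);
            return false;
        }
        if (!analysis.a()) {
            return false;
        }
        String analysisDetail = analysis.c();
        if (StringUtils.isEmpty(analysisDetail)) {
            return false;
        }
        // The correlation helper runs even when appFlag is false (its side effects are
        // preserved); the final verdict still requires appFlag.
        return a(str, analysisDetail, appFlag) && appFlag;
    }

    /**
     * Correlates {@code str} with the matched user input held on the current request
     * context and, on a hit, reports it via the inherited {@code a(an, String, boolean)}.
     *
     * <p>The decoded value stashed by {@link #evaluateInput} is preferred; when absent the
     * raw context value is URL-decoded here. Both the raw and the decoded value are tested
     * against {@code str} and against {@code str} with a trailing {@code "()"} removed.
     *
     * @param str  action/method name (a {@code null} name never matches)
     * @param str2 detail string from the vulnerability analysis, forwarded to the reporter
     * @param z    inherited {@code c(Application)} result, forwarded to the reporter
     * @return {@code true} if a correlation was found and reported
     */
    private boolean a(String str, String str2, boolean z) {
        if (str == null) {
            return false;
        }
        // Struts may report the method as "name()"; compare both spellings.
        String bareName = str.endsWith("()") ? str.substring(0, str.length() - 2) : str;
        // Guarded like every other currentContext() use in this class; the generated code
        // dereferenced it unchecked here.
        R currentContext = this.protectManager.currentContext();
        if (currentContext == null) {
            return false;
        }
        an ruleEntry = currentContext.f(e);
        if (ruleEntry == null) {
            return false;
        }
        String rawValue = ruleEntry.a().getValue();
        if (StringUtils.isEmpty(rawValue)) {
            return false;
        }
        String decodedValue = "";
        Object stashed = currentContext.d(USER_INPUT_KEY);
        if (stashed instanceof String) {
            decodedValue = (String) stashed;
        }
        try {
            if (StringUtils.isEmpty(decodedValue)) {
                decodedValue = URLDecoder.decode(rawValue, "UTF-8");
            }
        } catch (UnsupportedEncodingException ex) {
            b.error("Error decoding {}", com.contrastsecurity.agent.e.c.a(b, rawValue), ex);
            return false;
        } catch (IllegalArgumentException ex) {
            // Malformed percent-encoding is caught in evaluateInput too; without this catch
            // it would propagate out of a(String) into the instrumented request path.
            b.error("Error decoding {}", com.contrastsecurity.agent.e.c.a(b, rawValue), ex);
            return false;
        }
        // NOTE(review): an empty str matches every value via contains(""); kept as generated.
        if (decodedValue.contains(str) || decodedValue.contains(bareName)
                || rawValue.contains(str) || rawValue.contains(bareName)) {
            a(ruleEntry, str2, z);
            return true;
        }
        return false;
    }
}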
