package com.atlassian.jira.issue.customfields.manager.xml;

import com.atlassian.annotations.VisibleForTesting;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.core.JVM;
import com.thoughtworks.xstream.security.AnyTypePermission;
import java.io.InputStream;
import java.util.regex.Pattern;

/* loaded from: input_file:com/atlassian/jira/issue/customfields/manager/xml/BlocklistedXStreamFactory.class */
final class BlocklistedXStreamFactory {
    private final XStreamLegacySettings legacySettings;

    /* JADX INFO: Access modifiers changed from: package-private */
    public BlocklistedXStreamFactory() {
        this(new XStreamLegacySettings());
    }

    @VisibleForTesting
    BlocklistedXStreamFactory(XStreamLegacySettings xStreamLegacySettings) {
        this.legacySettings = xStreamLegacySettings;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public XStream create() {
        XStream xStream = new XStream();
        xStream.addPermission(AnyTypePermission.ANY);
        fillDefaults(xStream);
        fillWorkaround(xStream);
        this.legacySettings.fill(xStream);
        return xStream;
    }

    private void fillDefaults(XStream xStream) {
        xStream.denyTypes(new String[]{"java.beans.EventHandler", "java.lang.ProcessBuilder", "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString", "com.sun.corba.se.impl.activation.ServerTableEntry", "com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator", "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", "sun.swing.SwingLazyValue"});
        xStream.denyTypesByRegExp(new Pattern[]{Pattern.compile(".*\\$LazyIterator"), Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*"), Pattern.compile(".*\\$GetterSetterReflection"), Pattern.compile(".*\\$PrivilegedGetter"), Pattern.compile("(?:java|sun)\\.rmi\\..*"), Pattern.compile("javax\\.crypto\\..*"), Pattern.compile(".*\\$ServiceNameIterator"), Pattern.compile("javafx\\.collections\\.ObservableList\\$.*"), Pattern.compile(".*\\.bcel\\..*\\.util\\.ClassLoader")});
        xStream.denyTypeHierarchy(InputStream.class);
        denyHierarchy(xStream, "java.nio.channels.Channel");
        denyHierarchy(xStream, "javax.activation.DataSource");
        denyHierarchy(xStream, "javax.sql.rowset.BaseRowSet");
        xStream.allowTypeHierarchy(Exception.class);
    }

    private void fillWorkaround(XStream xStream) {
        xStream.denyTypesByWildcard(new String[]{"sun.reflect.**", "sun.tracing.**", "com.sun.corba.**"});
        xStream.denyTypesByRegExp(new String[]{".*\\.ws\\.client\\.sei\\..*", ".*\\$ProxyLazyValue", "com\\.sun\\.jndi\\..*Enumerat(?:ion|tor)", ".*\\$URLData", ".*\\.xsltc\\.trax\\.TemplatesImpl"});
        xStream.denyTypes(new String[]{"org.apache.commons.collections.comparators.TransformingComparator", "org.apache.commons.collections.comparators.ComparableComparator", "org.apache.commons.collections.functors.InvokerTransformer", "org.apache.xalan.xsltc.trax.TemplatesImpl"});
    }

    private void denyHierarchy(XStream xStream, String str) {
        Class loadClassForName = JVM.loadClassForName(str);
        if (loadClassForName != null) {
            xStream.denyTypeHierarchy(loadClassForName);
        }
    }
}
