package com.atlassian.jira.webtests.ztests.dashboard.reports.security.xss;

import com.atlassian.integrationtesting.runner.restore.Restore;
import com.atlassian.jira.functest.framework.Administration;
import com.atlassian.jira.functest.framework.BaseJiraFuncTest;
import com.atlassian.jira.functest.framework.FunctTestConstants;
import com.atlassian.jira.functest.framework.LoginAs;
import com.atlassian.jira.functest.framework.RestoreBlankInstance;
import com.atlassian.jira.functest.framework.admin.CustomFields;
import com.atlassian.jira.functest.framework.suite.Category;
import com.atlassian.jira.functest.framework.suite.WebTest;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.inject.Inject;
import org.junit.Assert;
import org.junit.Test;
import org.w3c.dom.html.HTMLCollection;
import org.w3c.dom.html.HTMLOptionElement;
import org.w3c.dom.html.HTMLSelectElement;

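/**
 * Regression tests for XSS on the "Configure Report" page.
 *
 * <p>Each test plants a marker payload (through a request parameter, or through a
 * custom field name that the page later renders) and then verifies two things on
 * the resulting page:
 * <ol>
 *   <li>the payload did NOT become live markup: no element with the marker id exists
 *       in the parsed DOM and the raw payload string is absent from the response;</li>
 *   <li>the HTML-entity-encoded form of the payload IS present, i.e. the value really
 *       reached the page and went through output encoding.</li>
 * </ol>
 * The second, positive check matters: without it an implementation that simply drops
 * the tainted value would pass while the escaping path stayed unexercised.
 *
 * <p>Scope caveat: only the HTML text/attribute escaping of this one payload is
 * checked. A sink inside a JavaScript string or a URL would need a different marker
 * and different expected encoding; this class does not cover those contexts.
 */
@LoginAs(user = "admin")
@WebTest({Category.FUNC_TEST, Category.REPORTS, Category.SECURITY})
/* loaded from: input_file:com/atlassian/jira/webtests/ztests/dashboard/reports/security/xss/TestXssInConfigureReport.class */
public class TestXssInConfigureReport extends BaseJiraFuncTest {
    /** id of the script element that exists only if the payload was rendered as markup. */
    private static final String XSS_ID = "__xss_script_injected_into_the_page__";
    /** Marker payload: closes the enclosing attribute/tag and opens an identifiable script element. */
    private static final String XSS = "\"/><script id='__xss_script_injected_into_the_page__'></script>";
    /** The same payload as it must appear once correctly HTML-entity-encoded. */
    private static final String XSS_ENCODED = "&quot;/&gt;&lt;script id=&#39;__xss_script_injected_into_the_page__&#39;&gt;&lt;/script&gt;";
    /** id of the statistic-type dropdown inspected for the escaped payload in its option labels. */
    private static final String STATISTIC_TYPE_SELECT_ID = "statistictype_select";

    @Inject
    private Administration administration;

    /**
     * Reflected XSS: the payload is carried in the {@code subtaskInclusion} request
     * parameter of the time-tracking report configuration page.
     *
     * <p>The {@code atl_token} value is hardcoded; if XSRF validation were to reject
     * it the report would never render and the positive (escaped-marker) assertion in
     * {@link #assertXssNotInPage(String)} would fail rather than pass vacuously.
     */
    @Test
    @Restore("TestConfigureReport.xml")
    public void testConfigureReportXSS() {
        assertXssNotInPage("/secure/ConfigureReport.jspa?atl_token=Pi7Pim9fcC&versionId=10000&sortingOrder=least&completedFilter=all&subtaskInclusion='all\"\"/><script id='__xss_script_injected_into_the_page__'></script>'&selectedProjectId=10000&reportKey=com.atlassian.jira.jira-core-reports-plugin:time-tracking&Next=Next");
    }

    /**
     * Stored XSS: a custom field is created whose name is the payload (user-picker
     * type, empty description), then the pie-report configuration page is loaded.
     * The field name is expected to surface in the statistic-type dropdown, so the
     * option labels of that select are where the escaped marker is looked for.
     */
    @Test
    @RestoreBlankInstance
    public void testConfigureReportXssFromCustomFieldName() {
        this.backdoor.customFields().createCustomField(
                XSS,
                "",
                CustomFields.builtInCustomFieldKey(FunctTestConstants.CUSTOM_FIELD_TYPE_USERPICKER),
                CustomFields.builtInCustomFieldKey(FunctTestConstants.CUSTOM_FIELD_USER_PICKER_GROUP_SEARCHER));
        assertXssNotInPage("/secure/ConfigureReport!default.jspa?reportKey=com.atlassian.jira.jira-core-reports-plugin:pie-report");
    }

    /**
     * Loads {@code url} and asserts that the XSS marker was neutralised but not lost.
     *
     * <p>Negative checks: no element with {@link #XSS_ID} in the DOM (the script tag was
     * not created) and the raw {@link #XSS} string absent from the response.
     * Positive check: {@link #XSS_ENCODED} must be present. When the statistic-type
     * select exists and has options, the escaped payload is required to be in one of
     * its option labels; otherwise it merely has to appear somewhere in the page.
     *
     * @param url page to load, relative to the JIRA base URL
     */
    private void assertXssNotInPage(String url) {
        this.tester.gotoPage(url);
        // Primary check: the payload would only yield an element with this id if it was
        // emitted as unescaped markup.
        this.tester.assertElementNotPresent(XSS_ID);
        // Belt and braces: the literal payload must not occur anywhere in the response.
        this.tester.assertTextNotPresent(XSS);
        // Positive control: the escaped form must have been rendered, proving the
        // tainted value reached the page instead of being filtered out.
        List<String> optionLabels = readOptionLabels(STATISTIC_TYPE_SELECT_ID);
        if (optionLabels.isEmpty()) {
            this.tester.assertTextPresent(XSS_ENCODED);
        } else {
            boolean escapedPayloadInOptions = optionLabels.stream()
                    .anyMatch(label -> label.contains(XSS_ENCODED));
            Assert.assertTrue(
                    "Option " + XSS_ENCODED + " not found in page from " + optionLabels,
                    escapedPayloadInOptions);
        }
    }

    /**
     * Collects the label text of every option of the select element with the given id.
     *
     * @param selectId DOM id of the {@code <select>} element
     * @return the option labels in document order, or an empty list when no such element exists
     */
    private List<String> readOptionLabels(String selectId) {
        HTMLSelectElement select = this.tester.getDialog().getElement(selectId);
        if (select == null) {
            return Collections.emptyList();
        }
        // Hoisted out of the loop: the options collection is re-fetched otherwise on every iteration.
        HTMLCollection options = select.getOptions();
        int optionCount = options.getLength();
        List<String> labels = new ArrayList<>(optionCount);
        for (int i = 0; i < optionCount; i++) {
            // HTMLCollection#item is typed as Node; an option collection only holds option elements.
            labels.add(((HTMLOptionElement) options.item(i)).getText());
        }
        return labels;
    }
}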
