package com.contrastsecurity.agent.plugins.protect.rules.e;

import com.contrastsecurity.agent.apps.ApplicationManager;
import com.contrastsecurity.agent.config.ConfigProperty;
import com.contrastsecurity.agent.messages.app.activity.protect.AttackResult;
import com.contrastsecurity.agent.messages.app.activity.protect.details.SQLInjectionDTM;
import com.contrastsecurity.agent.messages.app.activity.protect.details.SQLInjectionInputTracingDTM;
import com.contrastsecurity.agent.messages.app.activity.protect.details.UserInputDTM;
import com.contrastsecurity.agent.plugins.protect.AttackBlockedException;
import com.contrastsecurity.agent.plugins.protect.EnumC0250y;
import com.contrastsecurity.agent.plugins.protect.InterfaceC0182d;
import com.contrastsecurity.agent.plugins.protect.P;
import com.contrastsecurity.agent.plugins.protect.ProtectManager;
import com.contrastsecurity.agent.plugins.protect.V;
import com.contrastsecurity.agent.plugins.protect.ai;
import com.contrastsecurity.agent.telemetry.b.i;
import com.contrastsecurity.agent.util.EnumC0303g;
import com.contrastsecurity.agent.util.N;
import com.contrastsecurity.thirdparty.javax.inject.Inject;
import com.contrastsecurity.thirdparty.javax.inject.Singleton;
import com.contrastsecurity.thirdparty.org.apache.commons.lang.StringUtils;
import java.time.Duration;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

/* compiled from: SQLInjectionProtectRule.java */
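@Singleton
/* loaded from: input_file:com/contrastsecurity/agent/plugins/protect/rules/e/B.class */
/**
 * Protect rule for SQL injection (decompiled; identifiers are obfuscated).
 *
 * <p>Two responsibilities are visible in this class:
 * <ul>
 *   <li>{@link #evaluateInput} scores a single request input. A series of
 *       length gates and exemptions short-circuit to {@code null} (no finding);
 *       otherwise the inherited evaluator {@code a(s, String, String, int)} is
 *       consulted first and two local heuristics ({@link #c}, {@link #f}) act as
 *       fallbacks that only ever produce {@code WORTH_WATCHING}.</li>
 *   <li>{@link #onDatabaseQueryAction} hands a database query to {@code this.b}
 *       for analysis, and {@link #a(SQLInjectionDTM, boolean)} reports the
 *       resulting attack and throws {@link AttackBlockedException} when blocking
 *       is requested.</li>
 * </ul>
 *
 * <p>Telemetry: every evaluated input's length is recorded in the
 * {@code sqlInjectionInputSize} distribution, and the time spent past the
 * length gates is recorded in the {@code sqlInjectionEvaluationTime} timer.
 */
public final class B extends com.contrastsecurity.agent.plugins.protect.rules.s<SQLInjectionDTM> {
    /** Rule identifier string. */
    public static final String a = "sql-injection";

    /** Characters counted as "markers" by {@link #f}: quotes, statement/comment punctuation and grouping symbols. */
    private static final String MARKER_CHARS = "\"'`;-%,()|{}";
    /** Tag attached to a finding produced by {@link #c}; the int value accompanying it is {@link #AUTH_BYPASS_TAG_VALUE}. */
    private static final String AUTH_BYPASS_TAG = "AUTH-BYPASS-1";
    /** Second argument passed with {@link #AUTH_BYPASS_TAG} to {@code A.a(String, int)}; its meaning is not visible here. */
    private static final int AUTH_BYPASS_TAG_VALUE = 2;
    /**
     * Whole-input match (case-insensitive): a run of letters / {@code @} / {@code .} / {@code -},
     * optional whitespace, a single or double quote, optional whitespace, then a comment opener
     * ({@code --}, {@code #} or {@code /*}) and only whitespace to the end of the input.
     */
    private static final Pattern AUTH_BYPASS_PATTERN =
            Pattern.compile("^[a-zA-Z@\\.-]+(\\s)*('|\")(\\s*)(\\-\\-|#|/\\*)(\\s*)$", Pattern.CASE_INSENSITIVE);
    /** Case-insensitive {@code or} surrounded by whitespace on both sides, found anywhere in the input. */
    private static final Pattern OR_KEYWORD_PATTERN = Pattern.compile("(\\s+)or(\\s+)", Pattern.CASE_INSENSITIVE);

    /** Receives database query work items (instances of {@code q}) from {@link #onDatabaseQueryAction}. */
    private final n b;
    /** Passed to the inherited evaluator in {@link #evaluateInput}; its role is not visible here. */
    private final s c;
    private final ApplicationManager applicationManager;
    /** Target of the report call in {@link #a(SQLInjectionDTM, boolean)}; presumably attack reporting — confirm. */
    private final InterfaceC0182d e;
    private final ProtectManager protectManager;
    private final V<SQLInjectionDTM> ruleId;
    /** Supplies the object whose {@code a()}/{@code d()} are consulted before reporting; semantics not visible here. */
    private final com.contrastsecurity.agent.plugins.protect.rules.e.a.u h;
    /** Timer: {@code sqlInjectionEvaluationTime}. */
    private final com.contrastsecurity.agent.telemetry.b.l evaluationTimer;
    /** Distribution: {@code sqlInjectionInputSize}. */
    private final com.contrastsecurity.agent.telemetry.b.c inputSizeDistribution;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Wires collaborators and registers the two telemetry metrics.
     *
     * @param iVar telemetry factory; {@code b(...)} builds the evaluation-time timer with
     *             millisecond-to-minute buckets, {@code a(...)} builds the input-size
     *             distribution with decade buckets up to 1e7
     */
    @Inject
    public B(ApplicationManager applicationManager, InterfaceC0182d interfaceC0182d, ProtectManager protectManager, V<SQLInjectionDTM> v, n nVar, com.contrastsecurity.agent.plugins.protect.rules.e.a.u uVar, s sVar, @u com.contrastsecurity.agent.plugins.protect.rules.q qVar, com.contrastsecurity.agent.telemetry.b.i iVar) {
        super(qVar);
        this.ruleId = v;
        this.applicationManager = applicationManager;
        this.e = interfaceC0182d;
        this.protectManager = protectManager;
        this.b = nVar;
        this.h = uVar;
        this.c = sVar;
        this.evaluationTimer = iVar
                .b("sqlInjectionEvaluationTime", i.a.TESTING, 1.0d, Double.POSITIVE_INFINITY)
                .a("Records distribution information on the time it takes for Protect to evaluate an input for SQL Injection.")
                .a(Duration.ofMillis(1L), Duration.ofMillis(5L), Duration.ofMillis(10L), Duration.ofMillis(100L),
                        Duration.ofMillis(250L), Duration.ofMillis(500L), Duration.ofSeconds(1L), Duration.ofSeconds(10L),
                        Duration.ofSeconds(60L), Duration.ofNanos(Long.MAX_VALUE))
                .h();
        this.inputSizeDistribution = iVar
                .a("sqlInjectionInputSize", i.a.TESTING, 1.0d, Double.POSITIVE_INFINITY)
                .a("Records distribution information on the sizes of inputs handled by Protect when evaluating for SQL Injection.")
                .a(10.0d, 100.0d, 1000.0d, 10000.0d, 100000.0d, 1000000.0d, 1.0E7d, Double.POSITIVE_INFINITY)
                .i();
    }

    @Override // com.contrastsecurity.agent.plugins.protect.rules.i
    public V<SQLInjectionDTM> getRuleId() {
        return this.ruleId;
    }

    /** Configuration key that overrides this rule's mode. */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.i
    public ConfigProperty getModeOverrideKey() {
        return ConfigProperty.PROTECT_SQLI_MODE;
    }

    /**
     * Applies to every input type except parameter names and the request URI.
     *
     * @param inputType may be {@code null}; a null type is treated as applicable
     */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.k
    public boolean appliesToInputType(UserInputDTM.InputType inputType) {
        return !(UserInputDTM.InputType.PARAMETER_NAME.equals(inputType) || UserInputDTM.InputType.URI.equals(inputType));
    }

    /**
     * Evaluates one request input for SQL injection.
     *
     * <p>Order of decisions (each {@code null} return means "no finding"):
     * <ol>
     *   <li>null value: {@code null}.</li>
     *   <li>The value length is recorded in the input-size distribution.</li>
     *   <li>Exemptions: a multipart {@code Content-Type} header, the {@code $WSXCTCONTEXTID}
     *       input name, a 7-character {@code #}-prefixed value accepted by {@code N.b},
     *       values shorter than 3 characters, or {@code ai.a(i, 4)} being true.</li>
     *   <li>3-character values are kept only if they contain {@code #}.</li>
     *   <li>Values shorter than 8 characters are decided solely by {@link #e} and
     *       {@link #a(String)}: {@code WORTH_WATCHING} or {@code null}.</li>
     *   <li>Values shorter than 15 characters are dropped when {@code ai.a(i, 32)} is true
     *       and the value contains neither {@code true} nor {@code false}.</li>
     *   <li>Otherwise the inherited evaluator runs; if it returns {@code null},
     *       {@link #c} (tagged {@code AUTH-BYPASS-1}) and then {@link #f} may still
     *       raise a {@code WORTH_WATCHING} finding.</li>
     * </ol>
     *
     * @param inputType kind of input (header, parameter, ...)
     * @param str       input name
     * @param str2      unused here
     * @param str3      input value; may be {@code null}
     * @param i         flags word passed to {@code ai.a(int, int)} — appears to be a bit test; confirm against {@code ai}
     * @return the finding, or {@code null} when nothing was detected
     */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.k
    public com.contrastsecurity.agent.plugins.protect.A evaluateInput(UserInputDTM.InputType inputType, String str, String str2, String str3, int i) {
        if (str3 == null) {
            return null;
        }
        final int length = str3.length();
        this.inputSizeDistribution.a(length);
        if (a(inputType, str, str3)
                || "$WSXCTCONTEXTID".equals(str)
                || b(str3)
                || length < 3
                || ai.a(i, 4)) {
            return null;
        }
        // A 3-character value only survives when it carries a '#'.
        if (length == 3 && str3.indexOf('#') == -1) {
            return null;
        }
        // Short values: comment markers or a spaced "or" are enough to watch, nothing else is checked.
        if (length < 8) {
            return (e(str3) || a(str3)) ? new com.contrastsecurity.agent.plugins.protect.A(EnumC0250y.WORTH_WATCHING) : null;
        }
        if (length < 15 && ai.a(i, 32) && !d(str3)) {
            return null;
        }
        // Only the work past the gates is timed. Note the timer is not recorded if the
        // inherited evaluator throws, since there is no finally block here.
        final long start = System.nanoTime();
        com.contrastsecurity.agent.plugins.protect.A result = a(this.c, str, str3, i);
        if (result == null && c(str3)) {
            result = new com.contrastsecurity.agent.plugins.protect.A(EnumC0250y.WORTH_WATCHING);
            result.a(AUTH_BYPASS_TAG, AUTH_BYPASS_TAG_VALUE);
        }
        if (result == null && f(str3)) {
            result = new com.contrastsecurity.agent.plugins.protect.A(EnumC0250y.WORTH_WATCHING);
        }
        this.evaluationTimer.a(System.nanoTime() - start, TimeUnit.NANOSECONDS);
        return result;
    }

    /**
     * Exemption for 7-character values starting with {@code #} whose remainder passes
     * {@code N.b(str, 1)} (the check performed by {@code N.b} is not visible here — confirm).
     */
    private boolean b(String str) {
        return str.length() == 7 && str.charAt(0) == '#' && N.b(str, 1);
    }

    /** Exemption: a {@code Content-Type} header whose value starts with {@code multipart/form-data;}. */
    private boolean a(UserInputDTM.InputType inputType, String str, String str2) {
        return UserInputDTM.InputType.HEADER == inputType
                && "Content-Type".equalsIgnoreCase(str)
                && str2.startsWith("multipart/form-data;");
    }

    /** True when the entire value matches {@link #AUTH_BYPASS_PATTERN}. */
    private boolean c(String str) {
        return AUTH_BYPASS_PATTERN.matcher(str).matches();
    }

    /** True when the value contains {@code true} or {@code false}, ignoring case. */
    private boolean d(String str) {
        return StringUtils.indexOfIgnoreCase(str, "true") != -1
                || StringUtils.indexOfIgnoreCase(str, "false") != -1;
    }

    /** True when the value contains {@link #OR_KEYWORD_PATTERN} anywhere. Package-private (tests presumably). */
    boolean a(String str) {
        return OR_KEYWORD_PATTERN.matcher(str).find();
    }

    /** True when the value contains any SQL comment opener: {@code #}, {@code //}, {@code --} or {@code /*}. */
    private boolean e(String str) {
        return str.indexOf('#') != -1 || str.contains("//") || str.contains("--") || str.contains("/*");
    }

    /**
     * Structural heuristic for values of at least 10 characters.
     *
     * <p>Scans left to right and returns {@code true} as soon as either
     * <ul>
     *   <li>a {@code *​/} is seen after an earlier {@code /*} (a closed block comment), or</li>
     *   <li>at least two "markers" and at least one whitespace character have been seen,
     *       where a marker is {@code /*}, {@code *​/} (even without a preceding opener)
     *       or any character in {@link #MARKER_CHARS}.</li>
     * </ul>
     * Two-character sequences are consumed as a unit so their characters are not
     * double-counted.
     *
     * @param str value to scan; {@code null} or shorter than 10 characters yields {@code false}
     */
    private static boolean f(String str) {
        if (str == null || str.length() < 10) {
            return false;
        }
        final int len = str.length();
        int markers = 0;
        int whitespace = 0;
        boolean commentOpened = false;
        int idx = 0;
        while (idx < len) {
            final char ch = str.charAt(idx);
            final int next = idx + 1;
            if (ch == '/' && next < len && str.charAt(next) == '*') {
                markers++;
                commentOpened = true;
                idx += 2;
            } else if (ch == '*' && next < len && str.charAt(next) == '/') {
                if (commentOpened) {
                    return true;
                }
                markers++;
                idx += 2;
            } else if (a(ch)) {
                markers++;
                idx++;
            } else if (Character.isWhitespace(ch)) {
                whitespace++;
                idx++;
            } else {
                idx++;
            }
            if (markers >= 2 && whitespace >= 1) {
                return true;
            }
        }
        return false;
    }

    /** True when {@code c} is one of {@link #MARKER_CHARS}. */
    private static boolean a(char c) {
        return MARKER_CHARS.indexOf(c) != -1;
    }

    /**
     * Submits a database query for analysis, unless there is no current application.
     *
     * @param p           query context passed through to the work item
     * @param enumC0303g  database/dialect enum passed through to the work item
     * @param str         the query text
     */
    @Override // com.contrastsecurity.agent.plugins.protect.T
    public void onDatabaseQueryAction(P p, EnumC0303g enumC0303g, String str) {
        if (this.applicationManager.current() == null) {
            return;
        }
        final boolean canBlock = this.protectManager.canBlock(this);
        this.b.a(new q(enumC0303g, str, p, canBlock, this));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Reports a detected SQL injection attack and, when {@code z} is true, blocks it by
     * throwing {@link AttackBlockedException}.
     *
     * <p>Before reporting, {@code this.h.e()} is consulted and its {@code d()} invoked when
     * {@code a()} holds; what that represents is not visible here. The reported input is the
     * tracing DTM's own input when available, otherwise a synthetic {@code UNKNOWN}-typed
     * input carrying the raw query.
     *
     * @param sQLInjectionDTM attack details
     * @param z               {@code true} to report as {@code BLOCKED} and throw; {@code false} to report as {@code EXPLOITED}
     * @throws AttackBlockedException when {@code z} is true
     */
    public void a(SQLInjectionDTM sQLInjectionDTM, boolean z) {
        final com.contrastsecurity.agent.plugins.protect.rules.e.a.s pending = this.h.e();
        if (pending != null && pending.a()) {
            pending.d();
        }
        final UserInputDTM input = sQLInjectionDTM instanceof SQLInjectionInputTracingDTM
                ? ((SQLInjectionInputTracingDTM) sQLInjectionDTM).getInput()
                : UserInputDTM.builder().type(UserInputDTM.InputType.UNKNOWN).value(sQLInjectionDTM.getQuery()).build();
        final AttackResult outcome = z ? AttackResult.BLOCKED : AttackResult.EXPLOITED;
        this.e.a(this.ruleId, sQLInjectionDTM, input, outcome);
        if (z) {
            throw new AttackBlockedException("SQL injection detected");
        }
    }
}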
