package com.contrastsecurity.agent.plugins.protect.rules.cve.struts.b;

import com.contrastsecurity.agent.apps.Application;
import com.contrastsecurity.agent.apps.ApplicationManager;
import com.contrastsecurity.agent.config.ConfigProperty;
import com.contrastsecurity.agent.instr.InstrumentationContext;
import com.contrastsecurity.agent.instr.i;
import com.contrastsecurity.agent.instr.p;
import com.contrastsecurity.agent.messages.app.activity.protect.details.CveDetailsDTM;
import com.contrastsecurity.agent.messages.app.activity.protect.details.UserInputDTM;
import com.contrastsecurity.agent.plugins.protect.A;
import com.contrastsecurity.agent.plugins.protect.EnumC0250y;
import com.contrastsecurity.agent.plugins.protect.InterfaceC0182d;
import com.contrastsecurity.agent.plugins.protect.P;
import com.contrastsecurity.agent.plugins.protect.ProtectManager;
import com.contrastsecurity.agent.plugins.protect.V;
import com.contrastsecurity.agent.plugins.protect.aj;
import com.contrastsecurity.agent.plugins.protect.rules.c.g;
import com.contrastsecurity.agent.plugins.protect.rules.k;
import com.contrastsecurity.agent.plugins.protect.rules.l;
import com.contrastsecurity.thirdparty.javax.inject.Inject;
import com.contrastsecurity.thirdparty.javax.inject.Singleton;
import com.contrastsecurity.thirdparty.org.apache.commons.lang.StringUtils;
import com.contrastsecurity.thirdparty.org.objectweb.asm.ClassVisitor;
import com.contrastsecurity.thirdparty.org.slf4j.Logger;
import com.contrastsecurity.thirdparty.org.slf4j.LoggerFactory;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.Modifier;
import java.net.URLDecoder;

/* compiled from: DefaultActionInvocationRule.java */
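/**
 * Protect rule registered under the id {@code cve-2016-4438} (decompiled from
 * {@code DefaultActionInvocationRule.java}).
 *
 * <p>The rule works in two stages that are both visible in this class:
 * <ol>
 *   <li>{@link #evaluateInput} screens the request URI, URL-decodes it and, when the imported
 *       {@code rules.c.g} helper flags it, stores the decoded URI in the current request context
 *       under {@code cve-2016-4438-user-input}.</li>
 *   <li>{@link #a(String)} is the sink-side check: it compares a string supplied by the caller
 *       against the recorded URI and reports a hit through the inherited
 *       {@code a(aj, String, boolean)} method.</li>
 * </ol>
 *
 * <p>Identifiers are obfuscated/decompiled names; several simple names ({@code a}, {@code d},
 * {@code f}, {@code g}) are reused for fields, methods and imported classes.
 */
@Singleton
/* loaded from: input_file:com/contrastsecurity/agent/plugins/protect/rules/cve/struts/b/d.class */
public final class d extends com.contrastsecurity.agent.plugins.protect.rules.cve.struts.c implements k<CveDetailsDTM>, l<CveDetailsDTM, ContrastDefaultActionInvocationDispatcher> {
    /** Rule identifier; also used as the lookup key for the recorded input in the request context. */
    public static final String d = "cve-2016-4438";
    /** Request-context key under which the URL-decoded URI is cached by {@link #evaluateInput}. */
    private static final String e = "cve-2016-4438-user-input";
    /** Internal (slash-separated) name of the only class this rule instruments. */
    private static final String f = "com/opensymphony/xwork2/DefaultActionInvocation";
    private final ApplicationManager g;
    private final p<ContrastDefaultActionInvocationDispatcher> h;
    private final ProtectManager i;
    private final V<CveDetailsDTM> j;
    // NOTE(review): the logger is created for struts.c.e, not for this class, so messages from this
    // rule appear under that category. Left unchanged because the field is public.
    public static final Logger a = LoggerFactory.getLogger((Class<?>) com.contrastsecurity.agent.plugins.protect.rules.cve.struts.c.e.class);
    // Jar-name suffixes handed to the base class through d(); presumably the library versions the
    // base class treats as affected -- confirm against struts.c.
    private static final String[] k = {"2.3.20.jar", "2.3.20.1.jar", "2.3.20.3.jar", "2.3.24.jar", "2.3.24.1.jar", "2.3.24.3.jar", "2.3.28.jar", "2.3.28.1.jar"};

    /**
     * Creates the rule and derives its typed rule id from {@link #d}.
     *
     * @param applicationManager source of the application bound to the current request
     * @param protectManager gives access to the per-request Protect context and the sink switch
     * @param interfaceC0182d passed straight through to the base class constructor
     * @param pVar dispatcher registration returned by {@link #dispatcherRegistration()}
     */
    @Inject
    public d(ApplicationManager applicationManager, ProtectManager protectManager, InterfaceC0182d interfaceC0182d, p<ContrastDefaultActionInvocationDispatcher> pVar) {
        super(interfaceC0182d, protectManager);
        this.g = applicationManager;
        this.h = pVar;
        this.i = protectManager;
        this.j = V.a(d, CveDetailsDTM.class);
    }

    /**
     * Wraps the visitor with this rule's instrumentation when the class being loaded is the
     * concrete {@code com/opensymphony/xwork2/DefaultActionInvocation}.
     *
     * @return the wrapping visitor, or {@code classVisitor} unchanged when sinks are disabled, the
     *     class has no code source, is abstract, or has a different internal name
     */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.m
    public ClassVisitor onInstrumentingClass(i<ContrastDefaultActionInvocationDispatcher> iVar, ClassVisitor classVisitor, InstrumentationContext instrumentationContext) {
        if (!this.i.isSinksDisabled() && instrumentationContext.getCodeSource() != null && !Modifier.isAbstract(instrumentationContext.getFlags()) && instrumentationContext.getInternalClassName().equals(f)) {
            classVisitor = new f(classVisitor, instrumentationContext, iVar);
        }
        return classVisitor;
    }

    /** Always {@code false}: this rule never asks for primordial instrumentation. */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.l
    public boolean requiresPrimordialInstrumentation(Class<?> cls) {
        return false;
    }

    /** Returns the dispatcher registration injected at construction time. */
    @Override // com.contrastsecurity.agent.instr.q
    public p<ContrastDefaultActionInvocationDispatcher> dispatcherRegistration() {
        return this.h;
    }

    /** Only {@code URI} input is evaluated by this rule. */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.k
    public boolean appliesToInputType(UserInputDTM.InputType inputType) {
        return UserInputDTM.InputType.URI.equals(inputType);
    }

    /**
     * Screens a request URI and caches its decoded form when it matches the attack signature.
     *
     * @param inputType kind of input; anything other than {@code URI} is ignored
     * @param str not read by this method
     * @param str2 the raw input value (the URI); {@code null} is treated as "no match"
     * @param str3 not read by this method
     * @param i not read by this method
     * @return an {@code A} carrying {@code MATCHED_ATTACK_SIGNATURE} when the decoded value is
     *     flagged, otherwise {@code null} (including when the value cannot be decoded)
     */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.k
    public A evaluateInput(UserInputDTM.InputType inputType, String str, String str2, String str3, int i) {
        // NOTE(review): the debug statements log the raw request value, while the error path
        // below passes it through f.c.a(...) first -- confirm whether that helper masks or
        // truncates and whether the debug path should use it too.
        a.debug("Evaluating input {} {}", inputType, str2);
        // URLDecoder.decode throws NullPointerException on null, so bail out early.
        if (!UserInputDTM.InputType.URI.equals(inputType) || str2 == null) {
            return null;
        }
        A a2 = null;
        try {
            String decode = URLDecoder.decode(str2, "UTF-8");
            // `g` here is meant to be the imported rules.c.g helper; the decompiler gave the
            // ApplicationManager field the same simple name -- presumably a naming clash only.
            if (g.c(decode)) {
                P currentContext = this.i.currentContext();
                if (currentContext != null) {
                    // Remember the decoded URI so the sink-side check does not decode again.
                    currentContext.a(e, decode);
                }
                a.debug("Evaluating input {}", str2);
                a2 = new A(EnumC0250y.MATCHED_ATTACK_SIGNATURE);
            }
        } catch (UnsupportedEncodingException | IllegalArgumentException e2) {
            // IllegalArgumentException is what URLDecoder raises for malformed %-escapes.
            a.error("Error decoding value {}", com.contrastsecurity.agent.f.c.a(a, str2), e2);
        }
        return a2;
    }

    /** Returns the typed rule id built from {@link #d}. */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.i
    public V<CveDetailsDTM> getRuleId() {
        return this.j;
    }

    /** Configuration property that overrides the mode of this rule. */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.i
    public ConfigProperty getModeOverrideKey() {
        return ConfigProperty.PROTECT_CVE_2016_4438_MODE;
    }

    /** Supplies the jar-name suffixes in {@link #k} to the base class. */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.cve.struts.c
    protected String[] d() {
        return k;
    }

    /**
     * Sink-side check: decides whether {@code str} appears in the URI recorded for this request.
     *
     * <p>Returns {@code false} without matching when there is no current application, when the
     * library analysis for the application is not available yet (a warning is logged), or when
     * that analysis reports {@code a() == false}.
     *
     * @param str value supplied by the instrumented call site; must not be {@code null}
     * @return {@code true} only when the value matched and the inherited {@code c(Application)}
     *     check returned {@code true}
     */
    public boolean a(String str) {
        boolean z = false;
        Application current = this.g.current();
        if (current == null) {
            return false;
        }
        boolean c = c(current);
        com.contrastsecurity.agent.plugins.protect.rules.A vulnerabilityAnalysis = getVulnerabilityAnalysis(current);
        if (vulnerabilityAnalysis == null) {
            a.warn("Not analyzing request for {} because Contrast has not yet analyzed the application's libraries to see if the application is vulnerable", d);
            return false;
        }
        if (!vulnerabilityAnalysis.a()) {
            return false;
        }
        String c2 = vulnerabilityAnalysis.c();
        if (StringUtils.isNotEmpty(c2)) {
            z = a(str, c2, c);
        }
        return z && c;
    }

    /**
     * Compares {@code str} (and {@code str} without a trailing {@code "()"}) against both the raw
     * and the URL-decoded form of the input recorded under {@link #d} in the request context, and
     * reports a hit through the inherited {@code a(aj, String, boolean)}.
     *
     * @param str value to look for; must not be {@code null}
     * @param str2 forwarded unchanged to the inherited reporting method
     * @param z forwarded unchanged to the inherited reporting method
     * @return {@code true} when the value was found in the recorded input
     */
    private boolean a(String str, String str2, boolean z) {
        String str3 = str;
        if (str.endsWith("()")) {
            str3 = str.substring(0, str.lastIndexOf("()"));
        }
        // currentContext() is null-checked everywhere else in this class; without this guard a
        // call outside a tracked request dereferenced null.
        P currentContext = this.i.currentContext();
        if (currentContext == null) {
            return false;
        }
        aj f2 = currentContext.f(d);
        if (f2 == null) {
            return false;
        }
        String value = f2.a().getValue();
        if (StringUtils.isEmpty(value)) {
            return false;
        }
        // Prefer the decoded URI cached by evaluateInput.
        String str4 = "";
        Object d2 = currentContext.d(e);
        if (d2 instanceof String) {
            str4 = (String) d2;
        }
        if (StringUtils.isEmpty(str4)) {
            try {
                str4 = URLDecoder.decode(value, "UTF-8");
            } catch (UnsupportedEncodingException | IllegalArgumentException ex) {
                // The value is request-controlled: a malformed %-escape makes URLDecoder throw
                // IllegalArgumentException. Log it and fall through so the raw value is still
                // compared below, instead of letting the exception escape or skipping the check.
                a.error("Error decoding {}", com.contrastsecurity.agent.f.c.a(a, value), ex);
                str4 = "";
            }
        }
        if (str4.contains(str) || str4.contains(str3) || value.contains(str) || value.contains(str3)) {
            a(f2, str2, z);
            return true;
        }
        return false;
    }
}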
