package com.contrastsecurity.agent.plugins.protect.rules.xxe;

import com.contrastsecurity.agent.Sensor;
import com.contrastsecurity.agent.config.ConfigProperty;
import com.contrastsecurity.agent.instr.InstrumentationContext;
import com.contrastsecurity.agent.instr.p;
import com.contrastsecurity.agent.messages.app.activity.protect.AttackResult;
import com.contrastsecurity.agent.messages.app.activity.protect.details.ExternalEntityWrapperDTM;
import com.contrastsecurity.agent.messages.app.activity.protect.details.UserInputDTM;
import com.contrastsecurity.agent.messages.app.activity.protect.details.XMLMatchDTM;
import com.contrastsecurity.agent.plugins.protect.AttackBlockedException;
import com.contrastsecurity.agent.plugins.protect.InterfaceC0182d;
import com.contrastsecurity.agent.plugins.protect.P;
import com.contrastsecurity.agent.plugins.protect.ProtectManager;
import com.contrastsecurity.agent.plugins.protect.T;
import com.contrastsecurity.agent.plugins.protect.V;
import com.contrastsecurity.agent.plugins.protect.rules.l;
import com.contrastsecurity.agent.plugins.protect.rules.xxe.a.a.a.b;
import com.contrastsecurity.agent.plugins.protect.rules.xxe.a.a.a.c;
import com.contrastsecurity.agent.plugins.protect.rules.xxe.c.b;
import com.contrastsecurity.agent.plugins.protect.rules.xxe.c.c;
import com.contrastsecurity.agent.plugins.protect.rules.xxe.d.d;
import com.contrastsecurity.agent.plugins.protect.rules.xxe.d.e;
import com.contrastsecurity.agent.plugins.protect.rules.xxe.d.f;
import com.contrastsecurity.agent.plugins.protect.rules.xxe.d.h;
import com.contrastsecurity.agent.util.N;
import com.contrastsecurity.agent.z;
import com.contrastsecurity.thirdparty.com.rabbitmq.client.ConnectionFactory;
import com.contrastsecurity.thirdparty.javax.inject.Inject;
import com.contrastsecurity.thirdparty.javax.inject.Singleton;
import com.contrastsecurity.thirdparty.jregex.MatchIterator;
import com.contrastsecurity.thirdparty.jregex.MatchResult;
import com.contrastsecurity.thirdparty.jregex.Pattern;
import com.contrastsecurity.thirdparty.jregex.WildcardPattern;
import com.contrastsecurity.thirdparty.org.apache.commons.lang.StringEscapeUtils;
import com.contrastsecurity.thirdparty.org.apache.commons.lang.StringUtils;
import com.contrastsecurity.thirdparty.org.objectweb.asm.ClassVisitor;
import com.contrastsecurity.thirdparty.org.slf4j.Logger;
import com.contrastsecurity.thirdparty.org.slf4j.LoggerFactory;
import java.io.InputStream;
import java.io.Reader;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import org.xml.sax.InputSource;

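/**
 * Protect rule for XML External Entity (XXE) attacks.
 *
 * <p>The rule has two halves. At instrumentation time ({@link #onInstrumentingClass}) it
 * installs bytecode visitors into the supported parser classes, looked up by internal class
 * name in {@link #h}. At run time the {@code @Sensor} methods are called from that
 * instrumentation (Xerces SAX/DOM, Xerces/JDK StAX, Woodstox, IBM XLXP and Xerces XInclude
 * hooks). They collect the captured prolog / DTD text and the references of resolved external
 * entities into a per-request parsing context, scan the text for
 * {@code <!ENTITY ... SYSTEM|PUBLIC ...>} (or XInclude {@code href}) declarations, and report
 * an attack -- blocking the parse when the {@link ProtectManager} allows -- once an external
 * reference is classified as suspicious by {@link #a(String)}.
 *
 * <p>The per-request contexts live on {@link P} under the {@code xxe_*} keys below. From the
 * call patterns {@code P.a(key, value)} stores, {@code P.d(key)} reads and {@code P.e(key)}
 * removes a value (inferred from usage; {@code P} is not in this file).
 *
 * <p>This is a decompiled listing. Obfuscated names of non-private members are kept because
 * other classes (and tests, see {@code @z}) refer to them; private helpers have descriptive
 * names. Note that the simple names {@code d}, {@code e} and {@code b} denote both a field of
 * this class and an imported type; Java resolves them by context.
 */
@Singleton
@Sensor
public final class XXEProtectRule extends T<XXEDetailsDTM> implements l<XXEDetailsDTM, ContrastXXEProtectDispatcher> {
    public static final String ID = "xxe";
    /** Sink that receives attack reports (see {@link #reportAttack}). */
    private final InterfaceC0182d e;
    /** Dispatcher registration returned from {@link #dispatcherRegistration()}. */
    private final p<ContrastXXEProtectDispatcher> f;
    /** Source of the block/monitor decision and of the sinks-disabled flag. */
    private final ProtectManager g;
    /** Visitor factories keyed by internal class name; consulted in {@link #onInstrumentingClass}. */
    private final Map<String, i<?>> h = new HashMap<String, i<?>>();
    private final V<XXEDetailsDTM> i;
    /** Key handed to the project logging helper in {@link #onXercesDocumentParsingStart}. */
    private static final String j = "xercesDocParsingStart";

    /** Request-context key of the Woodstox parsing context. */
    @z
    static final String c = "xxe_woodstox";

    /** Request-context key of the Xerces SAX/DOM (and XInclude) parsing context. */
    @z
    static final String d = "xxe_xerces";
    /** Request-context key of the Xerces/JDK StAX parsing context. */
    private static final String k = "xxe_xerces_stax";
    /** Request-context key of the IBM XLXP parsing context. */
    private static final String l = "xxe_ibm_xlxp";
    /** Not referenced in this class; presumably used by callers that truncate evidence. */
    public static final int MAX_EVIDENCE_LENGTH = 2048;
    /** Name reported for the user input (the XML prolog) in attack reports. */
    private static final String r = "XML Prolog";

    /**
     * External entity declaration {@code <!ENTITY name SYSTEM|PUBLIC ...>}. Group 1 is the
     * whole declaration, group 2 the text after the keyword; {@link #scanProlog} records the
     * offsets of group 2 as evidence. The {@code 0-f} range in the name class covers ASCII
     * 0x30-0x66 (digits, several punctuation characters and a-f) -- wider than the {@code 0-9}
     * it was presumably meant to be. Left unchanged because narrowing it could drop matches.
     */
    @z
    static final Pattern a = new Pattern("(<!ENTITY(?:\\s+)[a-zA-Z0-f]+(?:\\s+)(?:SYSTEM|PUBLIC)(?:\\s+)(.*?)>)");

    /**
     * XInclude {@code :include href="..."} reference; group 2 is the href value. The trailing
     * argument is a jregex flag (value 1) -- presumably case-insensitive matching; confirm
     * against the bundled jregex REFlags constants.
     */
    @z
    static final Pattern b = new Pattern("(:include(?:\\s+)href=(?:['\"]((?:\\w:)*(?:\\/)*(?:[A-z0-9.-_+]+(?:\\/)*)+)['\"])(?:\\s*)(?:parse=)*)", 1);
    /** Path-traversal sequences searched for in the URL-decoded reference. */
    private static final String[] m = {"../", "..\\"};
    /**
     * Leading prefixes that make a reference suspicious on their own (presumably absolute
     * paths). The decompiler replaced the original string literals with library constants of
     * equal value: {@code ConnectionFactory.DEFAULT_VHOST} is "/"; check the value of
     * {@code WildcardPattern.ANY_CHAR} in the bundled jregex.
     */
    private static final String[] n = {ConnectionFactory.DEFAULT_VHOST, WildcardPattern.ANY_CHAR};
    /** Query/fragment markers that void the benign-suffix allowance in {@link #a(String)}. */
    private static final String[] o = {"#", "?"};
    /** Optional leading backslashes, then a 1-3 letter scheme or drive letter and a colon (e.g. {@code C:}). */
    private static final Pattern p = new Pattern("^[\\\\]*[a-zA-Z]{1,3}:.*");
    private static final Logger q = LoggerFactory.getLogger((Class<?>) XXEProtectRule.class);

    /**
     * Wires the rule and registers one visitor factory per instrumented parser class.
     *
     * @param interfaceC0182d sink that receives attack reports
     * @param pVar dispatcher registration for the generated sensor dispatcher
     * @param protectManager source of the block/monitor decision and the sinks-disabled flag
     */
    @Inject
    public XXEProtectRule(InterfaceC0182d interfaceC0182d, p<ContrastXXEProtectDispatcher> pVar, ProtectManager protectManager) {
        this.e = interfaceC0182d;
        this.f = pVar;
        this.g = protectManager;
        // One factory instance is shared by every class name it applies to. The keys are
        // internal class names declared on the xxe.d.c, xxe.a.a.a.a and xxe.c.a constant holders.
        d.a aVar = new d.a();
        e.a aVar2 = new e.a();
        f.a aVar3 = new f.a();
        b.a aVar4 = new b.a();
        c.a aVar5 = new c.a();
        c.a aVar6 = new c.a();
        b.a aVar7 = new b.a();
        h.a aVar8 = new h.a();
        this.h.put(com.contrastsecurity.agent.plugins.protect.rules.xxe.d.c.c, aVar3);
        this.h.put(com.contrastsecurity.agent.plugins.protect.rules.xxe.d.c.d, aVar3);
        this.h.put(com.contrastsecurity.agent.plugins.protect.rules.xxe.d.c.a, aVar3);
        this.h.put(com.contrastsecurity.agent.plugins.protect.rules.xxe.d.c.b, aVar3);
        this.h.put(com.contrastsecurity.agent.plugins.protect.rules.xxe.d.c.e, aVar2);
        this.h.put(com.contrastsecurity.agent.plugins.protect.rules.xxe.d.c.f, aVar2);
        this.h.put(com.contrastsecurity.agent.plugins.protect.rules.xxe.d.c.j, aVar8);
        this.h.put(com.contrastsecurity.agent.plugins.protect.rules.xxe.d.c.k, aVar8);
        this.h.put(com.contrastsecurity.agent.plugins.protect.rules.xxe.a.a.a.a.a, aVar6);
        this.h.put(com.contrastsecurity.agent.plugins.protect.rules.xxe.a.a.a.a.b, aVar7);
        this.h.put(com.contrastsecurity.agent.plugins.protect.rules.xxe.d.c.g, aVar);
        this.h.put(com.contrastsecurity.agent.plugins.protect.rules.xxe.d.c.h, aVar);
        this.h.put(com.contrastsecurity.agent.plugins.protect.rules.xxe.d.c.i, aVar);
        this.h.put(com.contrastsecurity.agent.plugins.protect.rules.xxe.c.a.b, aVar4);
        this.h.put(com.contrastsecurity.agent.plugins.protect.rules.xxe.c.a.c, aVar5);
        this.i = V.a(ID, XXEDetailsDTM.class);
    }

    @Override // com.contrastsecurity.agent.plugins.protect.rules.i
    public V<XXEDetailsDTM> getRuleId() {
        return this.i;
    }

    @Override // com.contrastsecurity.agent.plugins.protect.rules.i
    public ConfigProperty getModeOverrideKey() {
        return ConfigProperty.PROTECT_XXE_MODE;
    }

    /**
     * Sensor: a Xerces parse is starting on {@code obj}, an {@link InputSource}.
     * Every failure, including errors, goes to the project logging helper so the
     * application's parse is never disturbed by this hook.
     */
    @Sensor
    public void onXercesDocumentParsingStart(P p2, Object obj) {
        try {
            handleXercesDocumentParsingStart(p2, (InputSource) obj);
        } catch (Throwable th) {
            com.contrastsecurity.agent.logging.a.a(j, q, "Problem handling Xerces document parsing start", th);
        }
    }

    /**
     * Creates a fresh Xerces parsing context, swaps the input's byte stream and/or character
     * stream for the rule's wrapper streams, and stores the context under {@link #d}.
     * The wrappers are presumably what later supplies the prolog text read by
     * {@link #scanProlog}; the wrapper classes are not in this file.
     */
    private void handleXercesDocumentParsingStart(P p2, InputSource inputSource) {
        if (q.isDebugEnabled()) {
            q.debug("Starting parsing context for input {} / {}", N.a(inputSource), inputSource.getClass().getName());
        }
        com.contrastsecurity.agent.plugins.protect.rules.xxe.d.g context = new com.contrastsecurity.agent.plugins.protect.rules.xxe.d.g();
        InputStream byteStream = inputSource.getByteStream();
        if (byteStream != null) {
            com.contrastsecurity.agent.plugins.protect.rules.xxe.d.a wrappedBytes = wrapByteStream(byteStream);
            inputSource.setByteStream(wrappedBytes);
            context.a(wrappedBytes);
            if (q.isDebugEnabled()) {
                q.debug("Created wrapper for bytestream {} for context {}", N.a(byteStream), N.a(context));
            }
        } else if (q.isDebugEnabled()) {
            q.debug("Bytestream was null -- no wrapper created for input {} for context {}", N.a(inputSource), N.a(context));
        }
        Reader characterStream = inputSource.getCharacterStream();
        if (characterStream != null) {
            com.contrastsecurity.agent.plugins.protect.rules.xxe.d.b wrappedReader = wrapReader(characterStream);
            inputSource.setCharacterStream(wrappedReader);
            context.a(wrappedReader);
            if (q.isDebugEnabled()) {
                q.debug("Created wrapper for reader {} for context {}", N.a(characterStream), N.a(context));
            }
        } else if (q.isDebugEnabled()) {
            q.debug("reader was null -- no wrapper created for input {} for context {}", N.a(inputSource), N.a(context));
        }
        q.debug("Saving the context {}", context);
        p2.a(d, context);
    }

    /** Sensor: Xerces finished reading the DOCTYPE declaration. */
    @Sensor
    public void onXercesDoctypeDeclarationFinished(P p2) {
        try {
            handleXercesDoctypeDeclarationFinished(p2);
        } catch (Exception ex) {
            q.error("Problem handling Xerces doctype declaration end", (Throwable) ex);
        }
    }

    /** Scans the captured prolog for external entity declarations once the DOCTYPE is complete. */
    private void handleXercesDoctypeDeclarationFinished(P p2) {
        com.contrastsecurity.agent.plugins.protect.rules.xxe.d.g context = (com.contrastsecurity.agent.plugins.protect.rules.xxe.d.g) p2.d(d);
        q.debug("Xerces doctype declaration finishing for context {}", p2);
        if (context == null) {
            q.debug("No xerces parsing context when doctype declaration finished");
        } else {
            // k() is called before every scan of a Xerces context -- presumably it finalizes
            // the text captured so far by the stream wrappers; confirm in xxe.d.g.
            context.k();
            scanProlog(context, a);
        }
    }

    /**
     * Sensor: Xerces resolved an external entity. {@link AttackBlockedException} is rethrown
     * so that block mode actually aborts the parse; anything else is logged.
     */
    @Sensor
    public void onXercesEntityResolved(P p2, String str, Object obj, boolean z, boolean z2) {
        try {
            handleXercesEntityResolved(p2, str, obj, z, z2);
        } catch (AttackBlockedException ex) {
            throw ex;
        } catch (Exception ex) {
            q.error("Problem handling Xerces entity resolution", (Throwable) ex);
        }
    }

    /**
     * Records a resolved external entity and reports when its reference is suspicious.
     *
     * <p>The context is looked up under the SAX/DOM key first and the StAX key second. When
     * neither exists a throw-away context is synthesized from the entity name and the
     * source's {@code fSystemId} so that this resolution can still be scanned and reported;
     * that context is not stored on the request. {@code z} and {@code z2} are forwarded from
     * the sensor signature and not used here.
     */
    private void handleXercesEntityResolved(P p2, String str, Object obj, boolean z, boolean z2) {
        e context = (e) p2.d(d);
        if (q.isDebugEnabled()) {
            q.debug("Entity {} name resolved for context {}", str, N.a(context));
        }
        if (context == null) {
            context = (e) p2.d(k);
        }
        if (context == null) {
            context = new e();
            context.a(synthesizeEntityDeclaration(str, obj));
        }
        d entity = new d(obj);
        // h() short-circuits further reports for this context -- presumably "already reported".
        if (!a(entity.a()) || context.h()) {
            return;
        }
        context.a(entity);
        context.g();
        scanProlog(context, a);
        reportAttack(context);
    }

    /** Sensor: a Xerces parse has finished; reports collected evidence not yet reported. */
    @Sensor
    public void onXercesDocumentParsingEnd(P p2) {
        try {
            handleXercesDocumentParsingEnd(p2);
        } catch (AttackBlockedException ex) {
            throw ex;
        } catch (Exception ex) {
            q.error("Problem handling Xerces document parsing end", (Throwable) ex);
        }
    }

    /**
     * Removes the Xerces context from the request and reports it when it holds both
     * suspicious entities and prolog matches. Note the match check runs before the
     * conditional re-scan below, so a context whose prolog was never scanned is not
     * reported here; the entity-resolution path scans eagerly, which presumably covers that.
     */
    private void handleXercesDocumentParsingEnd(P p2) {
        com.contrastsecurity.agent.plugins.protect.rules.xxe.d.g context = (com.contrastsecurity.agent.plugins.protect.rules.xxe.d.g) p2.e(d);
        q.debug("Xerces document parsing ends");
        if (context == null) {
            q.debug("No xerces parsing context when document parsing ends");
            return;
        }
        List<d> entities = context.d();
        List<XMLMatchDTM> matches = context.c();
        if (entities.isEmpty() || matches.isEmpty() || context.h()) {
            return;
        }
        // e()/f() appear to be the "prolog already scanned" flag pair: scanProlog calls f()
        // after scanning with the entity pattern.
        if (!context.e()) {
            scanProlog(context, a);
        }
        reportAttack(context);
    }

    /** Sensor: the JDK/Xerces StAX reader produced {@code obj2} from reader {@code obj}. */
    @Sensor
    public void onStAXEventRead(P p2, Object obj, Object obj2) {
        try {
            handleStAXEventRead(p2, obj, obj2);
        } catch (Exception ex) {
            q.error("Problem handling StAX event read", (Throwable) ex);
        }
    }

    /**
     * Stores the DTD text of a {@code DTDEvent} on the StAX context and scans it; drops the
     * context on {@code EndDocumentEvent}. Events are identified by simple class name so the
     * agent never references the parser's event classes directly.
     */
    private void handleStAXEventRead(P p2, Object obj, Object obj2) {
        q.debug("Analyzing reader {} and event {}", obj, obj2);
        e context = (e) p2.d(k);
        if (context == null) {
            context = new e();
            p2.a(k, context);
        }
        String eventClass = obj2.getClass().getSimpleName();
        if ("DTDEvent".equals(eventClass)) {
            context.a(obj2.toString());
            scanProlog(context, a);
        } else if ("EndDocumentEvent".equals(eventClass)) {
            p2.e(k);
        }
    }

    /** Sensor: the Woodstox StAX reader {@code obj} advanced to a new event. */
    @Sensor
    public void onWoodstoxStAXEventRead(P p2, Object obj) {
        try {
            handleWoodstoxStAXEventRead(p2, obj);
        } catch (Exception ex) {
            q.error("Problem handling Woodstox/StAX event read", (Throwable) ex);
        }
    }

    /**
     * On a DTD event stores the DTD text (prefixed with the {@code xxe.c.a.a} constant) on the
     * Woodstox context and scans it; on END_DOCUMENT drops the context.
     */
    private void handleWoodstoxStAXEventRead(P p2, Object obj) {
        q.debug("Analyzing reader {}", obj);
        e context = (e) p2.d(c);
        if (context == null) {
            context = new e();
            p2.a(c, context);
        }
        com.contrastsecurity.agent.plugins.protect.rules.xxe.c.d event = new com.contrastsecurity.agent.plugins.protect.rules.xxe.c.d(obj);
        int eventType = event.a();
        // 11 and 8 are javax.xml.stream.XMLStreamConstants.DTD and END_DOCUMENT; the literals
        // are kept so this class does not reference the StAX API.
        if (11 == eventType) {
            context.a(com.contrastsecurity.agent.plugins.protect.rules.xxe.c.a.a + event.b());
            scanProlog(context, a);
        } else if (8 == eventType) {
            p2.e(c);
        }
    }

    /** Sensor: Woodstox resolved an external entity described by {@code obj}. */
    @Sensor
    public void onWoodstoxEntityResolved(P p2, Object obj) {
        try {
            handleWoodstoxEntityResolved(p2, obj);
        } catch (AttackBlockedException ex) {
            throw ex;
        } catch (Exception ex) {
            q.error("Problem handling Woodtstox entity resolution", (Throwable) ex);
        }
    }

    /**
     * Records the entity on the Woodstox context and reports when its reference is
     * suspicious. Unlike the Xerces paths there is no {@code h()} guard here, so every
     * suspicious resolution in one document reports separately -- confirm that is intended.
     */
    private void handleWoodstoxEntityResolved(P p2, Object obj) {
        e context = (e) p2.d(c);
        if (context == null) {
            q.debug("No woodstox parsing context when entity resolved");
            return;
        }
        d entity = new d(obj);
        if (a(entity.a())) {
            context.a(entity);
            reportAttack(context);
        }
    }

    /** Sensor: IBM XLXP finished parsing a DOCTYPE; {@code obj} is the scanner holding it. */
    @Sensor
    public void onIbmXlxpDoctypeParsingEnd(P p2, Object obj) {
        try {
            handleIbmXlxpDoctypeParsingEnd(p2, obj);
        } catch (Exception ex) {
            q.error("Problem handling IBM XLMP doctype parsing", (Throwable) ex);
        }
    }

    /**
     * Reads the scanner's {@code fDoctypeString} field reflectively, stores it on the XLXP
     * context and scans it.
     *
     * @throws NoSuchFieldException if the scanner has no {@code fDoctypeString} field
     * @throws IllegalAccessException if the field cannot be read
     * @throws NoSuchMethodException if the value is the default {@code Object.toString()} of a
     *         {@code DTDScanner} (recognised by the class name in the text) rather than the
     *         doctype text; the caller logs it
     */
    private void handleIbmXlxpDoctypeParsingEnd(P p2, Object obj) throws NoSuchFieldException, NoSuchMethodException, IllegalAccessException {
        // Field.get may return null, so convert to text only after the null check.
        Object rawDoctype = com.contrastsecurity.agent.m.d.b(obj, "fDoctypeString").get(obj);
        String doctype = rawDoctype != null ? rawDoctype.toString() : null;
        if (doctype == null) {
            q.debug("Null xml body received by Contrast IBM XLXP listener");
            return;
        }
        if (doctype.contains("DTDScanner")) {
            throw new NoSuchMethodException("toString is implemented on the Object rather than StAXDTDScanner and thus dont return the string representation we want");
        }
        e context = (e) p2.d(l);
        if (context == null) {
            context = new e();
            p2.a(l, context);
        }
        context.a(doctype);
        scanProlog(context, a);
    }

    /** Sensor: IBM XLXP resolved an external entity; {@code obj2} is the reference, {@code obj} may be null. */
    @Sensor
    public void onIbmXlxpExternalEntityResolved(P p2, Object obj, Object obj2) {
        try {
            handleIbmXlxpExternalEntityResolved(p2, obj, obj2);
        } catch (AttackBlockedException ex) {
            throw ex;
        } catch (Exception ex) {
            q.error("Problem handling IBM XLMP entity resolution", (Throwable) ex);
        }
    }

    /**
     * Records the entity on the XLXP context (creating it if needed) and reports when the
     * reference is suspicious. {@code obj2} is the reference that is checked; {@code obj}
     * (nullable) is carried alongside it -- presumably the public id; confirm against the
     * instrumented call site.
     */
    private void handleIbmXlxpExternalEntityResolved(P p2, Object obj, Object obj2) {
        String companionId = obj != null ? obj.toString() : null;
        String reference = obj2.toString();
        e context = (e) p2.d(l);
        if (context == null) {
            context = new e();
            p2.a(l, context);
        }
        if (a(reference)) {
            context.a(new d(reference, companionId));
            reportAttack(context);
        }
    }

    /**
     * Decides whether an external reference (system id, XInclude href, ...) is suspicious.
     *
     * <p>Order of the checks matters:
     * <ol>
     *   <li>{@code null} is never suspicious.</li>
     *   <li>References ending in {@code .dtd}, {@code .xsd} or {@code .ent} are allowed unless
     *       they carry a {@code ?} or {@code #} (raw or URL-decoded). Benign documents commonly
     *       reference public DTD/schema files, so this is a deliberate false-positive
     *       trade-off: such a reference is allowed regardless of its scheme or host.</li>
     *   <li>Network/archive schemes ({@code http:}, {@code https:}, {@code ftp:}, {@code jar:},
     *       {@code gopher:}, the scheme constant {@code com.contrastsecurity.agent.h.h.a}) and
     *       the prefixes in {@link #n} are suspicious.</li>
     *   <li>A path-traversal sequence ({@link #m}) in the URL-decoded value is suspicious.</li>
     *   <li>Otherwise the drive-letter/short-scheme pattern {@link #p} decides, on the raw value.</li>
     * </ol>
     * URL decoding goes through {@link #decodeForInspection} so malformed percent-encoding
     * cannot abort the check.
     *
     * @param str the reference as supplied by the parser; may be {@code null}
     * @return {@code true} when the reference should be reported
     */
    boolean a(String str) {
        if (str == null) {
            return false;
        }
        if ((StringUtils.endsWithIgnoreCase(str, ".dtd") || StringUtils.endsWithIgnoreCase(str, ".xsd") || StringUtils.endsWithIgnoreCase(str, ".ent")) && !hasQueryOrFragment(str)) {
            return false;
        }
        if (StringUtils.startsWithIgnoreCase(str, "http:") || StringUtils.startsWithIgnoreCase(str, "https:") || StringUtils.startsWithIgnoreCase(str, com.contrastsecurity.agent.h.h.a) || StringUtils.startsWithIgnoreCase(str, "ftp:") || StringUtils.startsWithIgnoreCase(str, "jar:") || StringUtils.startsWithIgnoreCase(str, "gopher:") || StringUtils.startsWithAny(str, n)) {
            return true;
        }
        String decoded = decodeForInspection(str);
        for (String traversal : m) {
            if (decoded.contains(traversal)) {
                return true;
            }
        }
        return p.matches(str);
    }

    /** True when the reference contains a query or fragment marker, raw or URL-decoded. */
    private boolean hasQueryOrFragment(String str) {
        String decoded = decodeForInspection(str);
        for (String marker : o) {
            if (str.contains(marker) || decoded.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    /**
     * URL-decodes a reference for inspection. {@link URLDecoder#decode(String)} throws
     * {@link IllegalArgumentException} on malformed percent-encoding (e.g. a lone trailing
     * {@code %}); letting that escape would abort the suspicious-reference check and the
     * sensor would merely log the error, i.e. the check would fail open. The raw value is
     * inspected instead in that case.
     */
    private static String decodeForInspection(String str) {
        try {
            return URLDecoder.decode(str);
        } catch (IllegalArgumentException ex) {
            q.debug("Could not URL-decode XML reference for inspection; inspecting raw value", ex);
            return str;
        }
    }

    /**
     * Sends the context's evidence to the protect sink and, when the rule may block, aborts
     * the parse.
     *
     * @throws AttackBlockedException when {@link ProtectManager#canBlock} allows blocking; the
     *         sensor entry points rethrow it so it reaches the application
     */
    private void reportAttack(e context) {
        String prolog = context.b();
        ArrayList<d> entities = new ArrayList<d>(context.d());
        boolean canBlock = this.g.canBlock(this);
        this.e.a(this.i, buildDetails(context.c(), entities, prolog), UserInputDTM.builder().value(prolog).name(r).type(UserInputDTM.InputType.UNKNOWN).time(context.a()).build(), canBlock ? AttackResult.BLOCKED : AttackResult.EXPLOITED);
        if (canBlock) {
            throw new AttackBlockedException("XXE attack detected");
        }
    }

    /**
     * Builds the report details. Entities are de-duplicated on the pair ({@code a()},
     * {@code b()}), joined with a NUL separator so that distinct pairs cannot collide the way
     * plain concatenation would; insertion order is preserved.
     *
     * @param matches prolog matches recorded by {@link #scanProlog}
     * @param entities resolved entities; may be {@code null}
     * @param prolog the captured prolog text
     */
    private XXEDetailsDTM buildDetails(List<XMLMatchDTM> matches, List<d> entities, String prolog) {
        HashSet<String> seen = new HashSet<String>();
        LinkedList<ExternalEntityWrapperDTM> wrappers = new LinkedList<ExternalEntityWrapperDTM>();
        if (entities != null) {
            for (d entity : entities) {
                String first = entity.a();
                String second = entity.b();
                String key = first + "\0" + second;
                if (seen.add(key)) {
                    wrappers.add(new ExternalEntityWrapperDTM(first, second));
                }
            }
        }
        return new XXEDetailsDTM(prolog, matches, wrappers);
    }

    /**
     * Finds every {@code pattern} match in the context's prolog text and records the offsets
     * of capture group 2 as evidence. The text is HTML-unescaped before matching, so the
     * recorded offsets are positions in the unescaped string, not in the raw prolog. When the
     * entity pattern {@link #a} was used the context is marked as scanned via {@code f()}.
     */
    private void scanProlog(e context, Pattern pattern) {
        String prolog = context.b();
        if (prolog != null) {
            MatchIterator found = pattern.matcher(StringEscapeUtils.unescapeHtml(prolog)).findAll();
            while (found.hasMore()) {
                MatchResult match = found.nextMatch();
                context.a(new XMLMatchDTM(match.start(2), match.end(2)));
            }
        }
        if (pattern.equals(a)) {
            context.f();
        }
    }

    /**
     * Builds a stand-in prolog, {@code ...[<!ENTITY name SYSTEM systemId>]...} (or
     * {@code ...[<!ENTITY name ... >]...} when no system id can be read), for an entity
     * resolution that arrived without a captured prolog.
     */
    private String synthesizeEntityDeclaration(String name, Object source) {
        String systemId = readSystemId(source);
        StringBuilder sb = new StringBuilder();
        sb.append("...[<!ENTITY ");
        sb.append(name);
        if (systemId != null) {
            sb.append(" SYSTEM ");
            sb.append(systemId);
        } else {
            sb.append(" ... ");
        }
        sb.append(">]...");
        return sb.toString();
    }

    /** Reflectively reads the source's {@code fSystemId} field; any failure is logged and yields {@code null}. */
    private String readSystemId(Object source) {
        try {
            return (String) com.contrastsecurity.agent.m.d.b(source, "fSystemId").get(source);
        } catch (Throwable th) {
            q.error("Problem inspecting XML input source during external entity resolution", th);
            return null;
        }
    }

    /** Wraps a character stream so the prolog can be captured while the parser reads it. */
    private com.contrastsecurity.agent.plugins.protect.rules.xxe.d.b wrapReader(Reader reader) {
        return new com.contrastsecurity.agent.plugins.protect.rules.xxe.d.b(reader);
    }

    /** Wraps a byte stream so the prolog can be captured while the parser reads it. */
    private com.contrastsecurity.agent.plugins.protect.rules.xxe.d.a wrapByteStream(InputStream inputStream) {
        return new com.contrastsecurity.agent.plugins.protect.rules.xxe.d.a(inputStream);
    }

    /**
     * Installs the rule's visitors: every {@code javax/xml/stream/util/XMLEventAllocator}
     * implementation gets the {@code xxe.b.a} visitor, and classes registered in {@link #h}
     * get the visitor built by their factory. Does nothing when sinks are disabled. A factory
     * failure is logged with its cause and leaves the class uninstrumented.
     */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.m
    public ClassVisitor onInstrumentingClass(com.contrastsecurity.agent.instr.i<ContrastXXEProtectDispatcher> iVar, ClassVisitor classVisitor, InstrumentationContext instrumentationContext) {
        if (!this.g.isSinksDisabled()) {
            String internalClassName = instrumentationContext.getInternalClassName();
            if (instrumentationContext.getAncestors().contains("javax/xml/stream/util/XMLEventAllocator")) {
                classVisitor = new com.contrastsecurity.agent.plugins.protect.rules.xxe.b.a(iVar, instrumentationContext, classVisitor);
            }
            i<?> factory = this.h.get(internalClassName);
            if (factory != null) {
                try {
                    classVisitor = factory.a(iVar, instrumentationContext, classVisitor);
                } catch (Exception ex) {
                    // Trailing throwable so the stack trace is not lost.
                    q.error("Couldn't build visitor for type {}", internalClassName, ex);
                }
            }
        }
        return classVisitor;
    }

    /** True for classes whose name starts with one of the {@code xxe.d.c.l} prefixes (loaded before the agent can instrument lazily). */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.l
    public boolean requiresPrimordialInstrumentation(Class<?> cls) {
        return StringUtils.startsWithAny(cls.getName(), com.contrastsecurity.agent.plugins.protect.rules.xxe.d.c.l);
    }

    @Override // com.contrastsecurity.agent.instr.q
    public p<ContrastXXEProtectDispatcher> dispatcherRegistration() {
        return this.f;
    }

    /** Sensor: Xerces XInclude resolved the reader for an included resource described by {@code obj}. */
    @Sensor
    public void onXercesXIncludeGetReaderCallResolved(P p2, Object obj) {
        try {
            handleXercesXIncludeGetReaderCallResolved(p2, obj);
        } catch (AttackBlockedException ex) {
            throw ex;
        } catch (Exception ex) {
            q.error("Problem handling XInclude getReader call resolved", (Throwable) ex);
        }
    }

    /**
     * Records the included resource on the Xerces context (creating and storing one if the
     * parse-start hook did not run) and, when its reference is suspicious, scans the prolog
     * with the XInclude pattern {@link #b} and reports.
     */
    private void handleXercesXIncludeGetReaderCallResolved(P p2, Object obj) {
        com.contrastsecurity.agent.plugins.protect.rules.xxe.d.g context = (com.contrastsecurity.agent.plugins.protect.rules.xxe.d.g) p2.d(d);
        if (context == null) {
            context = new com.contrastsecurity.agent.plugins.protect.rules.xxe.d.g();
            p2.a(d, context);
        }
        d include = new d(obj);
        if (!a(include.a()) || context.h()) {
            return;
        }
        context.a(include);
        context.g();
        context.k();
        scanProlog(context, b);
        reportAttack(context);
    }
}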
