package com.contrastsecurity.agent.plugins.security.policy.rules.providers.internal.xss;

import com.contrastsecurity.agent.ScopedSensor;
import com.contrastsecurity.agent.Sensor;
import com.contrastsecurity.agent.apps.ApplicationManager;
import com.contrastsecurity.agent.p.k;
import com.contrastsecurity.agent.p.n;
import com.contrastsecurity.agent.plugins.security.AssessmentManager;
import com.contrastsecurity.agent.plugins.security.controller.TraceController;
import com.contrastsecurity.agent.plugins.security.controller.r;
import com.contrastsecurity.agent.plugins.security.model.TriggerEvent;
import com.contrastsecurity.agent.plugins.security.policy.j;
import com.contrastsecurity.agent.plugins.security.policy.rules.Event;
import com.contrastsecurity.agent.plugins.security.policy.rules.Parameter;
import com.contrastsecurity.agent.plugins.security.policy.rules.ParameterList;
import com.contrastsecurity.agent.plugins.security.policy.rules.Rule;
import com.contrastsecurity.agent.scope.GlobalScopeProvider;
import com.contrastsecurity.agent.scope.ScopeAggregator;
import com.contrastsecurity.agent.trace.CodeEvent;
import com.contrastsecurity.agent.trace.MethodDescription;
import com.contrastsecurity.agent.trace.Trace;
import com.contrastsecurity.agent.util.ObjectShare;
import com.contrastsecurity.thirdparty.javax.inject.Inject;
import com.contrastsecurity.thirdparty.javax.inject.Singleton;
import com.contrastsecurity.thirdparty.org.slf4j.Logger;
import com.contrastsecurity.thirdparty.org.slf4j.LoggerFactory;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Objects;

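/**
 * Reflected-XSS sensor for FreeMarker interpolations.
 *
 * <p>The instrumented FreeMarker output path hands {@link #onVariableOutput} the rendered
 * string, the interpolation node and the rendering environment. If the rendered string is
 * tracked by the {@link TraceController} (i.e. carries data the agent is following) and the
 * interpolation is not wrapped in one of the escaping builtins recognised by
 * {@link #unescapedExpression}, a {@code reflected-xss} trigger is reported through the
 * {@link ContrastDataFlowTriggerDispatcher}, provided the rule is present and enabled in the
 * current policy.
 *
 * <p>This listing is decompiled. Private members have been given descriptive names; the
 * obfuscated collaborator types ({@code p.k}, {@code p.n}, {@code model.c}, {@code model.n},
 * {@code controller.r}, {@code internal.a}, {@code m.d}) are called exactly as before.
 */
@Singleton
@Sensor
/* loaded from: input_file:com/contrastsecurity/agent/plugins/security/policy/rules/providers/internal/xss/ContrastFreemarkerDispatcherImpl.class */
final class ContrastFreemarkerDispatcherImpl implements ContrastFreemarkerDispatcher {
    /** Synthetic "renderer" frame that heads every reported stack (see {@link #buildStack}). */
    private static final String RENDERER_CLASS_NAME = "freemarker.core.Renderer";
    private static final String RENDERER_FILE_NAME = "Renderer.java";
    private static final String RENDERER_OUTPUT_METHOD = "output";
    private static final int RENDERER_OUTPUT_LINE = 10;
    /** Pseudo-method the trigger is attributed to; also used as the method name of the template frame. */
    private static final String PRINT_METHOD_NAME = "print";
    private static final String PRINT_METHOD_DESC = "(Ljava/lang/String;)V";
    private static final MethodDescription PRINT_METHOD =
            new MethodDescription(RENDERER_CLASS_NAME, PRINT_METHOD_NAME, PRINT_METHOD_DESC, 0);
    /** Reported when the template name cannot be read reflectively from the environment. */
    private static final String UNKNOWN_TEMPLATE_NAME = "unknown.ftl";
    private static final String REFLECTED_XSS_RULE_ID = "reflected-xss";
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) ContrastFreemarkerDispatcherImpl.class);

    private final TraceController traceController;
    private final ApplicationManager applicationManager;
    private final AssessmentManager assessmentManager;
    /** Source of trigger-event builders: {@code b()} returns a fresh {@code model.n} builder. */
    private final com.contrastsecurity.agent.plugins.security.model.c triggerEventBuilders;
    private final ContrastDataFlowTriggerDispatcher dataFlowTriggerDispatcher;
    /** Presumably a call-stack capture: {@code a()} yields a {@code p.j} whose {@code a()} lists frames. */
    private final k callStackProvider;

    /**
     * Lazily built policy {@link Event} shared by every trigger this sensor reports.
     *
     * <p>{@code volatile} and assigned only after the instance is fully configured, so a
     * request thread racing with the first trigger can never observe an {@link Event} whose
     * parameter list has not been set yet (the original assigned the field first and then
     * mutated it). Two threads may still build one each; both are equivalent.
     */
    private static volatile Event cachedTriggerEvent;

    @Inject
    public ContrastFreemarkerDispatcherImpl(TraceController traceController, ApplicationManager applicationManager, AssessmentManager assessmentManager, com.contrastsecurity.agent.plugins.security.model.c cVar, ContrastDataFlowTriggerDispatcher contrastDataFlowTriggerDispatcher, k kVar) {
        this.traceController = traceController;
        this.applicationManager = applicationManager;
        this.assessmentManager = assessmentManager;
        // Only the builder source is null-checked eagerly; the others are used as-is, as before.
        this.triggerEventBuilders = (com.contrastsecurity.agent.plugins.security.model.c) Objects.requireNonNull(cVar);
        this.dataFlowTriggerDispatcher = contrastDataFlowTriggerDispatcher;
        this.callStackProvider = kVar;
    }

    /**
     * Sensor entry point invoked for every interpolation FreeMarker writes out.
     *
     * <p>Runs the check inside an agent scope so that the agent's own work is not itself
     * instrumented, and always leaves that scope. Any {@link Exception} from the check is logged
     * and swallowed so the application's rendering is never broken by the sensor; an
     * {@link Error} propagates after the scope is left.
     *
     * @param str  the rendered output string (only acted on when {@link TraceController#isTracked})
     * @param obj  the interpolation node; expected to expose an {@code escapedExpression} field and a
     *             {@code TemplateObject} superclass with {@code beginLine} -- confirm against the
     *             FreeMarker version being instrumented
     * @param obj2 the rendering environment; expected to expose {@code getTemplate().getName()}
     */
    @Override // java.lang.ContrastFreemarkerDispatcher
    @ScopedSensor
    public void onVariableOutput(String str, Object obj, Object obj2) {
        ScopeAggregator scope = GlobalScopeProvider.enterScope();
        try {
            checkForXss(str, obj, obj2);
        } catch (Exception e) {
            logger.error("Problem checking for XSS in freemarker", (Throwable) e);
        } finally {
            scope.leaveScope();
        }
    }

    /**
     * Cheap pre-checks, then the escape heuristic, then reporting.
     *
     * <p>Nothing happens unless {@code output} is non-empty and tracked by the trace controller;
     * untracked (non-tainted) output is never inspected.
     */
    private void checkForXss(String output, Object expression, Object environment) {
        if (output == null || output.isEmpty() || expression == null || environment == null
                || !traceController.isTracked(output)) {
            return;
        }
        logger.debug("TraceDispatcher.isTracked returned true");
        try {
            Object unescaped = unescapedExpression(expression);
            if (unescaped != null) {
                logger.debug("Expression not null");
                reportTrigger(output, expression, unescaped, environment);
            }
        } catch (Exception e) {
            logger.error("Problem checking for freemarker XSS", (Throwable) e);
        }
    }

    /**
     * Returns the node's {@code escapedExpression} when it does NOT look escaped, {@code null}
     * when it looks escaped (or is absent).
     *
     * <p>NOTE(review): this is a heuristic, not a parse. It treats the expression as escaped if
     * its source text merely <em>contains</em> one of the listed builtins anywhere, or if the
     * expression's class name contains "Encoding" (FreeMarker auto-escaping). A concatenation
     * where only one operand carries {@code ?html} therefore passes as escaped (false negative),
     * and escaping builtins not in the list (e.g. {@code ?js_string}) are treated as unescaped
     * (false positive). Keep that trade-off in mind when tuning the list.
     *
     * @throws Exception from the reflective field read
     */
    private Object unescapedExpression(Object expression) throws Exception {
        Object escaped = com.contrastsecurity.agent.m.d.b(expression, "escapedExpression").get(expression);
        if (escaped == null) {
            return null;
        }
        String text = escaped.toString();
        boolean looksEscaped = text.contains("?url")
                || text.contains("?xhtml")
                || text.contains("?html")
                || text.contains("?xml")
                || text.contains("?json_string")
                || escaped.getClass().getName().contains("Encoding");
        return looksEscaped ? null : escaped;
    }

    /**
     * Builds the trigger event for an unescaped, tracked interpolation and hands it to the
     * data-flow trigger dispatcher.
     *
     * <p>Reporting is gated on: a trace existing for {@code output}, an application being
     * current, and the {@code reflected-xss} rule being present and enabled in the current
     * policy. The policy lookup is skipped entirely when the first two fail.
     *
     * @param output      the tracked rendered string
     * @param expression  the interpolation node (source of the template line number)
     * @param unescaped   the unescaped expression object; passed to the trigger-event builder
     * @param environment the rendering environment (source of the template name; also the
     *                    "object" the trigger is recorded against)
     * @throws j propagated from the event/rule model
     */
    private void reportTrigger(String output, Object expression, Object unescaped, Object environment) throws j {
        Trace trace = traceController.getTrace(output);
        if (trace == null || applicationManager.current() == null) {
            return;
        }
        Rule rule = assessmentManager.currentPolicy().getRuleById(REFLECTED_XSS_RULE_ID);
        if (rule == null || !rule.isEnabled()) {
            return;
        }
        // Capture the stack first: the synthetic renderer/template frames are prepended to it.
        com.contrastsecurity.agent.p.j callStack =
                com.contrastsecurity.agent.p.n.a(buildStack(callStackProvider.a(), expression, environment));

        // Casts mirror the original builder chain (the intermediate calls are declared on a supertype).
        com.contrastsecurity.agent.plugins.security.model.n builder =
                (com.contrastsecurity.agent.plugins.security.model.n) triggerEventBuilders.b().a(PRINT_METHOD);
        builder = (com.contrastsecurity.agent.plugins.security.model.n) builder.a(rule);
        builder = (com.contrastsecurity.agent.plugins.security.model.n) builder.e("P0");
        builder = (com.contrastsecurity.agent.plugins.security.model.n) builder.a(new Object[]{output});
        builder = (com.contrastsecurity.agent.plugins.security.model.n) builder.a(expression);
        builder = builder.a(callStack);
        CodeEvent lastEvent = trace.getLastEvent();
        if (lastEvent != null) {
            builder.d(lastEvent);
        }
        TriggerEvent triggerEvent = builder.e();

        r traceDetails = new r();
        traceDetails.a(true);
        traceDetails.a(trace);
        traceDetails.a(callStack);
        assessmentManager.currentContext().setLastTriggerEvent(triggerEvent);

        com.contrastsecurity.agent.plugins.security.policy.rules.providers.internal.a details =
                new com.contrastsecurity.agent.plugins.security.policy.rules.providers.internal.a();
        details.a(PRINT_METHOD);
        details.a(triggerEvent);
        details.a(traceDetails);
        details.a(triggerEventFor(rule, PRINT_METHOD));
        logger.debug("Tracing trigger");
        dataFlowTriggerDispatcher.traceTrigger(PRINT_METHOD_NAME, PRINT_METHOD_DESC, 1, environment, environment.getClass(),
                new Object[]{output}, ObjectShare.SINGLE_STRING_ARRAY, null, Void.TYPE, REFLECTED_XSS_RULE_ID, (short) -1, details);
    }

    /**
     * Returns the shared policy {@link Event} for this sensor, building it on first use.
     *
     * <p>The event is fully configured in a local before it is published to the static field
     * (see {@link #cachedTriggerEvent}). Later calls ignore {@code rule}/{@code method} and return
     * the cached instance, exactly as before.
     *
     * @throws j propagated from {@link Event}
     */
    private Event triggerEventFor(Rule rule, MethodDescription method) throws j {
        Event event = cachedTriggerEvent;
        if (event == null) {
            event = new Event(rule, method.getSignature());
            event.setExpressionType(null);
            event.setObjectRequiresTracking(false);
            ParameterList parameters = new ParameterList();
            parameters.setMode(ParameterList.Mode.Or);
            parameters.setParameters(new Parameter[]{outputParameter()});
            event.setParameterList(parameters);
            cachedTriggerEvent = event; // publish only once fully built
        }
        return event;
    }

    /**
     * Parameter 0 (the output string) of the trigger, with the tags that suppress reporting:
     * data already validated or encoded for some context is not treated as an XSS sink input.
     */
    private Parameter outputParameter() {
        Parameter parameter = new Parameter(0, true);
        parameter.setDisallowedTags(new String[]{"http-token-limited-chars", "numeric-limited-chars", "custom-validated", "base64-encoded", "css-encoded", "ftl-encoded", "html-encoded", "js-encoded", "json-encoded", "ldap-encoded", "os-encoded", "sql-encoded", "url-encoded", "vbscript-encoded", "xml-encoded", "xpath-encoded", "xss-encoded"});
        return parameter;
    }

    /**
     * Assembles the stack reported with the trigger: a synthetic renderer frame, a synthetic
     * template frame ({@code <template file>.print(<template name>:<line>)}), then the captured
     * frames (none when {@code callStack} is {@code null}).
     */
    private List<StackTraceElement> buildStack(com.contrastsecurity.agent.p.j callStack, Object expression, Object environment) {
        int line = beginLineOf(expression);
        String templateName = templateNameOf(environment);
        String templateFile = fileNameOf(templateName);
        List<StackTraceElement> captured =
                callStack == null ? Collections.<StackTraceElement>emptyList() : callStack.a();
        List<StackTraceElement> frames = new ArrayList<StackTraceElement>(captured.size() + 2);
        frames.add(new StackTraceElement(RENDERER_CLASS_NAME, RENDERER_OUTPUT_METHOD, RENDERER_FILE_NAME, RENDERER_OUTPUT_LINE));
        frames.add(new StackTraceElement(templateFile, PRINT_METHOD_NAME, templateName, line));
        frames.addAll(captured);
        return frames;
    }

    /** Strips any leading path (either '/' or '\' separated) from a template name. */
    private String fileNameOf(String path) {
        int lastSeparator = Math.max(path.lastIndexOf('/'), path.lastIndexOf('\\'));
        return path.substring(lastSeparator + 1);
    }

    /**
     * Reads {@code environment.getTemplate().getName()} reflectively.
     *
     * @return the template name, or {@link #UNKNOWN_TEMPLATE_NAME} if it is {@code null} or the
     *         reflective calls fail (failure is logged, never propagated)
     */
    private String templateNameOf(Object environment) {
        try {
            Object template = com.contrastsecurity.agent.m.d.f(environment.getClass(), "getTemplate")
                    .invoke(environment, ObjectShare.EMPTY_OBJ_ARRAY);
            String name = (String) com.contrastsecurity.agent.m.d.f(template.getClass(), "getName")
                    .invoke(template, ObjectShare.EMPTY_OBJ_ARRAY);
            return name == null ? UNKNOWN_TEMPLATE_NAME : name;
        } catch (Exception e) {
            logger.error("Problem reading template name", (Throwable) e);
            return UNKNOWN_TEMPLATE_NAME;
        }
    }

    /**
     * Reads the {@code beginLine} field declared by the {@code TemplateObject} superclass of the
     * interpolation node.
     *
     * <p>Only superclasses are examined (the node's own class is skipped, as before), the whole
     * hierarchy is walked, and a failure on one level is logged and the walk continues.
     *
     * @return the line number, or -1 if no {@code TemplateObject} superclass yields one
     */
    private int beginLineOf(Object expression) {
        int line = -1;
        for (Class<?> cls = expression.getClass().getSuperclass(); cls != null; cls = cls.getSuperclass()) {
            try {
                if (cls.getSimpleName().equals("TemplateObject")) {
                    line = ((Integer) com.contrastsecurity.agent.m.d.d(cls, "beginLine").get(expression)).intValue();
                }
            } catch (Exception e) {
                logger.error("Problem generating line number", (Throwable) e);
            }
        }
        return line;
    }
}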
