package io.leopard.web.nobug.xss;

import java.lang.reflect.Field;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:io/leopard/web/nobug/xss/XssAttributeCheckUtil.class */
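/**
 * Walks attribute values and rejects any string that the configured XSS checker flags.
 *
 * <p>Strings are passed to {@link XssCheckerImpl}; lists, sets and maps are traversed
 * element by element; custom beans (as decided by {@link CustomBeanUtil}) have their
 * {@code String}-typed fields inspected. A flagged value raises {@link XssException}.
 *
 * <p>Review notes:
 * <ul>
 *   <li>Attributes whose name is in the ignore set are skipped entirely. Some of those names
 *       (for example the Spring URI-template / path-variable maps and the servlet include
 *       request URI) normally carry request-derived data, so views that render them still
 *       need output encoding of their own.</li>
 *   <li>Bean inspection is shallow: only fields declared as {@code String} are checked;
 *       nested beans or collections held in bean fields are not followed.</li>
 *   <li>Traversal has no cycle detection; a container that (directly or indirectly) contains
 *       itself will recurse until the stack overflows.</li>
 *   <li>This is an input-side guard. What the checker considers dangerous is defined in
 *       {@code XssCheckerImpl}, which is not visible here.</li>
 * </ul>
 */
public class XssAttributeCheckUtil {
    /** Attribute name that is itself exempt from checking (it is a member of the ignore set). */
    public static final String IGNORE_XSS_ATTRIBUTE_NAME = "xss-ignore";
    protected static final Log logger = LogFactory.getLog(XssAttributeCheckUtil.class);

    /** Attribute names that {@link #checkAttribute(String, Object)} never inspects. */
    private static final Set<String> IGNORE_NAME_SET = new HashSet<String>();

    static {
        IGNORE_NAME_SET.add("javax.servlet.include.request_uri");
        IGNORE_NAME_SET.add("javax.servlet.include.context_path");
        IGNORE_NAME_SET.add("javax.servlet.include.servlet_path");
        IGNORE_NAME_SET.add("org.springframework.web.servlet.HandlerMapping.pathWithinHandlerMapping");
        IGNORE_NAME_SET.add("org.springframework.web.context.request.async.WebAsyncManager.WEB_ASYNC_MANAGER");
        IGNORE_NAME_SET.add("org.springframework.web.servlet.DispatcherServlet.INPUT_FLASH_MAP");
        IGNORE_NAME_SET.add("org.springframework.web.servlet.DispatcherServlet.OUTPUT_FLASH_MAP");
        IGNORE_NAME_SET.add("org.springframework.web.servlet.View.pathVariables");
        IGNORE_NAME_SET.add("org.springframework.web.servlet.support.RequestContext.CONTEXT");
        IGNORE_NAME_SET.add("org.springframework.web.servlet.DispatcherServlet.CONTEXT");
        IGNORE_NAME_SET.add("org.springframework.web.servlet.DispatcherServlet.LOCALE_RESOLVER");
        IGNORE_NAME_SET.add("org.springframework.web.servlet.HandlerMapping.uriTemplateVariables");
        IGNORE_NAME_SET.add("javax.servlet.jsp.jstl.fmt.localizationContext.request");
        IGNORE_NAME_SET.add("javax.servlet.jsp.jstl.fmt.timeZone.request");
        IGNORE_NAME_SET.add("org.apache.catalina.jsp_file");
        IGNORE_NAME_SET.add(IGNORE_XSS_ATTRIBUTE_NAME);
    }

    /**
     * Checks one named attribute unless its name is on the ignore list.
     *
     * @param str attribute name
     * @param obj attribute value; may be {@code null}
     * @throws XssException if the value, or anything reachable from it, is flagged
     */
    public static void checkAttribute(String str, Object obj) {
        if (IGNORE_NAME_SET.contains(str)) {
            return;
        }
        checkObject(obj);
    }

    /**
     * Checks a value of any supported shape: string, list, set, map or custom bean.
     * {@code null}, the numeric wrappers and {@link Date} are accepted without inspection;
     * any other type that is not a custom bean is ignored.
     *
     * @param obj value to inspect; may be {@code null}
     * @throws XssException if a flagged string is found
     */
    public static void checkObject(Object obj) {
        if (obj == null) {
            return;
        }
        if (obj instanceof String) {
            checkString((String) obj);
            // A String needs no further dispatch; the original fell through to the bean test.
            return;
        }
        if (isSafeValue(obj)) {
            return;
        }
        if (obj instanceof List) {
            checkList(obj);
        } else if (obj instanceof Set) {
            checkSet(obj);
        } else if (obj instanceof Map) {
            checkMap(obj);
        } else if (CustomBeanUtil.isCustomBean(obj.getClass())) {
            checkBean(obj);
        }
    }

    /**
     * Tells whether a value is of a type that cannot carry markup.
     *
     * @param obj value to classify
     * @return {@code true} for {@code Integer}, {@code Long}, {@code Float}, {@code Double}
     *         and {@code Date} instances; {@code false} otherwise, including for {@code null}
     */
    protected static boolean isSafeValue(Object obj) {
        return (obj instanceof Integer) || (obj instanceof Long) || (obj instanceof Float) || (obj instanceof Double) || (obj instanceof Date);
    }

    /**
     * Type-level counterpart of {@link #isSafeValue(Object)}; also accepts the primitive
     * {@code int}, {@code long}, {@code float} and {@code double} classes.
     *
     * @param cls type to classify; must not be {@code null}
     * @return {@code true} if the type is one of the accepted numeric types or {@code Date}
     */
    protected static boolean isSafeType(Class<?> cls) {
        return cls.equals(Integer.TYPE) || cls.equals(Integer.class) || cls.equals(Long.TYPE) || cls.equals(Long.class) || cls.equals(Float.TYPE) || cls.equals(Float.class) || cls.equals(Double.TYPE) || cls.equals(Double.class) || cls.equals(Date.class);
    }

    /**
     * Checks every element of a list.
     *
     * @param obj a {@link List}; the parameter is typed {@code Object} for caller compatibility
     * @throws XssException if any element is flagged
     */
    protected static void checkList(Object obj) {
        checkElements((List<?>) obj);
    }

    /**
     * Checks every element of a set.
     *
     * @param obj a {@link Set}; the parameter is typed {@code Object} for caller compatibility
     * @throws XssException if any element is flagged
     */
    protected static void checkSet(Object obj) {
        checkElements((Set<?>) obj);
    }

    /**
     * Routes each element through {@link #checkObject(Object)}.
     *
     * <p>Going through {@code checkObject} fixes two gaps in the previous element loop: a
     * {@code null} element no longer triggers a {@code NullPointerException}, and a nested
     * list, set or map inside a collection is inspected instead of being skipped, which
     * matches what map values already received.
     */
    private static void checkElements(Iterable<?> elements) {
        for (Object element : elements) {
            checkObject(element);
        }
    }

    /**
     * Checks both the keys and the values of a map.
     *
     * @param obj a {@link Map}; the parameter is typed {@code Object} for caller compatibility
     * @throws XssException if any key or value is flagged
     */
    protected static void checkMap(Object obj) {
        for (Map.Entry<?, ?> entry : ((Map<?, ?>) obj).entrySet()) {
            checkObject(entry.getKey());
            checkObject(entry.getValue());
        }
    }

    /**
     * Checks the {@code String}-typed fields of a bean, as listed by {@link FieldCache}.
     *
     * <p>A field annotated with {@link NoXss} is exempt: a flagged value there does not fail
     * the check. Note that {@link #checkString(String)} has already written its own error log
     * entry by the time the exemption is applied, so exempt fields still show up in the log.
     *
     * @param obj bean to inspect; must not be {@code null}
     * @throws XssException     if a non-exempt field holds a flagged value
     * @throws RuntimeException if a field cannot be read reflectively
     */
    protected static void checkBean(Object obj) {
        for (Field field : FieldCache.listFields(obj.getClass())) {
            if (!field.getType().equals(String.class)) {
                continue;
            }
            field.setAccessible(true);
            String str;
            try {
                str = (String) field.get(obj);
            } catch (IllegalAccessException e) {
                throw new RuntimeException(e.getMessage(), e);
            }
            try {
                checkString(str);
            } catch (XssException e) {
                if (field.getAnnotation(NoXss.class) == null) {
                    // NOTE(review): str is unvalidated input written to the log verbatim.
                    logger.error("has xss json:" + str);
                    throw e;
                }
            }
        }
    }

    /**
     * Rejects a string that the XSS checker flags; {@code null} is accepted.
     *
     * @param str value to test; may be {@code null}
     * @throws XssException if {@code XssCheckerImpl.getInstance().check(str)} returns {@code true}
     */
    protected static void checkString(String str) {
        if (str != null && XssCheckerImpl.getInstance().check(str)) {
            // NOTE(review): the flagged value goes to the log unmodified. If it can contain
            // line breaks or is viewed in an HTML log console, consider neutralising control
            // characters and bounding its length before logging.
            logger.error("has xss value:" + str);
            throw new XssException("页面属性有XSS风险.");
        }
    }
}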
