package org.sonar.java.checks;

import java.util.Iterator;
import org.sonar.check.Priority;
import org.sonar.check.Rule;
import org.sonar.java.checks.methods.MethodInvocationMatcher;
import org.sonar.plugins.java.api.tree.ExpressionTree;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.NewArrayTree;
import org.sonar.plugins.java.api.tree.Tree;
import org.sonar.squidbridge.annotations.SqaleConstantRemediation;
import org.sonar.squidbridge.annotations.SqaleSubCharacteristic;

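/**
 * Rule S2078: flags inputs to JNDI LDAP requests that the inherited
 * {@code isDynamicString} helper classifies as dynamic.
 *
 * <p>Two call shapes are inspected:
 * <ul>
 *   <li>{@code javax.naming.directory.DirContext.search(...)}, any overload: arguments 0 and 1
 *       are checked, but only when their static type is {@code java.lang.String}. In the JNDI
 *       overloads these positions are the context name and the search filter.</li>
 *   <li>{@code javax.naming.directory.SearchControls.setReturningAttributes(String[])}: the
 *       array argument is checked.</li>
 * </ul>
 *
 * <p>Scope notes for anyone triaging findings:
 * <ul>
 *   <li>Both matchers are guarded by {@code hasSemantic()}, so nothing is reported when that
 *       returns false. A clean result is then not evidence that the code is safe.</li>
 *   <li>Only {@code String}-typed name/filter arguments are examined. A {@code Name} object built
 *       from untrusted text is not followed by this class.</li>
 *   <li>The {@code filterArgs} array of the {@code search(name, filterExpr, filterArgs, cons)}
 *       overloads is not inspected. NOTE(review): JNDI documents that these values are encoded
 *       when substituted into the filter, which makes that overload the usual remediation for a
 *       dynamic filter. Confirm against the JDK version in use.</li>
 * </ul>
 *
 * <p>{@code isDynamicString}, {@code setParameterNameFromArgument}, {@code addIssue},
 * {@code hasSemantic} and the {@code parameterName} field are not defined in this file;
 * presumably they come from {@code AbstractInjectionChecker} or its ancestors.
 */
@SqaleSubCharacteristic("INPUT_VALIDATION_AND_REPRESENTATION")
@Rule(key = "S2078", name = "Values passed to LDAP queries should be sanitized", tags = {"cwe", "owasp-top10", "security"}, priority = Priority.CRITICAL)
@SqaleConstantRemediation("30min")
public class LDAPInjectionCheck extends AbstractInjectionChecker {
    /** Matches every overload of {@code DirContext.search}, whatever its parameter list. */
    private static final MethodInvocationMatcher LDAP_SEARCH_MATCHER = MethodInvocationMatcher.create()
        .typeDefinition("javax.naming.directory.DirContext")
        .name("search")
        .withNoParameterConstraint();

    /** Matches {@code SearchControls.setReturningAttributes(String[])}. */
    private static final MethodInvocationMatcher SEARCH_CONTROLS_MATCHER = MethodInvocationMatcher.create()
        .typeDefinition("javax.naming.directory.SearchControls")
        .name("setReturningAttributes")
        .addParameter("java.lang.String[]");

    /**
     * Inspects one visited node and reports dynamic LDAP inputs.
     *
     * @param tree the visited node; it is cast to {@link MethodInvocationTree} without a check,
     *     so this assumes only method invocations are delivered here (the subscription is not
     *     visible in this file, TODO confirm)
     */
    public void visitNode(Tree tree) {
        MethodInvocationTree methodInvocationTree = (MethodInvocationTree) tree;
        if (isDirContextSearchCall(methodInvocationTree)) {
            // Positions 0 and 1 are read unconditionally. Every DirContext.search overload in
            // the JDK takes at least two arguments, so the index access relies on the matcher
            // only ever accepting those overloads.
            checkDirContextArg(methodInvocationTree.arguments().get(0), methodInvocationTree);
            checkDirContextArg(methodInvocationTree.arguments().get(1), methodInvocationTree);
        } else if (isSearchControlCall(methodInvocationTree)) {
            ExpressionTree expressionTree = methodInvocationTree.arguments().get(0);
            if (isDynamicArray(expressionTree, methodInvocationTree)) {
                createIssue(expressionTree);
            }
        }
    }

    /**
     * Reports {@code expressionTree} when it is a {@code String} that {@code isDynamicString}
     * considers dynamic. Arguments of any other static type are skipped.
     *
     * @param expressionTree the argument of the {@code search} call to examine
     * @param methodInvocationTree the enclosing {@code search} invocation
     */
    private void checkDirContextArg(ExpressionTree expressionTree, MethodInvocationTree methodInvocationTree) {
        if (expressionTree.symbolType().is("java.lang.String") && isDynamicString(methodInvocationTree, expressionTree, null)) {
            createIssue(expressionTree);
        }
    }

    /**
     * Raises the rule's issue on {@code tree}. The message embeds {@code parameterName}, which
     * is written outside this method.
     *
     * @param tree the node the issue is attached to
     */
    private void createIssue(Tree tree) {
        addIssue(tree, "Make sure that \"" + this.parameterName + "\" is sanitized before use in this LDAP request.");
    }

    /**
     * Decides whether the {@code String[]} passed to {@code setReturningAttributes} must be
     * reported.
     *
     * <p>Any expression that is not an array-creation expression (a variable, a field, a method
     * call) is treated as dynamic without further analysis, so a constant array held in a field
     * is still reported. For an array-creation expression, the result is true as soon as one
     * initializer is classified as dynamic; an array with no initializers is not reported.
     *
     * @param expressionTree the array argument
     * @param methodInvocationTree the enclosing {@code setReturningAttributes} invocation
     * @return true when the argument should be reported
     */
    private boolean isDynamicArray(ExpressionTree expressionTree, MethodInvocationTree methodInvocationTree) {
        if (!expressionTree.is(Tree.Kind.NEW_ARRAY)) {
            // Name the argument itself in the issue message.
            setParameterNameFromArgument(expressionTree);
            return true;
        }
        // parameterName is not assigned on this path; presumably isDynamicString records the
        // offending element, verify in AbstractInjectionChecker.
        for (ExpressionTree initializer : ((NewArrayTree) expressionTree).initializers()) {
            if (isDynamicString(methodInvocationTree, initializer, null)) {
                return true;
            }
        }
        return false;
    }

    /** Returns true when {@code hasSemantic()} holds and the call is a {@code DirContext.search}. */
    private boolean isDirContextSearchCall(MethodInvocationTree methodInvocationTree) {
        return hasSemantic() && LDAP_SEARCH_MATCHER.matches(methodInvocationTree);
    }

    /**
     * Returns true when {@code hasSemantic()} holds and the call is
     * {@code SearchControls.setReturningAttributes(String[])}.
     */
    private boolean isSearchControlCall(MethodInvocationTree methodInvocationTree) {
        return hasSemantic() && SEARCH_CONTROLS_MATCHER.matches(methodInvocationTree);
    }
}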
