package org.owasp.webgoat.plugin;

import com.google.common.base.Function;
import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileFilter;
import java.io.FileReader;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.HR;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.apache.xalan.templates.Constants;
import org.apache.xml.serializer.SerializerConstants;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;

/* loaded from: input_file:WebGoat.war:plugin_lessons/path-based-access-control-1.0.jar:org/owasp/webgoat/plugin/PathBasedAccessControl.class */
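/**
 * WebGoat lesson "Bypass a Path Based Access Control Scheme".
 *
 * <p>The page offers a pull-down of lesson-plan HTML files and renders the one
 * selected. The path of the file to show is built by concatenating the raw
 * {@code File} request parameter onto a lesson directory; the only "protection"
 * is a heuristic count of {@code ..} segments in {@link #upDirCount(String)}.
 * That weakness is the teaching point of the lesson and is deliberately kept
 * here. Production code must not do this: canonicalise the resolved path and
 * reject anything that does not start with the allowed base directory (or map an
 * opaque identifier to a server-side allow-list instead of accepting a path).
 *
 * <p>This is decompiled source; the method bodies have been tidied (typed
 * collections, the file reader is now closed, duplicated checks removed)
 * without changing the lesson's observable behaviour.
 */
public class PathBasedAccessControl extends LessonAdapter {
    /** Name of the request parameter carrying the user's file selection. */
    private static final String FILE = "File";
    /** Position of this lesson in the lesson menu; see {@link #getDefaultRanking()}. */
    private static final Integer DEFAULT_RANKING = Integer.valueOf(115);
    /** Files longer than this many bytes are not rendered (see {@link #displayAttemptedFile}). */
    private static final long MAX_DISPLAY_BYTES = 80000L;
    /** Once more than this many files are collected, no further directories are descended into. */
    private static final int MAX_HTML_FILES = 20;

    /**
     * Builds the lesson page: the file pull-down plus, when a file was
     * requested, the outcome of the (intentionally weak) access check and the
     * file content.
     *
     * @param webSession current user session; supplies the request parameters
     *                   and receives the feedback messages
     * @return the page content; on any failure only the table and an
     *         "ErrorGenerating" message are produced
     */
    @Override
    public Element createContent(WebSession webSession) {
        ElementContainer content = new ElementContainer();
        try {
            Table table = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign("center");
            if (webSession.isColor()) {
                table.setBorder(1);
            }
            // Candidates are the lessonPlans/en/*.html files of the sibling lesson directories.
            List<File> htmlFiles = findHtmlFiles(LessonUtil.getLessonDirectory(webSession, this).getParentFile());
            String[] fileNames = fileNamesOf(htmlFiles);
            // htmlFiles.get(0) throws when nothing was found; the catch below turns
            // that into the generic "ErrorGenerating" message, as before.
            String intro = " <p><B>" + getLabelManager().get("CurrentDirectory") + "</B> "
                    + Encoding.urlDecode(htmlFiles.get(0).getParent()) + "<br><br>"
                    + getLabelManager().get("ChooseFileToView") + "</p>";
            TR introRow = new TR();
            introRow.addElement(new TD().setColSpan(2).addElement(new StringElement(intro)));
            table.addElement(introRow);
            TR formRow = new TR();
            formRow.addElement(new TD().setWidth("35%").addElement(ECSFactory.makePulldown(FILE, fileNames, "", 15)));
            formRow.addElement(new TD().addElement(ECSFactory.makeButton(getLabelManager().get("ViewFile"))));
            table.addElement(formRow);
            content.addElement(table);

            String requested = webSession.getParser().getRawParameter(FILE, "");
            if (!requested.equals("")) {
                handleFileRequest(webSession, content, requested, htmlFiles);
            }
        } catch (Exception e) {
            webSession.setMessage(getLabelManager().get("ErrorGenerating") + getClass().getName());
            e.printStackTrace(); // the lesson base class offers no logger here
        }
        return content;
    }

    /** Returns the plain file names of {@code files}, in order, for the pull-down. */
    private static String[] fileNamesOf(List<File> files) {
        List<String> names = new ArrayList<String>(files.size());
        for (File f : files) {
            names.add(f.getName());
        }
        return names.toArray(new String[names.size()]);
    }

    /**
     * Applies the lesson's traversal heuristics to the requested name and, unless
     * one of them fires, resolves the file and displays it.
     *
     * <p>The heuristics only look at how many {@code ..} segments the string
     * contains; they are the vulnerability under study, not a real control.
     *
     * @param webSession session receiving feedback messages
     * @param content    page container the file view is appended to
     * @param requested  raw, non-empty value of the {@code File} parameter
     * @param htmlFiles  the known lesson-plan files, used for guidance messages
     * @throws Exception from path canonicalisation or the guidance helper
     */
    private void handleFileRequest(WebSession webSession, ElementContainer content,
            String requested, List<File> htmlFiles) throws Exception {
        boolean blocked = true;
        int parentSegments = upDirCount(requested);
        if (parentSegments == 3 && !requested.endsWith("LICENSE")) {
            webSession.setMessage(getLabelManager().get("AccessDenied"));
            webSession.setMessage(getLabelManager().get("ItAppears1"));
        } else if (parentSegments > 5) {
            webSession.setMessage(getLabelManager().get("AccessDenied"));
            webSession.setMessage(getLabelManager().get("ItAppears2"));
        } else {
            blocked = false;
        }
        // Runs even when blocked: it only emits guidance messages to the user.
        File guided = guideTheAtack(webSession, requested, htmlFiles);
        if (blocked) {
            return;
        }
        // Path is built from the raw parameter; no canonical-path containment check (by design of the lesson).
        File target = new File(LessonUtil.getLessonDirectory(webSession, this) + "/lessonPlans/en/" + requested);
        if (guided != null) {
            target = guided;
        } else if (target.isFile() && target.exists()) {
            webSession.setMessage(getLabelManager().get("CongratsAccessToFileAllowed") + " ==> "
                    + Encoding.urlDecode(target.getCanonicalPath()));
            makeSuccess(webSession);
        } else {
            webSession.setMessage(getLabelManager().get("AccessToFileDenied1") + Encoding.urlDecode(requested)
                    + getLabelManager().get("AccessToFileDenied2"));
        }
        displayAttemptedFile(content, target);
    }

    /**
     * Appends a view of {@code file} to {@code content}: a header naming the file,
     * then its text converted to an HTML fragment. Files over
     * {@link #MAX_DISPLAY_BYTES} or containing a NUL character are refused; any
     * error is rendered inline as a "TheFollowingError" message.
     *
     * @param content page container to append to
     * @param file    file to show (may not exist; then only the header is shown)
     */
    private void displayAttemptedFile(ElementContainer content, File file) {
        try {
            content.addElement(new BR());
            content.addElement(new BR());
            content.addElement(new HR().setWidth("100%"));
            if (file.isFile()) {
                content.addElement(getLabelManager().get("ViewingFile") + file.getCanonicalPath());
            } else {
                content.addElement(getLabelManager().get("ViewingFile") + file.getName());
            }
            content.addElement(new HR().setWidth("100%"));
            if (file.length() > MAX_DISPLAY_BYTES) {
                throw new IllegalArgumentException(getLabelManager().get("FileTooLarge"));
            }
            // Platform default charset, as before; the reader is closed even if the helper throws.
            BufferedReader reader = new BufferedReader(new FileReader(file));
            String text;
            try {
                text = getFileText(reader, false);
            } finally {
                reader.close();
            }
            if (text.indexOf(0) != -1) { // a NUL character is taken as "binary"
                throw new IllegalArgumentException(getLabelManager().get("FileBinary"));
            }
            content.addElement(new StringElement(toDisplayHtml(text)));
        } catch (Exception e) {
            content.addElement(new BR());
            content.addElement(getLabelManager().get("TheFollowingError"));
            content.addElement(e.getMessage());
        }
    }

    /**
     * Converts raw file text to the fragment shown in the page: line separators
     * become {@code <br>}, everything up to {@code </head>} is dropped, blank
     * lines are collapsed, {@code <?} becomes {@code &lt;} (the {@code ?} is
     * dropped) and {@code <r}/{@code <u}/{@code <t} get a leading {@code &lt;}.
     * This is not a general HTML escaper; all other content is emitted as is.
     *
     * @param text file content
     * @return HTML fragment
     */
    private static String toDisplayHtml(String text) {
        return text
                .replaceAll(System.getProperty("line.separator"), "<br>")
                .replaceAll("(?s)<!DOCTYPE.*/head>", "")
                .replaceAll("<br><br>", "<br>")
                .replaceAll("<br>\\s<br>", "<br>")
                .replaceAll("<\\?", SerializerConstants.ENTITY_LT)
                .replaceAll("<(r|u|t)", "&lt;$1");
    }

    /**
     * Produces the lesson's guidance messages for a requested name and returns
     * the known lesson-plan file it matches, if any.
     *
     * <p>The last path segment of {@code requested} (separator included, when
     * present) minus a trailing {@code .html} is used as a lesson-directory name
     * to build a comparison path; a known file matches when its name equals
     * either {@code requested} or that path's file name.
     *
     * @param webSession session receiving the messages
     * @param requested  raw {@code File} parameter value
     * @param knownFiles lesson-plan files found by {@link #findHtmlFiles(File)}
     * @return the matching known file, or {@code null} when none matches
     * @throws Exception if the matched file's canonical path cannot be resolved
     */
    private File guideTheAtack(WebSession webSession, String requested, List<File> knownFiles) throws Exception {
        int sepAt = requested.lastIndexOf(System.getProperty("file.separator"));
        if (sepAt == -1) {
            sepAt = 0;
        }
        String lessonName = requested.substring(sepAt);
        if (lessonName.length() >= ".html".length()) {
            lessonName = lessonName.substring(0, lessonName.length() - ".html".length());
        }
        File expected = new File(LessonUtil.getLessonDirectory(webSession, this).getParent()
                + "/" + lessonName + "/lessonPlans/en/" + requested);
        File match = null;
        for (File candidate : knownFiles) {
            if (candidate.getName().equals(requested) || candidate.getName().equals(expected.getName())) {
                match = candidate; // last match wins, as before
            }
        }
        if (match != null && match.isFile() && match.exists()) {
            String canonical = Encoding.urlDecode(match.getCanonicalPath());
            if (upDirCount(requested) >= 1) {
                webSession.setMessage(getLabelManager().get("OnTheRightPath") + " ==> " + canonical);
            } else {
                webSession.setMessage(getLabelManager().get("FileInAllowedDirectory") + " ==> " + canonical);
            }
        }
        if (webSession.isDebug()) {
            webSession.setMessage(getLabelManager().get(FILE) + requested);
            if (match != null) {
                webSession.setMessage(getLabelManager().get("Dir") + match.getParentFile());
                webSession.setMessage(getLabelManager().get("IsFile") + match.isFile());
                webSession.setMessage(getLabelManager().get("Exists") + match.exists());
            }
        }
        return match;
    }

    /**
     * Recursively collects files named {@code *html} that sit in a
     * {@code lessonPlans/en} directory below {@code dir}. Descent into further
     * sub-directories stops once more than {@link #MAX_HTML_FILES} files have
     * been collected.
     *
     * @param dir directory to scan
     * @return the matching files, in directory-listing order
     */
    public List<File> findHtmlFiles(File dir) {
        final List<File> found = new ArrayList<File>();
        // listFiles is used only for its callback: the filter never accepts,
        // so the returned array is empty and discarded.
        dir.listFiles(new FileFilter() {
            @Override
            public boolean accept(File candidate) {
                if (candidate.isDirectory()) {
                    if (found.size() > MAX_HTML_FILES) {
                        return false;
                    }
                    found.addAll(PathBasedAccessControl.this.findHtmlFiles(candidate));
                    return false;
                }
                if (candidate.isFile()
                        && candidate.getName().endsWith("html")
                        && candidate.getParentFile().getName().equals("en")
                        && candidate.getParentFile().getParentFile().getName().equals("lessonPlans")) {
                    found.add(candidate);
                }
                return false;
            }
        });
        return found;
    }

    /**
     * Counts occurrences of the parent-directory token ({@code Constants.ATTRVAL_PARENT},
     * i.e. {@code ..}) in {@code path}. Overlapping occurrences are counted
     * separately ({@code ...} counts twice). This is the lesson's only
     * traversal "check" and is deliberately insufficient.
     *
     * @param path raw parameter value
     * @return number of occurrences, 0 for none
     */
    private int upDirCount(String path) {
        int count = 0;
        int at = path.indexOf(Constants.ATTRVAL_PARENT);
        while (at != -1) {
            count++;
            at = path.indexOf(Constants.ATTRVAL_PARENT, at + 1);
        }
        return count;
    }

    /** @return the access-control lesson category */
    @Override
    protected Category getDefaultCategory() {
        return Category.ACCESS_CONTROL;
    }

    /**
     * @param webSession current session (unused; hints are static labels)
     * @return the four lesson hints, in order
     */
    @Override
    protected List<String> getHints(WebSession webSession) {
        List<String> hints = new ArrayList<String>(4);
        hints.add(getLabelManager().get("PathBasedAccessControlHint1"));
        hints.add(getLabelManager().get("PathBasedAccessControlHint2"));
        hints.add(getLabelManager().get("PathBasedAccessControlHint3"));
        hints.add(getLabelManager().get("PathBasedAccessControlHint4"));
        return hints;
    }

    /**
     * @param webSession current session; its user name is spliced into the text
     * @return the lesson instructions
     */
    @Override
    public String getInstructions(WebSession webSession) {
        return getLabelManager().get("PathBasedAccessControlInstr1") + webSession.getUserName()
                + getLabelManager().get("PathBasedAccessControlInstr2");
    }

    /** @return {@link #DEFAULT_RANKING} */
    @Override
    protected Integer getDefaultRanking() {
        return DEFAULT_RANKING;
    }

    /** @return the lesson title shown in the menu */
    @Override
    public String getTitle() {
        return "Bypass a Path Based Access Control Scheme";
    }
}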
