package org.sonar.java.checks.security;

import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;
import org.sonar.check.Rule;
import org.sonar.java.matcher.MethodMatcher;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.semantic.Type;
import org.sonar.plugins.java.api.tree.ExpressionTree;
import org.sonar.plugins.java.api.tree.IdentifierTree;
import org.sonar.plugins.java.api.tree.ListTree;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.NewArrayTree;
import org.sonar.plugins.java.api.tree.Tree;

@Rule(key = "S2612")
/* loaded from: input_file:org/sonar/java/checks/security/FilePermissionsCheck.class */
public class FilePermissionsCheck extends IssuableSubscriptionVisitor {
    private static final String ISSUE_MESSAGE = "Make sure this permission is safe.";
    private static final Set<String> POSIX_OTHER_PERMISSIONS = new HashSet(Arrays.asList("OTHERS_READ", "OTHERS_WRITE", "OTHERS_EXECUTE"));
    private static final String JAVA_LANG_STRING = "java.lang.String";
    private static final MethodMatcher POSIX_FILE_PERMISSIONS_FROM_STRING = MethodMatcher.create().name("fromString").typeDefinition("java.nio.file.attribute.PosixFilePermissions").parameters(new String[]{JAVA_LANG_STRING});
    private static final MethodMatcher RUNTIME_EXEC = MethodMatcher.create().name("exec").typeDefinition("java.lang.Runtime").withAnyParameters();
    private static final Pattern CHMOD_OCTAL_PATTERN = Pattern.compile("(^|\\s)[0-7]{2,3}[1-7](\\s|$)");
    private static final Pattern SIMPLIFIED_CHMOD_OTHER_PATTERN = Pattern.compile("(^|\\s|,)([ug]*+[ao][ugao]*+)?[+=][sStT]*+[rwxX][rwxXsStT]*+(\\s|,|$)");

    public List<Tree.Kind> nodesToVisit() {
        return Arrays.asList(Tree.Kind.IDENTIFIER, Tree.Kind.METHOD_INVOCATION);
    }

    public void visitNode(Tree tree) {
        if (tree.is(new Tree.Kind[]{Tree.Kind.IDENTIFIER})) {
            checkIdentifier((IdentifierTree) tree);
        } else {
            checkMethodInvocation((MethodInvocationTree) tree);
        }
    }

    private void checkIdentifier(IdentifierTree identifierTree) {
        if (isPosixPermission(identifierTree) && isBeingAdded(identifierTree)) {
            reportIssue(identifierTree, ISSUE_MESSAGE);
        }
    }

    private static boolean isPosixPermission(IdentifierTree identifierTree) {
        return POSIX_OTHER_PERMISSIONS.contains(identifierTree.name()) && identifierTree.symbolType().isSubtypeOf("java.nio.file.attribute.PosixFilePermission");
    }

    private static boolean isBeingAdded(IdentifierTree identifierTree) {
        MethodInvocationTree parent = identifierTree.parent();
        while (true) {
            MethodInvocationTree methodInvocationTree = parent;
            if (methodInvocationTree == null) {
                return false;
            }
            if (methodInvocationTree.is(new Tree.Kind[]{Tree.Kind.METHOD_INVOCATION}) && methodInvocationTree.symbol().name().contains("add")) {
                return true;
            }
            parent = methodInvocationTree.parent();
        }
    }

    private void checkMethodInvocation(MethodInvocationTree methodInvocationTree) {
        if (POSIX_FILE_PERMISSIONS_FROM_STRING.matches(methodInvocationTree)) {
            ExpressionTree expressionTree = (ExpressionTree) methodInvocationTree.arguments().get(0);
            if (sensitivePermissionsAsString(expressionTree)) {
                reportIssue(expressionTree, ISSUE_MESSAGE);
                return;
            }
            return;
        }
        if (RUNTIME_EXEC.matches(methodInvocationTree)) {
            ExpressionTree expressionTree2 = (ExpressionTree) methodInvocationTree.arguments().get(0);
            Type symbolType = expressionTree2.symbolType();
            if (symbolType.is(JAVA_LANG_STRING)) {
                checkExecSingleStringArgument(expressionTree2);
            } else if (symbolType.is("java.lang.String[]") && expressionTree2.is(new Tree.Kind[]{Tree.Kind.NEW_ARRAY})) {
                checkExecStringArrayArgument((NewArrayTree) expressionTree2);
            }
        }
    }

    private static boolean sensitivePermissionsAsString(ExpressionTree expressionTree) {
        return expressionTree.asConstant(String.class).filter(str -> {
            return str.length() == 9;
        }).filter(str2 -> {
            return !str2.endsWith("---");
        }).isPresent();
    }

    private void checkExecSingleStringArgument(ExpressionTree expressionTree) {
        if (chmodCommand(expressionTree).filter(FilePermissionsCheck::isSensisitiveChmodMode).isPresent()) {
            reportIssue(expressionTree, ISSUE_MESSAGE);
        }
    }

    private void checkExecStringArrayArgument(NewArrayTree newArrayTree) {
        ListTree initializers = newArrayTree.initializers();
        if (initializers.size() < 3 || !chmodCommand((ExpressionTree) initializers.get(0)).isPresent()) {
            return;
        }
        for (int i = 1; i < initializers.size(); i++) {
            ExpressionTree expressionTree = (ExpressionTree) initializers.get(i);
            if (expressionTree.asConstant(String.class).filter(FilePermissionsCheck::isSensisitiveChmodMode).isPresent()) {
                reportIssue(expressionTree, ISSUE_MESSAGE);
            }
        }
    }

    private static Optional<String> chmodCommand(ExpressionTree expressionTree) {
        return expressionTree.asConstant(String.class).filter(str -> {
            return str.contains("chmod");
        });
    }

    private static boolean isSensisitiveChmodMode(String str) {
        return CHMOD_OCTAL_PATTERN.matcher(str).find() || SIMPLIFIED_CHMOD_OTHER_PATTERN.matcher(str).find();
    }
}
