package org.sonar.java.checks;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.Lists;
import java.util.Iterator;
import java.util.List;
import org.sonar.check.Priority;
import org.sonar.check.Rule;
import org.sonar.java.tag.Tag;
import org.sonar.plugins.java.api.JavaFileScannerContext;
import org.sonar.plugins.java.api.semantic.Symbol;
import org.sonar.plugins.java.api.tree.ExpressionTree;
import org.sonar.plugins.java.api.tree.IdentifierTree;
import org.sonar.plugins.java.api.tree.LiteralTree;
import org.sonar.plugins.java.api.tree.MemberSelectExpressionTree;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.Tree;
import org.sonar.plugins.java.api.tree.VariableTree;
import org.sonar.squidbridge.annotations.ActivatedByDefault;
import org.sonar.squidbridge.annotations.SqaleConstantRemediation;
import org.sonar.squidbridge.annotations.SqaleSubCharacteristic;

/**
 * Rule S2092 ("Cookies should be secure"): reports a method-local {@code javax.servlet.http.Cookie}
 * variable that is initialised with a constructor call and never receives a {@code setSecure(...)}
 * call on that same variable within the file.
 *
 * <p>Tracking is deliberately narrow, which matters when reading its results:
 * <ul>
 *   <li>only locals whose initializer is a {@code new ...} expression are tracked; cookies held in
 *       fields, parameters, or assigned after declaration are never reported;</li>
 *   <li>any single-argument {@code setSecure} call on the variable counts as securing it, unless
 *       the argument is the boolean literal {@code false}. A non-literal argument that evaluates
 *       to {@code false} at runtime (for example a configuration flag) therefore silences the
 *       issue;</li>
 *   <li>the call must be made through the variable identifier itself
 *       ({@code cookie.setSecure(..)}); an unqualified call is not matched to a tracked cookie.</li>
 * </ul>
 *
 * <p>Issues are raised on the variable's declaration name once the whole file has been visited.
 * The visitor only does anything when semantic (type) information is available.
 */
@SqaleSubCharacteristic("SECURITY_FEATURES")
@Rule(key = "S2092", name = "Cookies should be \"secure\"", priority = Priority.CRITICAL, tags = {"cwe", Tag.OWASP_A2, Tag.OWASP_A6, "security"})
@ActivatedByDefault
@SqaleConstantRemediation("5min")
/* loaded from: input_file:META-INF/lib/java-checks-3.10.jar:org/sonar/java/checks/SecureCookieCheck.class */
public class SecureCookieCheck extends SubscriptionBaseVisitor {

    private static final String COOKIE_TYPE = "javax.servlet.http.Cookie";
    private static final String SET_SECURE = "setSecure";
    private static final String ISSUE_MESSAGE = "Add the \"secure\" attribute to this cookie";

    /** Cookie locals declared so far in the current file that have not yet been secured. */
    private final List<Symbol.VariableSymbol> unsecuredCookies = Lists.newArrayList();

    /** Subscribes to variable declarations (to start tracking) and method calls (to stop tracking). */
    @Override
    public List<Tree.Kind> nodesToVisit() {
        return ImmutableList.of(Tree.Kind.VARIABLE, Tree.Kind.METHOD_INVOCATION);
    }

    /**
     * Scans one file and then reports every tracked cookie that was never secured.
     *
     * @param javaFileScannerContext context of the file being analysed
     */
    @Override
    public void scanFile(JavaFileScannerContext javaFileScannerContext) {
        unsecuredCookies.clear();
        super.scanFile(javaFileScannerContext);
        // Whatever survived the full traversal never had a matching setSecure(...) call.
        for (Symbol.VariableSymbol cookie : unsecuredCookies) {
            reportIssue(cookie.declaration().simpleName(), ISSUE_MESSAGE);
        }
    }

    /**
     * Dispatches a subscribed node to the declaration or call handler.
     *
     * @param tree a VARIABLE or METHOD_INVOCATION node
     */
    @Override
    public void visitNode(Tree tree) {
        // Both handlers rely on resolved types and symbols; without them nothing can be decided.
        if (!hasSemantic()) {
            return;
        }
        if (tree.is(Tree.Kind.VARIABLE)) {
            addToUnsecuredCookies((VariableTree) tree);
        } else if (tree.is(Tree.Kind.METHOD_INVOCATION)) {
            checkSecureCall((MethodInvocationTree) tree);
        }
    }

    /**
     * Starts tracking {@code variableTree} when it is a method-local Cookie created via a constructor.
     *
     * @param variableTree the declaration being visited
     */
    private void addToUnsecuredCookies(VariableTree variableTree) {
        boolean cookieFromConstructor = variableTree.type().symbolType().is(COOKIE_TYPE)
            && isConstructorInitialized(variableTree);
        if (!cookieFromConstructor) {
            return;
        }
        Symbol declared = variableTree.symbol();
        // Fields and parameters have a non-method owner and are intentionally left untracked.
        if (declared.isVariableSymbol() && declared.owner().isMethodSymbol()) {
            unsecuredCookies.add((Symbol.VariableSymbol) declared);
        }
    }

    /**
     * Stops tracking the receiver of a qualifying {@code identifier.setSecure(...)} call.
     *
     * @param methodInvocationTree the call being visited
     */
    private void checkSecureCall(MethodInvocationTree methodInvocationTree) {
        if (!isSetSecureCall(methodInvocationTree)) {
            return;
        }
        ExpressionTree select = methodInvocationTree.methodSelect();
        if (!select.is(Tree.Kind.MEMBER_SELECT)) {
            return;
        }
        ExpressionTree receiver = ((MemberSelectExpressionTree) select).expression();
        if (receiver.is(Tree.Kind.IDENTIFIER)) {
            // Removal relies on the identifier's symbol being equal to the one stored at declaration.
            unsecuredCookies.remove(((IdentifierTree) receiver).symbol());
        }
    }

    /** Whether the variable is declared with an initializer of the form {@code new ...}. */
    private static boolean isConstructorInitialized(VariableTree variableTree) {
        ExpressionTree init = variableTree.initializer();
        if (init == null) {
            return false;
        }
        return init.is(Tree.Kind.NEW_CLASS);
    }

    /**
     * Whether the call is a one-argument {@code Cookie.setSecure(...)} whose argument is not the
     * literal {@code false}.
     *
     * @param methodInvocationTree the call to inspect
     * @return {@code true} when the call is treated as securing its receiver
     */
    private static boolean isSetSecureCall(MethodInvocationTree methodInvocationTree) {
        Symbol invoked = methodInvocationTree.symbol();
        if (methodInvocationTree.arguments().size() != 1) {
            return false;
        }
        if (!isCallSiteCookie(invoked)) {
            return false;
        }
        ExpressionTree argument = (ExpressionTree) methodInvocationTree.arguments().get(0);
        // setSecure(false) is an explicit opt-out, so it must not clear the issue.
        boolean literalFalse = argument.is(Tree.Kind.BOOLEAN_LITERAL)
            && "false".equals(((LiteralTree) argument).value());
        if (literalFalse) {
            return false;
        }
        return SET_SECURE.equals(getIdentifier(methodInvocationTree).name());
    }

    /** Whether {@code symbol} is a method declared on {@code javax.servlet.http.Cookie}. */
    private static boolean isCallSiteCookie(Symbol symbol) {
        if (!symbol.isMethodSymbol()) {
            return false;
        }
        return symbol.owner().type().is(COOKIE_TYPE);
    }

    /**
     * The identifier naming the invoked method, for both {@code foo()} and {@code x.foo()} forms.
     * Any other method-select shape is cast to a member select, as in the original implementation.
     */
    private static IdentifierTree getIdentifier(MethodInvocationTree methodInvocationTree) {
        ExpressionTree select = methodInvocationTree.methodSelect();
        if (select.is(Tree.Kind.IDENTIFIER)) {
            return (IdentifierTree) select;
        }
        return ((MemberSelectExpressionTree) select).identifier();
    }
}
