package org.sonar.java.checks.security;

import com.sun.xml.bind.v2.util.XmlFactory;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.function.Predicate;
import javax.annotation.CheckForNull;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.validation.Schema;
import javax.xml.validation.Validator;
import org.apache.commons.lang.StringUtils;
import org.sonar.check.Rule;
import org.sonar.java.checks.helpers.ConstantUtils;
import org.sonar.java.matcher.MethodMatcher;
import org.sonar.java.matcher.TypeCriteria;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.tree.Arguments;
import org.sonar.plugins.java.api.tree.BaseTreeVisitor;
import org.sonar.plugins.java.api.tree.ExpressionTree;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.MethodTree;
import org.sonar.plugins.java.api.tree.Tree;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;

@Rule(key = "S2755")
/* loaded from: input_file:org/sonar/java/checks/security/XmlExternalEntityProcessingCheck.class */
public class XmlExternalEntityProcessingCheck extends IssuableSubscriptionVisitor {
    private static final String XML_INPUT_FACTORY_CLASS_NAME = XMLInputFactory.class.getName();
    private static final String SAX_PARSER_FACTORY_CLASS_NAME = SAXParserFactory.class.getName();
    private static final String XML_READER_FACTORY_CLASS_NAME = XMLReaderFactory.class.getName();
    private static final String XML_READER_CLASS_NAME = XMLReader.class.getName();
    private static final String DOCUMENT_BUILDER_FACTORY_CLASS_NAME = DocumentBuilderFactory.class.getName();
    private static final String VALIDATOR_CLASS_NAME = Validator.class.getName();
    private static final String SCHEMA_CLASS_NAME = Schema.class.getName();
    private static final MethodMatcher CREATE_XML_READER_MATCHER = MethodMatcher.create().typeDefinition(XML_READER_FACTORY_CLASS_NAME).name("createXMLReader").withAnyParameters();
    private static final MethodMatcher CREATE_VALIDATOR = MethodMatcher.create().typeDefinition(SCHEMA_CLASS_NAME).name("newValidator").withAnyParameters();
    private static final String JAVA_LANG_STRING = "java.lang.String";
    private final List<XxeCheck> xxeChecks = Arrays.asList(new XxeCheck(newInstanceMethod(XML_INPUT_FACTORY_CLASS_NAME), new XMLInputFactorySecuringPredicate()), new XxeCheck(newInstanceMethod(SAX_PARSER_FACTORY_CLASS_NAME), new SecureProcessingFeaturePredicate(SAX_PARSER_FACTORY_CLASS_NAME)), new XxeCheck(newInstanceMethod(DOCUMENT_BUILDER_FACTORY_CLASS_NAME), new SecureProcessingFeaturePredicate(DOCUMENT_BUILDER_FACTORY_CLASS_NAME)), new XxeCheck(CREATE_XML_READER_MATCHER, new SecureProcessingFeaturePredicate(XML_READER_CLASS_NAME)), new XxeCheck(CREATE_VALIDATOR, new AccessExternalDTDOrSchemaPredicate(VALIDATOR_CLASS_NAME)));

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/sonar/java/checks/security/XmlExternalEntityProcessingCheck$AccessExternalDTDOrSchemaPredicate.class */
    public static class AccessExternalDTDOrSchemaPredicate implements Predicate<MethodInvocationTree> {
        private final MethodMatcher methodMatcher;
        private boolean externalDTDDisabled;
        private boolean externalSchemaDisabled;

        private AccessExternalDTDOrSchemaPredicate(String str) {
            this.externalDTDDisabled = false;
            this.externalSchemaDisabled = false;
            this.methodMatcher = setPropertyMethodMatcher(str);
        }

        @Override // java.util.function.Predicate
        public boolean test(MethodInvocationTree methodInvocationTree) {
            if (!this.methodMatcher.matches(methodInvocationTree)) {
                return false;
            }
            Arguments arguments = methodInvocationTree.arguments();
            String resolveAsStringConstant = ConstantUtils.resolveAsStringConstant((ExpressionTree) arguments.get(0));
            String resolveAsStringConstant2 = ConstantUtils.resolveAsStringConstant((ExpressionTree) arguments.get(1));
            if (StringUtils.EMPTY.equals(resolveAsStringConstant2) && XmlFactory.ACCESS_EXTERNAL_DTD.equals(resolveAsStringConstant)) {
                this.externalDTDDisabled = true;
            }
            if (StringUtils.EMPTY.equals(resolveAsStringConstant2) && XmlFactory.ACCESS_EXTERNAL_SCHEMA.equals(resolveAsStringConstant)) {
                this.externalSchemaDisabled = true;
            }
            return this.externalDTDDisabled && this.externalSchemaDisabled;
        }

        private static MethodMatcher setPropertyMethodMatcher(String str) {
            return MethodMatcher.create().typeDefinition(TypeCriteria.subtypeOf(str)).name("setProperty").parameters(XmlExternalEntityProcessingCheck.JAVA_LANG_STRING, "java.lang.Object");
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/sonar/java/checks/security/XmlExternalEntityProcessingCheck$MethodVisitor.class */
    public static class MethodVisitor extends BaseTreeVisitor {
        private final Predicate<MethodInvocationTree> securingInvocationPredicate;
        private boolean isExternalEntityProcessingDisabled;

        private MethodVisitor(Predicate<MethodInvocationTree> predicate) {
            this.isExternalEntityProcessingDisabled = false;
            this.securingInvocationPredicate = predicate;
        }

        @Override // org.sonar.plugins.java.api.tree.BaseTreeVisitor, org.sonar.plugins.java.api.tree.TreeVisitor
        public void visitMethodInvocation(MethodInvocationTree methodInvocationTree) {
            if (this.securingInvocationPredicate.test(methodInvocationTree)) {
                this.isExternalEntityProcessingDisabled = true;
            }
            super.visitMethodInvocation(methodInvocationTree);
        }
    }

    /* loaded from: input_file:org/sonar/java/checks/security/XmlExternalEntityProcessingCheck$SecureProcessingFeaturePredicate.class */
    private static class SecureProcessingFeaturePredicate implements Predicate<MethodInvocationTree> {
        private final MethodMatcher methodMatcher;

        private SecureProcessingFeaturePredicate(String str) {
            this.methodMatcher = setFeatureMethodMatcher(str);
        }

        @Override // java.util.function.Predicate
        public boolean test(MethodInvocationTree methodInvocationTree) {
            if (!this.methodMatcher.matches(methodInvocationTree)) {
                return false;
            }
            Arguments arguments = methodInvocationTree.arguments();
            String resolveAsStringConstant = ConstantUtils.resolveAsStringConstant((ExpressionTree) arguments.get(0));
            return Boolean.TRUE.equals(ConstantUtils.resolveAsBooleanConstant((ExpressionTree) arguments.get(1))) && ("http://javax.xml.XMLConstants/feature/secure-processing".equals(resolveAsStringConstant) || "http://apache.org/xml/features/disallow-doctype-decl".equals(resolveAsStringConstant));
        }

        private static MethodMatcher setFeatureMethodMatcher(String str) {
            return MethodMatcher.create().typeDefinition(TypeCriteria.subtypeOf(str)).name("setFeature").parameters(XmlExternalEntityProcessingCheck.JAVA_LANG_STRING, "boolean");
        }
    }

    /* loaded from: input_file:org/sonar/java/checks/security/XmlExternalEntityProcessingCheck$XMLInputFactorySecuringPredicate.class */
    private static class XMLInputFactorySecuringPredicate implements Predicate<MethodInvocationTree> {
        private static final MethodMatcher SET_PROPERTY = MethodMatcher.create().typeDefinition(TypeCriteria.subtypeOf(XmlExternalEntityProcessingCheck.XML_INPUT_FACTORY_CLASS_NAME)).name("setProperty").parameters(XmlExternalEntityProcessingCheck.JAVA_LANG_STRING, "java.lang.Object");

        private XMLInputFactorySecuringPredicate() {
        }

        @Override // java.util.function.Predicate
        public boolean test(MethodInvocationTree methodInvocationTree) {
            Arguments arguments = methodInvocationTree.arguments();
            if (!SET_PROPERTY.matches(methodInvocationTree)) {
                return false;
            }
            String resolveAsStringConstant = ConstantUtils.resolveAsStringConstant((ExpressionTree) arguments.get(0));
            if (!"javax.xml.stream.isSupportingExternalEntities".equals(resolveAsStringConstant) && !"javax.xml.stream.supportDTD".equals(resolveAsStringConstant)) {
                return false;
            }
            return Boolean.FALSE.equals(ConstantUtils.resolveAsBooleanConstant((ExpressionTree) arguments.get(1)));
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/sonar/java/checks/security/XmlExternalEntityProcessingCheck$XxeCheck.class */
    public class XxeCheck {
        private final MethodMatcher triggeringInvocationMatcher;
        private final Predicate<MethodInvocationTree> securingInvocationPredicate;

        private XxeCheck(MethodMatcher methodMatcher, Predicate<MethodInvocationTree> predicate) {
            this.triggeringInvocationMatcher = methodMatcher;
            this.securingInvocationPredicate = predicate;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void checkMethodInvocation(MethodInvocationTree methodInvocationTree) {
            MethodTree enclosingMethod;
            if (!this.triggeringInvocationMatcher.matches(methodInvocationTree) || (enclosingMethod = enclosingMethod(methodInvocationTree)) == null) {
                return;
            }
            if (this.securingInvocationPredicate instanceof AccessExternalDTDOrSchemaPredicate) {
                ((AccessExternalDTDOrSchemaPredicate) this.securingInvocationPredicate).externalDTDDisabled = false;
                ((AccessExternalDTDOrSchemaPredicate) this.securingInvocationPredicate).externalSchemaDisabled = false;
            }
            MethodVisitor methodVisitor = new MethodVisitor(this.securingInvocationPredicate);
            enclosingMethod.accept(methodVisitor);
            if (methodVisitor.isExternalEntityProcessingDisabled) {
                return;
            }
            XmlExternalEntityProcessingCheck.this.reportIssue(methodInvocationTree.methodSelect(), "Disable XML external entity (XXE) processing.");
        }

        @CheckForNull
        private MethodTree enclosingMethod(Tree tree) {
            Tree tree2;
            Tree parent = tree.parent();
            while (true) {
                tree2 = parent;
                if (tree2.is(Tree.Kind.CLASS, Tree.Kind.METHOD)) {
                    break;
                }
                parent = tree2.parent();
            }
            if (tree2.is(Tree.Kind.CLASS)) {
                return null;
            }
            return (MethodTree) tree2;
        }
    }

    private static MethodMatcher newInstanceMethod(String str) {
        return MethodMatcher.create().typeDefinition(str).name("newInstance").withAnyParameters();
    }

    @Override // org.sonar.java.ast.visitors.SubscriptionVisitor
    public List<Tree.Kind> nodesToVisit() {
        return Collections.singletonList(Tree.Kind.METHOD_INVOCATION);
    }

    @Override // org.sonar.java.ast.visitors.SubscriptionVisitor
    public void visitNode(Tree tree) {
        this.xxeChecks.forEach(xxeCheck -> {
            xxeCheck.checkMethodInvocation((MethodInvocationTree) tree);
        });
    }
}
