package org.sonar.java.checks;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.annotation.CheckForNull;
import net.sf.cglib.core.Constants;
import org.sonar.check.Rule;
import org.sonar.java.checks.methods.AbstractMethodDetection;
import org.sonar.java.matcher.MethodMatcher;
import org.sonar.plugins.java.api.JavaFileScannerContext;
import org.sonar.plugins.java.api.tree.BaseTreeVisitor;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.NewClassTree;
import org.sonar.plugins.java.api.tree.Tree;

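/**
 * Rule S4510: raises an issue on every {@code new java.beans.XMLDecoder(...)} so that a
 * reviewer confirms the decoded XML comes from a trusted source.
 *
 * <p>{@code XMLDecoder} rebuilds objects by following the instructions contained in the XML
 * document, so a document supplied by an untrusted party decides which classes are instantiated
 * and which methods are called. The issue is reported on the constructor; each
 * {@code readObject} call found in the enclosing method or class is attached as a secondary
 * location, marking where the decoding actually happens.
 */
@Rule(key = "S4510")
/* loaded from: input_file:org/sonar/java/checks/XmlDeserializationCheck.class */
public class XmlDeserializationCheck extends AbstractMethodDetection {
    private static final String XML_DECODER_TYPE = "java.beans.XMLDecoder";
    private static final MethodMatcher READ_OBJECT = MethodMatcher.create().typeDefinition(XML_DECODER_TYPE).name("readObject").withAnyParameters();
    private static final String MESSAGE = "Make sure deserializing with XMLDecoder is safe here.";

    /**
     * Returns the single matcher this check listens for: any constructor of
     * {@code java.beans.XMLDecoder}, whatever its parameters.
     */
    @Override
    protected List<MethodMatcher> getMethodInvocationMatchers() {
        return Collections.singletonList(MethodMatcher.create().typeDefinition(XML_DECODER_TYPE).name(Constants.CONSTRUCTOR_NAME).withAnyParameters());
    }

    /**
     * Reports the issue on the instantiated type's identifier and attaches the related
     * {@code readObject} calls as secondary locations.
     *
     * @param newClassTree the {@code new XMLDecoder(...)} expression that matched
     */
    @Override
    protected void onConstructorFound(NewClassTree newClassTree) {
        // No value is supplied for the final argument of reportIssue.
        reportIssue(newClassTree.identifier(), MESSAGE, collectSecondaryLocations(newClassTree), null);
    }

    /**
     * Collects every {@code XMLDecoder.readObject} call located in the method or class that
     * encloses the given constructor call.
     *
     * @param newClassTree the {@code new XMLDecoder(...)} expression being reported
     * @return one location per matching call, or an empty list when no enclosing method or
     *     class exists
     */
    private static List<JavaFileScannerContext.Location> collectSecondaryLocations(NewClassTree newClassTree) {
        Tree enclosing = parentMethod(newClassTree);
        if (enclosing == null) {
            return Collections.emptyList();
        }
        final List<JavaFileScannerContext.Location> secondaryLocations = new ArrayList<>();
        enclosing.accept(new BaseTreeVisitor() {
            @Override
            public void visitMethodInvocation(MethodInvocationTree methodInvocationTree) {
                if (READ_OBJECT.matches(methodInvocationTree)) {
                    secondaryLocations.add(new JavaFileScannerContext.Location("Possible data execution", methodInvocationTree));
                }
                // Keep descending: without this the traversal stops at the outermost call, so a
                // readObject() used as an argument or receiver of another call, such as
                // consume(decoder.readObject()), would never be recorded.
                super.visitMethodInvocation(methodInvocationTree);
            }
        });
        return secondaryLocations;
    }

    /**
     * Walks up the syntax tree from the constructor call to the nearest node of kind
     * {@code METHOD} or {@code CLASS}.
     *
     * @param newClassTree the node to start from; the search begins at its parent
     * @return the nearest enclosing method or class, or {@code null} when the root is reached
     *     without finding one
     */
    @CheckForNull
    private static Tree parentMethod(NewClassTree newClassTree) {
        Tree current = newClassTree.parent();
        while (current != null && !current.is(Tree.Kind.METHOD, Tree.Kind.CLASS)) {
            current = current.parent();
        }
        return current;
    }
}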
