package org.sonar.java.checks.security;

import org.apache.xerces.impl.xs.SchemaSymbols;
import org.sonar.check.Rule;
import org.sonar.java.checks.helpers.ExpressionsHelper;
import org.sonar.java.checks.methods.AbstractMethodDetection;
import org.sonar.java.model.ExpressionUtils;
import org.sonar.java.model.LiteralUtils;
import org.sonar.plugins.java.api.semantic.MethodMatchers;
import org.sonar.plugins.java.api.tree.Arguments;
import org.sonar.plugins.java.api.tree.BaseTreeVisitor;
import org.sonar.plugins.java.api.tree.ExpressionTree;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.MethodTree;
import org.sonar.plugins.java.api.tree.Tree;

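/**
 * Rule S4435: reports {@code TransformerFactory.newInstance(...)} calls whose enclosing method
 * contains no call that restricts external entity access on a {@code TransformerFactory}.
 *
 * <p>A factory counts as secured when the enclosing method either enables the
 * secure-processing feature through {@code setFeature}, or sets both the
 * {@code accessExternalDTD} and {@code accessExternalStylesheet} attributes to the empty string
 * through {@code setAttribute}.
 *
 * <p>Limits of the heuristic, as implemented here:
 * <ul>
 *   <li>Only the enclosing method is inspected. A factory hardened in a helper method or by the
 *       caller is still reported.</li>
 *   <li>The securing calls are matched by type, not by receiver. If one method creates several
 *       factories, hardening any one of them suppresses the issue for all of them.</li>
 *   <li>A {@code newInstance} call with no enclosing method is never reported.</li>
 *   <li>Only an empty-string attribute value is recognised. Any other restriction value leaves
 *       the issue in place.</li>
 * </ul>
 *
 * <p>NOTE(review): whether the secure-processing feature alone blocks external DTD and stylesheet
 * access appears to depend on the {@code TransformerFactory} implementation in use. Confirm
 * that accepting it on its own matches the implementations the analysed code runs on.
 */
@Rule(key = "S4435")
/* loaded from: input_file:org/sonar/java/checks/security/SecureXmlTransformerCheck.class */
public class SecureXmlTransformerCheck extends AbstractMethodDetection {
    private static final String TRANSFORMER_FACTORY_CLASS_NAME = "javax.xml.transform.TransformerFactory";

    /* loaded from: input_file:org/sonar/java/checks/security/SecureXmlTransformerCheck$MethodBodyVisitor.class */
    /**
     * Walks one method and records which hardening calls it makes on any
     * {@code TransformerFactory} subtype. The flags are per visitor instance, so a fresh visitor
     * must be used for each method that is inspected.
     */
    private static class MethodBodyVisitor extends BaseTreeVisitor {
        private static final String FEATURE_SECURE_PROCESSING_PROPERTY = "http://javax.xml.XMLConstants/feature/secure-processing";
        private static final String ACCESS_EXTERNAL_DTD_PROPERTY = "http://javax.xml.XMLConstants/property/accessExternalDTD";
        private static final String ACCESS_EXTERNAL_STYLESHEET_PROPERTY = "http://javax.xml.XMLConstants/property/accessExternalStylesheet";
        // The second parameter type is spelled out as "boolean". The decompiler had substituted an
        // unrelated Xerces constant (SchemaSymbols.ATTVAL_BOOLEAN) that has the same value.
        private static final MethodMatchers SET_FEATURE = MethodMatchers.create().ofSubTypes(SecureXmlTransformerCheck.TRANSFORMER_FACTORY_CLASS_NAME).names("setFeature").addParametersMatcher("java.lang.String", "boolean").build();
        private static final MethodMatchers SET_ATTRIBUTE = MethodMatchers.create().ofSubTypes(SecureXmlTransformerCheck.TRANSFORMER_FACTORY_CLASS_NAME).names("setAttribute").addParametersMatcher("java.lang.String", "java.lang.Object").build();
        private boolean hasSecureProcessingFeature;
        private boolean hasSecuredExternalDtd;
        private boolean hasSecuredExternalStylesheet;

        private MethodBodyVisitor() {
            // Start from "nothing secured"; each flag is only ever switched on by a matching call.
            this.hasSecureProcessingFeature = false;
            this.hasSecuredExternalDtd = false;
            this.hasSecuredExternalStylesheet = false;
        }

        /**
         * Tells whether the visited method hardens a transformer factory.
         *
         * @return {@code true} if secure processing was enabled, or if both external DTD and
         *     external stylesheet access were set to the empty string
         */
        /* JADX INFO: Access modifiers changed from: private */
        public boolean foundCallsToSecuringMethods() {
            return this.hasSecureProcessingFeature || (this.hasSecuredExternalDtd && this.hasSecuredExternalStylesheet);
        }

        /**
         * Updates the hardening flags for a single method invocation, then continues the traversal.
         *
         * @param methodInvocationTree the invocation being visited
         */
        @Override // org.sonar.plugins.java.api.tree.BaseTreeVisitor, org.sonar.plugins.java.api.tree.TreeVisitor
        public void visitMethodInvocation(MethodInvocationTree methodInvocationTree) {
            Arguments arguments = methodInvocationTree.arguments();
            // setFeature(<secure-processing>, true): the feature name must resolve to the expected
            // string and the second argument must satisfy LiteralUtils.isTrue, so a flag passed
            // through a variable is presumably not recognised (confirm against LiteralUtils).
            if (SET_FEATURE.matches(methodInvocationTree)
                    && FEATURE_SECURE_PROCESSING_PROPERTY.equals(ExpressionsHelper.getConstantValueAsString((ExpressionTree) arguments.get(0)).value())
                    && LiteralUtils.isTrue((Tree) arguments.get(1))) {
                this.hasSecureProcessingFeature = true;
            }
            if (SET_ATTRIBUTE.matches(methodInvocationTree)) {
                String attributeName = ExpressionsHelper.getConstantValueAsString((ExpressionTree) arguments.get(0)).value();
                String attributeValue = ExpressionsHelper.getConstantValueAsString((ExpressionTree) arguments.get(1)).value();
                // Only the empty string counts as a restriction here. An unresolved (null) name or
                // value falls through without setting any flag.
                if ("".equals(attributeValue)) {
                    if (ACCESS_EXTERNAL_DTD_PROPERTY.equals(attributeName)) {
                        this.hasSecuredExternalDtd = true;
                    } else if (ACCESS_EXTERNAL_STYLESHEET_PROPERTY.equals(attributeName)) {
                        this.hasSecuredExternalStylesheet = true;
                    }
                }
            }
            super.visitMethodInvocation(methodInvocationTree);
        }
    }

    /**
     * Selects the invocations this rule inspects.
     *
     * @return a matcher for every {@code newInstance} overload on {@code TransformerFactory} subtypes
     */
    @Override // org.sonar.java.checks.methods.AbstractMethodDetection
    protected MethodMatchers getMethodInvocationMatchers() {
        return MethodMatchers.create().ofSubTypes(TRANSFORMER_FACTORY_CLASS_NAME).names("newInstance").withAnyParameters().build();
    }

    /**
     * Reports the {@code newInstance} call unless its enclosing method contains the hardening
     * calls recognised by {@link MethodBodyVisitor}.
     *
     * @param methodInvocationTree the matched {@code TransformerFactory.newInstance(...)} call
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.sonar.java.checks.methods.AbstractMethodDetection
    public void onMethodInvocationFound(MethodInvocationTree methodInvocationTree) {
        MethodTree enclosingMethod = ExpressionUtils.getEnclosingMethod(methodInvocationTree);
        if (enclosingMethod == null) {
            // No enclosing method to scan for hardening calls, so nothing is reported. Factories
            // created in such places are not covered by this rule.
            return;
        }
        // The whole enclosing method is scanned, so hardening calls that appear after newInstance
        // in source order are accepted too.
        MethodBodyVisitor methodBodyVisitor = new MethodBodyVisitor();
        enclosingMethod.accept(methodBodyVisitor);
        if (methodBodyVisitor.foundCallsToSecuringMethods()) {
            return;
        }
        reportIssue(methodInvocationTree.methodSelect(), "Secure this \"Transformer\" by either disabling external DTDs or enabling secure processing.");
    }
}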
