package org.sonar.python.checks;

import java.util.List;
import java.util.Objects;
import java.util.Optional;
import javax.annotation.CheckForNull;
import javax.annotation.Nullable;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.HasSymbol;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.tree.TreeUtils;

@Rule(key = "S2755")
/* loaded from: input_file:org/sonar/python/checks/XMLParserXXEVulnerableCheck.class */
public class XMLParserXXEVulnerableCheck extends PythonSubscriptionCheck {
    public static final String MESSAGE = "Disable access to external entities in XML parsing.";
    public static final String SECONDARY_MESSAGE = "This function loads the XML code and triggers the vulnerability.";
    private static final String LXML_XMLPARSER = "lxml.etree.XMLParser";
    private static final String LXML_XSLT = "lxml.etree.XSLT";
    private static final String LXML_PARSE = "lxml.etree.parse";
    private static final String LXML_ACCESS_CONTROL = "lxml.etree.XSLTAccessControl";
    private static final String XML_SAX_MAKE_PARSER = "xml.sax.make_parser";

    public void initialize(SubscriptionCheck.Context context) {
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, XMLParserXXEVulnerableCheck::checkLxmlParseCall);
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, XMLParserXXEVulnerableCheck::checkLxmlXsltCall);
        context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, XMLParserXXEVulnerableCheck::checkSetFeatureCall);
    }

    private static boolean checkCallExpressionFqn(CallExpression callExpression, String str) {
        Optional map = Optional.ofNullable(callExpression.calleeSymbol()).map((v0) -> {
            return v0.fullyQualifiedName();
        });
        Objects.requireNonNull(str);
        return map.filter((v1) -> {
            return r1.equals(v1);
        }).isPresent();
    }

    private static void checkLxmlParseCall(SubscriptionContext subscriptionContext) {
        CallExpression parserCall;
        CallExpression syntaxNode = subscriptionContext.syntaxNode();
        if (checkCallExpressionFqn(syntaxNode, LXML_PARSE) && (parserCall = getParserCall(getArgValueAsCallExpression(TreeUtils.nthArgumentOrKeyword(1, "parser", syntaxNode.arguments())))) != null && isUnsafeParserUsage(parserCall)) {
            subscriptionContext.addIssue(parserCall, MESSAGE).secondary(syntaxNode, SECONDARY_MESSAGE);
        }
    }

    @CheckForNull
    private static CallExpression getParserCall(@Nullable CallExpression callExpression) {
        if (callExpression == null || !checkCallExpressionFqn(callExpression, LXML_XMLPARSER)) {
            return null;
        }
        return callExpression;
    }

    @CheckForNull
    private static CallExpression getArgValueAsCallExpression(@Nullable RegularArgument regularArgument) {
        if (regularArgument == null || !regularArgument.expression().is(new Tree.Kind[]{Tree.Kind.NAME})) {
            if (regularArgument == null || !regularArgument.expression().is(new Tree.Kind[]{Tree.Kind.CALL_EXPR})) {
                return null;
            }
            return regularArgument.expression();
        }
        CallExpression singleAssignedValue = Expressions.singleAssignedValue(regularArgument.expression());
        if (singleAssignedValue == null || !singleAssignedValue.is(new Tree.Kind[]{Tree.Kind.CALL_EXPR})) {
            return null;
        }
        return singleAssignedValue;
    }

    private static boolean isUnsafeParserUsage(CallExpression callExpression) {
        RegularArgument argumentByKeyword;
        RegularArgument argumentByKeyword2 = TreeUtils.argumentByKeyword("no_network", callExpression.arguments());
        return (argumentByKeyword2 != null && Expressions.isFalsy(argumentByKeyword2.expression())) || (argumentByKeyword = TreeUtils.argumentByKeyword("resolve_entities", callExpression.arguments())) == null || !Expressions.isFalsy(argumentByKeyword.expression());
    }

    private static void checkLxmlXsltCall(SubscriptionContext subscriptionContext) {
        CallExpression syntaxNode = subscriptionContext.syntaxNode();
        if (checkCallExpressionFqn(syntaxNode, LXML_XSLT)) {
            RegularArgument argumentByKeyword = TreeUtils.argumentByKeyword("access_control", syntaxNode.arguments());
            if (argumentByKeyword == null) {
                subscriptionContext.addIssue(syntaxNode, MESSAGE);
                return;
            }
            CallExpression argValueAsCallExpression = getArgValueAsCallExpression(argumentByKeyword);
            if (argValueAsCallExpression == null || !checkCallExpressionFqn(argValueAsCallExpression, LXML_ACCESS_CONTROL)) {
                return;
            }
            RegularArgument argumentByKeyword2 = TreeUtils.argumentByKeyword("read_network", argValueAsCallExpression.arguments());
            if (argumentByKeyword2 == null || !Expressions.isFalsy(argumentByKeyword2.expression())) {
                subscriptionContext.addIssue(argValueAsCallExpression, MESSAGE).secondary(syntaxNode, SECONDARY_MESSAGE);
            }
        }
    }

    private static void checkSetFeatureCall(SubscriptionContext subscriptionContext) {
        CallExpression singleAssignedValue;
        CallExpression syntaxNode = subscriptionContext.syntaxNode();
        if (isCallToSetFeature(syntaxNode) && checkSettingFeatureGesToTrue(syntaxNode) && (singleAssignedValue = Expressions.singleAssignedValue(syntaxNode.callee().qualifier())) != null && singleAssignedValue.is(new Tree.Kind[]{Tree.Kind.CALL_EXPR}) && checkCallExpressionFqn(singleAssignedValue, XML_SAX_MAKE_PARSER)) {
            subscriptionContext.addIssue(syntaxNode, MESSAGE).secondary(singleAssignedValue, SECONDARY_MESSAGE);
        }
    }

    private static boolean checkSettingFeatureGesToTrue(CallExpression callExpression) {
        Symbol symbol;
        List arguments = callExpression.arguments();
        if (arguments.size() != 2 || arguments.stream().anyMatch(argument -> {
            return !argument.is(new Tree.Kind[]{Tree.Kind.REGULAR_ARGUMENT});
        })) {
            return false;
        }
        HasSymbol expression = ((RegularArgument) arguments.get(0)).expression();
        return (expression instanceof HasSymbol) && (symbol = expression.symbol()) != null && "xml.sax.handler.feature_external_ges".equals(symbol.fullyQualifiedName()) && !Expressions.isFalsy(((RegularArgument) arguments.get(1)).expression());
    }

    private static boolean isCallToSetFeature(CallExpression callExpression) {
        return callExpression.callee().is(new Tree.Kind[]{Tree.Kind.QUALIFIED_EXPR}) && callExpression.callee().qualifier().is(new Tree.Kind[]{Tree.Kind.NAME}) && callExpression.callee().name().name().equals("setFeature");
    }
}
