package team.sailboat.commons.ms.db;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.lang.reflect.Parameter;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import team.sailboat.commons.fan.http.HttpStatus;
import team.sailboat.commons.fan.text.XString;
import team.sailboat.commons.ms.cors.CORSFilter;

/* loaded from: input_file:team/sailboat/commons/ms/db/AntiSqlInjectionInterceptor.class */
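/**
 * Spring MVC interceptor that screens request parameters annotated with
 * {@code AntiSqlInjection} against a denylist of SQL keywords and
 * metacharacters and answers HTTP 400 when one matches.
 *
 * <p>This is a defense-in-depth measure only. A keyword denylist cannot
 * substitute for parameterized queries: the pattern also matches ordinary
 * words such as {@code and}, {@code or} or {@code count}, so free-form text
 * will produce false positives, and values reaching SQL must still be bound
 * as parameters rather than concatenated.
 */
public class AntiSqlInjectionInterceptor implements HandlerInterceptor {
    /**
     * Denylist applied to each lower-cased parameter value. Any match
     * (keyword on a word boundary, or one of the characters {@code * ; + ' %})
     * rejects the request.
     */
    static Pattern sPtn = Pattern.compile("\\b(and|exec|insert|select|drop|grant|alter|delete|update|updatexml|count|chr|mid|master|truncate|char|declare|or)\\b|(\\*|;|\\+|'|%)");
    final Logger mLogger = LoggerFactory.getLogger(AntiSqlInjectionInterceptor.class);

    /**
     * Inspects every value of each screened parameter before the handler runs.
     *
     * <p>All values of a repeated parameter are checked; a lookup through
     * {@code getParameter()} would only see the first one and let a duplicate
     * through to handlers bound to {@code String[]} or {@code List} parameters.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response, written with a 400 on rejection
     * @param obj                 the resolved handler; non-{@code HandlerMethod}
     *                            handlers are logged and let through unchecked
     * @return {@code true} to continue the chain, {@code false} once a
     *         rejection has been written
     * @throws Exception if writing the rejection body fails
     */
    @Override
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object obj) throws Exception {
        if (!(obj instanceof HandlerMethod)) {
            // Interceptor contract supplies a non-null handler, but avoid an NPE
            // in the diagnostic path should that ever not hold.
            this.mLogger.warn("UnSupport handler：{}", obj == null ? "null" : obj.getClass().getName());
            return true;
        }
        for (String paramName : getParamNames((HandlerMethod) obj)) {
            String[] values = httpServletRequest.getParameterValues(paramName);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                // Locale.ROOT keeps the keyword match independent of the JVM's
                // default locale (e.g. the Turkish dotless-i casing rules).
                if (XString.isNotEmpty(value) && sPtn.matcher(value.toLowerCase(Locale.ROOT)).find()) {
                    writeRejection(httpServletResponse, paramName, value);
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Writes the 400 response for a rejected parameter value.
     *
     * @param httpServletResponse the response to write to
     * @param paramName           the offending parameter name
     * @param value               the offending value, echoed in the body
     * @throws Exception if obtaining or writing to the response writer fails
     */
    private void writeRejection(HttpServletResponse httpServletResponse, String paramName, String value) throws Exception {
        httpServletResponse.setStatus(HttpStatus.BAD_REQUEST.value());
        // setContentType with an explicit charset also fixes the writer's
        // encoding; the body is non-ASCII and the servlet default is ISO-8859-1.
        httpServletResponse.setContentType("text/plain;charset=UTF-8");
        httpServletResponse.setHeader(CORSFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, CORSFilter.DEFAULT_ALLOWED_ORIGINS);
        httpServletResponse.getWriter().write(XString.msgFmt("不合法的参数[{}]：{}", new Object[]{paramName, value}));
    }

    /**
     * Collects the request-parameter names of the handler's method parameters
     * that carry {@code AntiSqlInjection}. A parameter without
     * {@code @RequestParam} is logged and skipped because its request name
     * cannot be determined here.
     *
     * @param handlerMethod the resolved controller method
     * @return the request parameter names to screen, possibly empty
     */
    private List<String> getParamNames(HandlerMethod handlerMethod) {
        List<String> names = new ArrayList<>();
        for (Parameter parameter : handlerMethod.getMethod().getParameters()) {
            if (!parameter.isAnnotationPresent(AntiSqlInjection.class)) {
                continue;
            }
            RequestParam requestParam = parameter.getAnnotation(RequestParam.class);
            if (requestParam == null) {
                this.mLogger.warn("参数[{}]没有用RequestParam修饰，AntiSqlInjection注解不起作用", parameter.getName());
                continue;
            }
            names.add(resolveParamName(requestParam, parameter));
        }
        return names;
    }

    /**
     * Determines the request parameter name declared by a {@code @RequestParam}.
     *
     * <p>{@code Parameter.getAnnotation()} returns the raw annotation, so the
     * alias between {@code name()} and {@code value()} is not merged:
     * {@code @RequestParam("foo")} leaves {@code name()} empty, and reading only
     * {@code name()} would make the check silently screen nothing. The last
     * fallback is the reflective parameter name, which is only meaningful when
     * the class was compiled with {@code -parameters}.
     *
     * @param requestParam the annotation on the parameter
     * @param parameter    the annotated method parameter
     * @return the non-empty name to look up in the request
     */
    private static String resolveParamName(RequestParam requestParam, Parameter parameter) {
        if (!requestParam.name().isEmpty()) {
            return requestParam.name();
        }
        if (!requestParam.value().isEmpty()) {
            return requestParam.value();
        }
        return parameter.getName();
    }
}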
