package org.apache.shindig.common.servlet;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.wso2.carbon.base.ServerConfiguration;
import org.wso2.carbon.utils.CarbonUtils;

/* loaded from: input_file:WEB-INF/lib/shindig-common-2.5.2-wso2v6.jar:org/apache/shindig/common/servlet/URLFilter.class */
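/**
 * Servlet filter that rejects (HTTP 403) requests whose query string or body references an
 * http(s) host that is not on the allow list.
 *
 * <p>The allow list is assembled in {@link #init} from the Carbon server property
 * {@code HostName}, the {@code allowedHostNames} filter init-param and the
 * {@code allowedHostNames} system property (all comma-separated). The filter is inactive unless
 * the {@code enable} init-param parses as {@code true}.
 *
 * <p>Fields are written once in {@link #init} before any request is served and only read
 * afterwards, which is the thread-safety contract the servlet container provides for filters.
 */
public class URLFilter implements Filter {
    /**
     * Matches an absolute http(s) URL-like token. The character class deliberately excludes '/',
     * so a match ends after the authority (userinfo, host and port); the path is not needed to
     * decide whether the host is allowed.
     */
    private static final String URL_REGEX = "https?://[-a-zA-Z0-9+&@#%?=~_|!:,.;]*";
    /**
     * Compiled once (the original recompiled it per request) and case-insensitively: URL parsers
     * accept an upper-case scheme such as {@code HTTP://}, so a case-sensitive pattern would let
     * such a reference through unchecked.
     */
    private static final Pattern URL_PATTERN = Pattern.compile(URL_REGEX, Pattern.CASE_INSENSITIVE);
    private static final String ALLOWED_HOST_NAMES_PARAM = "allowedHostNames";
    private static final String ENABLE_FILTER_PARAM = "enable";
    private static final String DECODE_CHARSET = "UTF-8";
    private static final Logger log = Logger.getLogger(URLFilter.class.getName());

    // Host names in lower case, so that comparison with a host taken from a request is
    // case-insensitive (DNS names are). Replaced wholesale in init().
    private Set<String> allowedHostNames = Collections.emptySet();
    private boolean isEnabled;

    /**
     * Inspects the request and either forwards it down the chain or answers 403.
     *
     * <p>The query string is checked for every HTTP method (a POST can carry URLs there just as a
     * GET can). Every method other than GET may carry a body, so the request is wrapped in a
     * {@link MultiReadHttpServletRequest} and its body is checked as well. Non-HTTP requests and
     * all requests while the filter is disabled are passed through untouched.
     *
     * @throws IOException      if forwarding or sending the error response fails
     * @throws ServletException if the request body cannot be read
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        if (!this.isEnabled
                || !(servletRequest instanceof HttpServletRequest)
                || !(servletResponse instanceof HttpServletResponse)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

        // getQueryString() is null when the URL has no '?', which isInvalidHostNamePresent treats as clean.
        if (isInvalidHostNamePresent(httpRequest.getQueryString())) {
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Unauthorized query parameter detected!");
            return;
        }
        if ("GET".equalsIgnoreCase(httpRequest.getMethod())) {
            filterChain.doFilter(httpRequest, servletResponse);
            return;
        }
        // The wrapper is what lets the body be read here and again by the servlet downstream.
        MultiReadHttpServletRequest multiReadRequest = new MultiReadHttpServletRequest(httpRequest);
        if (isInvalidHostNamePresent(readBody(multiReadRequest))) {
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Unauthorized body parameter detected!");
            return;
        }
        filterChain.doFilter(multiReadRequest, servletResponse);
    }

    /**
     * Reads the whole request body as text, exactly as received (line breaks included, so a
     * reference split across lines is not joined into a URL that was never there).
     *
     * <p>The body is buffered in memory in full and no size limit is applied here; any limit has
     * to come from the container or the wrapper.
     *
     * @throws ServletException wrapping the {@link IOException} from the reader
     */
    private static String readBody(HttpServletRequest request) throws ServletException {
        StringBuilder body = new StringBuilder();
        try {
            BufferedReader reader = request.getReader();
            char[] chunk = new char[4096];
            int read;
            while ((read = reader.read(chunk)) != -1) {
                body.append(chunk, 0, read);
            }
        } catch (IOException e) {
            throw new ServletException("Error occurred while reading request body in shindig URL filter.", e);
        }
        return body.toString();
    }

    /**
     * Returns {@code true} when {@code text} references an http(s) host that is not allowed.
     *
     * <p>Both the text as given and its URL-decoded form are scanned: form-encoded parameters
     * (query string or application/x-www-form-urlencoded body) encode {@code ://} as
     * {@code %3A%2F%2F} and would otherwise never match {@link #URL_PATTERN}. Text that is not
     * valid percent-encoding is scanned in its raw form only. {@code null} or empty text is clean.
     */
    private boolean isInvalidHostNamePresent(String text) {
        if (text == null || text.isEmpty()) {
            return false;
        }
        if (containsDisallowedHost(text)) {
            return true;
        }
        String decoded = tryUrlDecode(text);
        return decoded != null && !decoded.equals(text) && containsDisallowedHost(decoded);
    }

    /**
     * Scans one form of the text for URL-like tokens whose host is not on the allow list.
     *
     * <p>This fails closed: a token that {@link URI} cannot parse into a host (a malformed escape
     * such as {@code %zz}, a character that is not valid in a host name such as {@code _}, a
     * non-numeric port) is rejected rather than skipped, because a more lenient URL parser further
     * down may still accept it. The trade-off is that prose such as {@code http://host,} (trailing
     * punctuation is part of the match) is rejected too; such rejections are logged so the
     * allow list or the client can be adjusted. A token with no authority at all
     * (e.g. {@code http://?x=1}) names no host and is ignored.
     */
    private boolean containsDisallowedHost(String text) {
        Matcher matcher = URL_PATTERN.matcher(text);
        while (matcher.find()) {
            String token = matcher.group();
            String host;
            try {
                URI uri = new URI(token);
                host = uri.getHost();
                if (host == null && uri.getAuthority() == null) {
                    continue;
                }
            } catch (URISyntaxException e) {
                host = null;
            }
            if (host == null) {
                // The token is bounded by the regex character class, so it contains no whitespace
                // or control characters and can be logged verbatim.
                log.warning("Potential External Service Interaction (DNS) attack thwarted. Unparseable URL " + token + " detected in shindig web app request parameters.");
                return true;
            }
            if (!this.allowedHostNames.contains(host.toLowerCase(Locale.ROOT))) {
                log.warning("Potential External Service Interaction (DNS) attack thwarted. Unauthorized host name: " + host + " detected in shindig web app request parameters.");
                return true;
            }
        }
        return false;
    }

    /**
     * URL-decodes {@code text}, or returns {@code null} when it is not valid percent-encoding
     * ({@link URLDecoder} throws {@link IllegalArgumentException} for a stray {@code %}).
     */
    private static String tryUrlDecode(String text) {
        try {
            return URLDecoder.decode(text, DECODE_CHARSET);
        } catch (IllegalArgumentException e) {
            return null;
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is a charset every JVM must support; reaching this is a JVM defect.
            throw new IllegalStateException("UTF-8 is a mandatory charset", e);
        }
    }

    /** Nothing to release: the filter holds only configuration. */
    @Override
    public void destroy() {
    }

    /**
     * Builds the allow list from the Carbon {@code HostName} property, the
     * {@code allowedHostNames} init-param and the {@code allowedHostNames} system property, and
     * reads the {@code enable} switch.
     */
    @Override
    public void init(FilterConfig filterConfig) {
        ServerConfiguration serverConfiguration = CarbonUtils.getServerConfiguration();
        Set<String> hosts = new LinkedHashSet<String>();
        addHostNames(hosts, serverConfiguration.getFirstProperty("HostName"));
        addHostNames(hosts, filterConfig.getInitParameter(ALLOWED_HOST_NAMES_PARAM));
        addHostNames(hosts, System.getProperty(ALLOWED_HOST_NAMES_PARAM));
        this.allowedHostNames = Collections.unmodifiableSet(hosts);
        this.isEnabled = Boolean.parseBoolean(filterConfig.getInitParameter(ENABLE_FILTER_PARAM));
    }

    /**
     * Adds each non-blank entry of a comma-separated list to {@code target}, trimmed and
     * lower-cased so that the list matches hosts case-insensitively. A {@code null} list
     * (property or parameter absent) adds nothing.
     */
    private static void addHostNames(Set<String> target, String commaSeparated) {
        if (commaSeparated == null) {
            return;
        }
        for (String entry : commaSeparated.split(",")) {
            String host = entry.trim().toLowerCase(Locale.ROOT);
            if (!host.isEmpty()) {
                target.add(host);
            }
        }
    }
}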
