package org.wso2.carbon.ui.valve;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.base.ServerConfiguration;
import org.wso2.carbon.utils.CarbonUtils;

/* loaded from: input_file:org/wso2/carbon/ui/valve/XSSValve.class */
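/**
 * Tomcat valve that screens request parameter values against a configurable list of
 * regular expressions and rejects the request with a {@link ServletException} on the first match.
 *
 * <p>Configuration is read from {@link ServerConfiguration} under
 * {@code Security.XSSPreventionConfig}: {@code .Enabled} switches the valve on, {@code .Rule}
 * selects how the {@code .Patterns.Pattern} URI fragments are interpreted ({@code allow} exempts
 * matching URIs from validation, {@code deny} validates only matching URIs, anything else
 * validates every request). The regular expressions themselves are loaded from
 * {@code xss-patterns.properties} in the directory returned by
 * {@link CarbonUtils#getCarbonSecurityConfigDirPath()}.
 *
 * <p>Pattern matching on input is a defence-in-depth filter only; it does not replace
 * context-aware output encoding in the pages that render these parameters.
 *
 * <p>All configuration is held in static fields, so it is shared by every instance of this valve.
 */
public class XSSValve extends ValveBase {
    private static final String XSS_VALVE_PROPERTY = "Security.XSSPreventionConfig";
    private static final String ENABLED_PROPERTY = XSS_VALVE_PROPERTY + ".Enabled";
    private static final String RULE_PATTERN_PROPERTY = XSS_VALVE_PROPERTY + ".Patterns.Pattern";
    private static final String RULE_PROPERTY = XSS_VALVE_PROPERTY + ".Rule";
    private static final String XSS_EXTENSION_FILE_NAME = "xss-patterns.properties";
    private static final String RULE_ALLOW = "allow";
    private static final String RULE_DENY = "deny";

    // Same value as the literal 42 in the decompiled listing (2 | 8 | 32), spelled out by name.
    private static final int PATTERN_FLAGS =
            Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;

    private static final Log log = LogFactory.getLog(XSSValve.class);

    private static String[] xssURIPatternList;
    private static String xssRule;
    private static String patternPath;
    private static ArrayList<Pattern> patternList;
    private static boolean xssEnabled = false;

    /**
     * Initialises the valve and loads the XSS prevention configuration.
     *
     * @throws LifecycleException if the superclass initialisation fails
     */
    @Override
    protected void initInternal() throws LifecycleException {
        super.initInternal();
        loadConfiguration();
    }

    /** Reads the enable flag, rule, URI fragments and pattern file location, then compiles the patterns. */
    private void loadConfiguration() {
        ServerConfiguration serverConfiguration = ServerConfiguration.getInstance();
        // parseBoolean(null) is false, so a missing property leaves the valve disabled. Assigning
        // the parsed value (rather than only ever setting true) lets a later init turn it off again.
        xssEnabled = Boolean.parseBoolean(serverConfiguration.getFirstProperty(ENABLED_PROPERTY));
        xssURIPatternList = serverConfiguration.getProperties(RULE_PATTERN_PROPERTY);
        xssRule = serverConfiguration.getFirstProperty(RULE_PROPERTY);
        patternPath = CarbonUtils.getCarbonSecurityConfigDirPath() + "/" + XSS_EXTENSION_FILE_NAME;
        buildScriptPatterns();
    }

    /**
     * Validates the request parameters when the valve is enabled and the rule selects this URI,
     * then hands the request to the next valve.
     *
     * @param request  the incoming request
     * @param response the response being built
     * @throws IOException      propagated from the next valve
     * @throws ServletException if a parameter value matches a configured pattern, or propagated
     *                          from the next valve
     */
    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        if (xssEnabled && requiresValidation(request.getRequestURI())) {
            validateParameters(request);
        }
        getNext().invoke(request, response);
    }

    /**
     * Decides whether the configured rule requires parameter validation for this URI.
     *
     * @param requestUri the request URI as returned by the container
     * @return {@code true} when parameters must be validated
     */
    private boolean requiresValidation(String requestUri) {
        // Drop everything up to and including the first '/', as the original code did.
        String context = requestUri.substring(requestUri.indexOf("/") + 1);
        boolean listed = isContextStartWithGivenPatterns(context);
        if (RULE_ALLOW.equals(xssRule)) {
            return !listed;
        }
        if (RULE_DENY.equals(xssRule)) {
            return listed;
        }
        // Missing or unrecognised rule: validate every request.
        return true;
    }

    /**
     * Checks every value of every request parameter against the compiled patterns.
     *
     * <p>Only parameter values are inspected; parameter names are not.
     *
     * @param request the request whose parameters are checked
     * @throws ServletException on the first value that matches a pattern
     */
    private void validateParameters(Request request) throws ServletException {
        Enumeration<?> parameterNames = request.getParameterNames();
        while (parameterNames.hasMoreElements()) {
            String name = (String) parameterNames.nextElement();
            // getParameter() returns only the first value of a repeated parameter, which would
            // leave the remaining values unchecked; inspect all of them.
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (value != null) {
                    rejectIfSuspicious(value);
                }
            }
        }
    }

    /**
     * Throws if the given parameter value matches any configured pattern.
     *
     * @param value a non-null parameter value
     * @throws ServletException when a pattern matches
     */
    private void rejectIfSuspicious(String value) throws ServletException {
        // NOTE(review): the decompiled listing showed two replacement characters in this literal.
        // A NUL inside a class-file string is stored as the bytes C0 80, which decode to exactly
        // that, so this is presumably the NUL strip; confirm against the original source.
        String cleaned = value.replace("\0", "");
        for (Pattern pattern : patternList) {
            Matcher matcher = pattern.matcher(cleaned);
            if (matcher.find()) {
                // NOTE(review): the message embeds the matched request text. Whether it reaches
                // the client depends on the error page configuration, which is not visible here;
                // that page must HTML-encode the message or omit it.
                throw new ServletException("Possible XSS Attack. Suspicious code : " + matcher.toMatchResult().group());
            }
        }
    }

    /**
     * Reports whether the context contains any of the configured URI fragments.
     *
     * <p>Despite the name, the test is {@link String#contains}, not a prefix test, so a fragment
     * matches anywhere in the URI. Under the {@code allow} rule this makes the exemption broader
     * than a prefix match would be. NOTE(review): an empty configured fragment matches every URI.
     *
     * @param str the request URI with its leading segment separator removed
     * @return {@code true} if any configured fragment occurs in {@code str}
     */
    private boolean isContextStartWithGivenPatterns(String str) {
        String[] fragments = xssURIPatternList;
        if (fragments == null) {
            // No fragments configured: nothing is listed.
            return false;
        }
        for (String fragment : fragments) {
            if (fragment != null && str.contains(fragment)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Loads the pattern properties file, if it exists, and compiles each property value as a
     * case-insensitive, multi-line, dot-all regular expression. Property keys are ignored.
     *
     * <p>A load failure is logged and leaves the pattern list empty. An invalid regular
     * expression is not caught here and propagates to the caller.
     */
    private void buildScriptPatterns() {
        // Build into a local list and publish it once complete.
        ArrayList<Pattern> compiled = new ArrayList<>();
        Properties properties = new Properties();
        File file = new File(patternPath);
        if (file.exists()) {
            // try-with-resources closes the stream on every path.
            try (FileInputStream in = new FileInputStream(file)) {
                properties.load(in);
            } catch (FileNotFoundException e) {
                log.error("Can not load xssPatternConfig properties file ", e);
            } catch (IOException e) {
                log.error("Can not load xssPatternConfigFile properties file ", e);
            }
        }
        for (String key : properties.stringPropertyNames()) {
            compiled.add(Pattern.compile(properties.getProperty(key), PATTERN_FLAGS));
        }
        patternList = compiled;
        if (xssEnabled && compiled.isEmpty()) {
            // With no patterns the valve passes every request; make that visible to operators.
            log.warn("XSS prevention is enabled but no patterns were loaded from " + patternPath
                    + "; request parameters will not be validated");
        }
    }
}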
