package com.h3xstream.findsecbugs.injection.sql;

import com.h3xstream.findsecbugs.injection.InjectionPoint;
import com.h3xstream.findsecbugs.injection.InjectionSource;
import org.apache.bcel.classfile.ConstantUtf8;
import org.apache.bcel.generic.ConstantPoolGen;
import org.apache.bcel.generic.INVOKEINTERFACE;
import org.apache.bcel.generic.InstructionHandle;
import org.apache.bcel.generic.InvokeInstruction;

/* loaded from: input_file:com/h3xstream/findsecbugs/injection/sql/JpaInjectionSource.class */
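/**
 * Injection source that flags JPA {@code EntityManager} calls which build a query from a
 * {@code String}: {@code createQuery} and {@code createNativeQuery}.
 *
 * <p>Coverage caveat: matching is by exact string comparison against the
 * {@code javax.persistence} names. Code compiled against an {@code EntityManager} in any other
 * package (for example {@code jakarta.persistence}) is not recognised by either method here, so
 * no finding is produced for it.
 */
public class JpaInjectionSource implements InjectionSource {
    protected static final String SQL_INJECTION_TYPE = "SQL_INJECTION_JPA";

    /** EntityManager name in the slash-separated form compared against constant-pool UTF-8 entries. */
    private static final String ENTITY_MANAGER_INTERNAL_NAME = "javax/persistence/EntityManager";

    /** EntityManager name in the dotted form compared against the invoked class name. */
    private static final String ENTITY_MANAGER_CLASS_NAME = "javax.persistence.EntityManager";

    /**
     * Cheap pre-filter: reports whether the constant pool contains a UTF-8 entry equal to the
     * EntityManager internal name.
     *
     * @param constantPoolGen constant pool of the class being analysed
     * @return {@code true} if such an entry exists, {@code false} otherwise
     */
    @Override
    public boolean isCandidate(ConstantPoolGen constantPoolGen) {
        for (int i = 0; i < constantPoolGen.getSize(); i++) {
            // The pool holds several kinds of entry (hence the instanceof test), so keep a general
            // reference and narrow to ConstantUtf8 only after the check. Declaring the local as
            // ConstantUtf8 up front, as the decompiled listing did, is not a valid assignment.
            // instanceof is also false for null, so empty slots are skipped.
            Object entry = constantPoolGen.getConstant(i);
            if (entry instanceof ConstantUtf8
                    && ENTITY_MANAGER_INTERNAL_NAME.equals(((ConstantUtf8) entry).getBytes())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Maps an invocation to the argument positions that carry the query string.
     *
     * <p>Only {@code INVOKEINTERFACE} calls on {@code javax.persistence.EntityManager} are
     * considered, and only the String-taking overloads of {@code createQuery} and
     * {@code createNativeQuery}; every signature is matched exactly.
     *
     * <p>NOTE(review): the query string is the first declared parameter in every matched
     * overload, yet the two-argument forms report index 1 and the one-argument forms index 0,
     * so the index appears to be counted from the last argument. Confirm against
     * {@code InjectionPoint}.
     *
     * @param invokeInstruction the call instruction under inspection
     * @param constantPoolGen constant pool used to resolve the call's class, name and signature
     * @param instructionHandle handle of the instruction (not used by this source)
     * @return an injection point of type {@link #SQL_INJECTION_TYPE}, or
     *     {@code InjectionPoint.NONE} when the call is not one of the matched overloads
     */
    @Override
    public InjectionPoint getInjectableParameters(InvokeInstruction invokeInstruction, ConstantPoolGen constantPoolGen, InstructionHandle instructionHandle) {
        if (!(invokeInstruction instanceof INVOKEINTERFACE)) {
            return InjectionPoint.NONE;
        }
        if (!ENTITY_MANAGER_CLASS_NAME.equals(invokeInstruction.getClassName(constantPoolGen))) {
            return InjectionPoint.NONE;
        }

        String methodName = invokeInstruction.getMethodName(constantPoolGen);
        String signature = invokeInstruction.getSignature(constantPoolGen);

        if ("createQuery".equals(methodName)) {
            if ("(Ljava/lang/String;)Ljavax/persistence/Query;".equals(signature)) {
                return new InjectionPoint(new int[]{0}, SQL_INJECTION_TYPE);
            }
            if ("(Ljava/lang/String;Ljava/lang/Class;)Ljavax/persistence/TypedQuery;".equals(signature)) {
                return new InjectionPoint(new int[]{1}, SQL_INJECTION_TYPE);
            }
        } else if ("createNativeQuery".equals(methodName)) {
            if ("(Ljava/lang/String;)Ljavax/persistence/Query;".equals(signature)) {
                return new InjectionPoint(new int[]{0}, SQL_INJECTION_TYPE);
            }
            // Both two-argument native overloads (result-set mapping name or result class)
            // report the same position.
            if ("(Ljava/lang/String;Ljava/lang/String;)Ljavax/persistence/Query;".equals(signature)
                    || "(Ljava/lang/String;Ljava/lang/Class;)Ljavax/persistence/Query;".equals(signature)) {
                return new InjectionPoint(new int[]{1}, SQL_INJECTION_TYPE);
            }
        }
        return InjectionPoint.NONE;
    }
}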
