package jenkins.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableSet;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.ExtensionList;
import hudson.Main;
import hudson.PluginWrapper;
import hudson.remoting.ClassFilter;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.CodeSource;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.WeakHashMap;
import java.util.jar.Attributes;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import jenkins.model.Jenkins;
import jenkins.util.SystemProperties;
import org.apache.commons.io.IOUtils;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.springframework.util.ClassUtils;

@Restricted({NoExternalUse.class})
/* loaded from: input_file:WEB-INF/lib/jenkins-core-2.271-rc30636.458d6f8effc7.jar:jenkins/security/ClassFilterImpl.class */
public class ClassFilterImpl extends ClassFilter {
    private static final Logger LOGGER = Logger.getLogger(ClassFilterImpl.class.getName());
    private static boolean SUPPRESS_WHITELIST = SystemProperties.getBoolean("jenkins.security.ClassFilterImpl.SUPPRESS_WHITELIST");
    private static boolean SUPPRESS_ALL = SystemProperties.getBoolean("jenkins.security.ClassFilterImpl.SUPPRESS_ALL");
    private static final String JENKINS_LOC = codeSource(Jenkins.class);
    private static final String REMOTING_LOC = codeSource(ClassFilter.class);
    private final Map<Class<?>, Boolean> cache = Collections.synchronizedMap(new WeakHashMap());
    private final Map<String, Boolean> codeSourceCache = Collections.synchronizedMap(new HashMap());
    static final Set<String> WHITELISTED_CLASSES;
    private static final Pattern CLASSES_JAR;

    public static void register() {
        if (Main.isUnitTest && JENKINS_LOC == null) {
            mockOff();
            return;
        }
        ClassFilter.setDefault(new ClassFilterImpl());
        if (SUPPRESS_ALL) {
            LOGGER.warning("All class filtering suppressed. Your Jenkins installation is at risk from known attacks. See https://jenkins.io/redirect/class-filter/");
        } else if (SUPPRESS_WHITELIST) {
            LOGGER.warning("JEP-200 class filtering by whitelist suppressed. Your Jenkins installation may be at risk. See https://jenkins.io/redirect/class-filter/");
        }
    }

    public static void unregister() {
        ClassFilter.setDefault(ClassFilter.STANDARD);
    }

    private static void mockOff() {
        LOGGER.warning("Disabling class filtering since we appear to be in a special test environment, perhaps Mockito/PowerMock");
        ClassFilter.setDefault(ClassFilter.NONE);
    }

    @VisibleForTesting
    ClassFilterImpl() {
    }

    @Override // hudson.remoting.ClassFilter
    public boolean isBlacklisted(Class cls) {
        Iterator it = ExtensionList.lookup(CustomClassFilter.class).iterator();
        while (it.hasNext()) {
            CustomClassFilter customClassFilter = (CustomClassFilter) it.next();
            Boolean permits = customClassFilter.permits((Class<?>) cls);
            if (permits != null) {
                if (permits.booleanValue()) {
                    LOGGER.log(Level.FINER, "{0} specifies a policy for {1}: {2}", new Object[]{customClassFilter, cls.getName(), true});
                } else {
                    notifyRejected(cls, cls.getName(), String.format("%s specifies a policy for %s: %s ", customClassFilter, cls.getName(), permits));
                }
                return !permits.booleanValue();
            }
        }
        return this.cache.computeIfAbsent(cls, cls2 -> {
            String name = cls2.getName();
            if (Main.isUnitTest && (name.contains("$$EnhancerByMockitoWithCGLIB$$") || name.contains("$$FastClassByMockitoWithCGLIB$$") || name.startsWith("org.mockito."))) {
                mockOff();
                return false;
            }
            if (ClassFilter.STANDARD.isBlacklisted((Class<?>) cls2)) {
                notifyRejected(cls, cls.getName(), String.format("%s is not permitted ", cls.getName()));
                return true;
            }
            if (cls2.isArray()) {
                LOGGER.log(Level.FINE, "permitting {0} since it is an array", name);
                return false;
            }
            if (Throwable.class.isAssignableFrom(cls2)) {
                LOGGER.log(Level.FINE, "permitting {0} since it is a throwable", name);
                return false;
            }
            if (Enum.class.isAssignableFrom(cls2)) {
                LOGGER.log(Level.FINE, "permitting {0} since it is an enum", name);
                return false;
            }
            String codeSource = codeSource(cls2);
            if (codeSource == null) {
                ClassLoader classLoader = cls2.getClassLoader();
                if (classLoader != null && classLoader.getClass().getName().equals("hudson.remoting.RemoteClassLoader")) {
                    LOGGER.log(Level.FINE, "permitting {0} since it was loaded by a remote class loader", name);
                    return false;
                }
            } else if (isLocationWhitelisted(codeSource)) {
                LOGGER.log(Level.FINE, "permitting {0} due to its location in {1}", new Object[]{name, codeSource});
                return false;
            }
            if (WHITELISTED_CLASSES.contains(name)) {
                LOGGER.log(Level.FINE, "tolerating {0} by whitelist", name);
                return false;
            }
            if (SUPPRESS_WHITELIST || SUPPRESS_ALL) {
                Object[] objArr = new Object[2];
                objArr[0] = name;
                objArr[1] = codeSource != null ? codeSource : "JRE";
                notifyRejected(cls, null, String.format("%s in %s might be dangerous, so would normally be rejected; see https://jenkins.io/redirect/class-filter/", objArr));
                return false;
            }
            Object[] objArr2 = new Object[2];
            objArr2[0] = name;
            objArr2[1] = codeSource != null ? codeSource : "JRE";
            notifyRejected(cls, null, String.format("%s in %s might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/", objArr2));
            return true;
        }).booleanValue();
    }

    private boolean isLocationWhitelisted(String str) {
        return this.codeSourceCache.computeIfAbsent(str, str2 -> {
            Manifest manifest;
            Manifest manifest2;
            File file;
            if (str2.equals(JENKINS_LOC)) {
                LOGGER.log(Level.FINE, "{0} seems to be the location of Jenkins core, OK", str2);
                return true;
            }
            if (str2.equals(REMOTING_LOC)) {
                LOGGER.log(Level.FINE, "{0} seems to be the location of Remoting, OK", str2);
                return true;
            }
            if (str2.matches("file:/.+[.]jar")) {
                try {
                    JarFile jarFile = new JarFile(new File(new URI(str2)), false);
                    Throwable th = null;
                    try {
                        manifest = jarFile.getManifest();
                        if (manifest == null) {
                            LOGGER.log(Level.FINE, "ignoring {0} with no manifest", str2);
                        } else {
                            if (isPluginManifest(manifest)) {
                                LOGGER.log(Level.FINE, "{0} seems to be a Jenkins plugin, OK", str2);
                                ?? r0 = true;
                                if (jarFile != null) {
                                    if (0 != 0) {
                                        try {
                                            jarFile.close();
                                        } catch (Throwable th2) {
                                            th.addSuppressed(th2);
                                        }
                                    } else {
                                        jarFile.close();
                                    }
                                }
                                return r0;
                            }
                            LOGGER.log(Level.FINE, "{0} does not look like a Jenkins plugin", str2);
                        }
                        Manifest manifest3 = manifest;
                        if (jarFile != null) {
                            if (0 != 0) {
                                try {
                                    jarFile.close();
                                    manifest3 = manifest;
                                } catch (Throwable th3) {
                                    (false ? 1 : 0).addSuppressed(th3);
                                    manifest3 = th3;
                                }
                            } else {
                                jarFile.close();
                                manifest3 = manifest;
                            }
                        }
                        manifest2 = manifest3;
                    } catch (Throwable th4) {
                        if (jarFile != null) {
                            if (0 != 0) {
                                try {
                                    jarFile.close();
                                } catch (Throwable th5) {
                                    (false ? 1 : 0).addSuppressed(th5);
                                }
                            } else {
                                jarFile.close();
                            }
                        }
                        throw th4;
                    }
                } catch (Exception e) {
                    LOGGER.log(Level.WARNING, "problem checking " + str2, (Throwable) e);
                    manifest2 = manifest;
                }
            }
            Matcher matcher = CLASSES_JAR.matcher(str2);
            if (matcher.matches()) {
                try {
                    file = new File(new URI(matcher.group(1) + PluginWrapper.MANIFEST_FILENAME));
                } catch (Exception e2) {
                    LOGGER.log(Level.WARNING, "problem checking " + str2, (Throwable) e2);
                }
                if (file.isFile()) {
                    try {
                        FileInputStream fileInputStream = new FileInputStream(file);
                        Throwable th6 = null;
                        if (isPluginManifest(new Manifest(fileInputStream))) {
                            LOGGER.log(Level.FINE, "{0} looks like a Jenkins plugin based on {1}, OK", new Object[]{str2, file});
                            if (fileInputStream != null) {
                                if (0 != 0) {
                                    try {
                                        fileInputStream.close();
                                    } catch (Throwable th7) {
                                        th6.addSuppressed(th7);
                                    }
                                } else {
                                    fileInputStream.close();
                                }
                            }
                            return true;
                        }
                        LOGGER.log(Level.FINE, "{0} does not look like a Jenkins plugin", file);
                        if (fileInputStream != null) {
                            if (0 != 0) {
                                try {
                                    fileInputStream.close();
                                } catch (Throwable th8) {
                                    th6.addSuppressed(th8);
                                }
                            } else {
                                fileInputStream.close();
                            }
                        }
                    } finally {
                    }
                    LOGGER.log(Level.WARNING, "problem checking " + str2, (Throwable) e2);
                } else {
                    LOGGER.log(Level.FINE, "{0} has no matching {1}", new Object[]{str2, file});
                }
            }
            if (str2.endsWith("/target/classes/") || str2.matches(".+/build/classes/[^/]+/main/")) {
                LOGGER.log(Level.FINE, "{0} seems to be current plugin classes, OK", str2);
                return true;
            }
            if (Main.isUnitTest) {
                if (str2.endsWith("/target/test-classes/") || str2.endsWith("-tests.jar") || str2.matches(".+/build/classes/[^/]+/test/")) {
                    LOGGER.log(Level.FINE, "{0} seems to be test classes, OK", str2);
                    return true;
                }
                if (str2.matches(".+/jenkins-test-harness-.+[.]jar")) {
                    LOGGER.log(Level.FINE, "{0} seems to be jenkins-test-harness, OK", str2);
                    return true;
                }
            }
            LOGGER.log(Level.FINE, "{0} is not recognized; rejecting", str2);
            return false;
        }).booleanValue();
    }

    @CheckForNull
    private static String codeSource(@NonNull Class<?> cls) {
        URL location;
        CodeSource codeSource = cls.getProtectionDomain().getCodeSource();
        if (codeSource == null || (location = codeSource.getLocation()) == null) {
            return null;
        }
        String url = location.toString();
        if (url.endsWith(ClassUtils.CLASS_FILE_SUFFIX)) {
            String str = cls.getName().replace('.', '/') + ClassUtils.CLASS_FILE_SUFFIX;
            if (url.endsWith(str)) {
                url = url.substring(0, url.length() - str.length());
            }
        }
        if (url.startsWith("jar:file:/") && url.endsWith(".jar!/")) {
            url = url.substring(4, url.length() - 2);
        }
        return url;
    }

    private static boolean isPluginManifest(Manifest manifest) {
        Attributes mainAttributes = manifest.getMainAttributes();
        return !(mainAttributes.getValue("Short-Name") == null || (mainAttributes.getValue("Plugin-Version") == null && mainAttributes.getValue("Jenkins-Version") == null)) || "true".equals(mainAttributes.getValue("Jenkins-ClassFilter-Whitelisted"));
    }

    @Override // hudson.remoting.ClassFilter
    public boolean isBlacklisted(String str) {
        if (Main.isUnitTest && str.contains("$$EnhancerByMockitoWithCGLIB$$")) {
            mockOff();
            return false;
        }
        Iterator it = ExtensionList.lookup(CustomClassFilter.class).iterator();
        while (it.hasNext()) {
            CustomClassFilter customClassFilter = (CustomClassFilter) it.next();
            Boolean permits = customClassFilter.permits(str);
            if (permits != null) {
                if (permits.booleanValue()) {
                    LOGGER.log(Level.FINER, "{0} specifies a policy for {1}: {2}", new Object[]{customClassFilter, str, true});
                } else {
                    notifyRejected(null, str, String.format("%s specifies a policy for %s: %s", customClassFilter, str, permits));
                }
                return !permits.booleanValue();
            }
        }
        if (!ClassFilter.STANDARD.isBlacklisted(str)) {
            return false;
        }
        if (SUPPRESS_ALL) {
            notifyRejected(null, str, String.format("would normally reject %s according to standard blacklist; see https://jenkins.io/redirect/class-filter/", str));
            return false;
        }
        notifyRejected(null, str, String.format("rejecting %s according to standard blacklist; see https://jenkins.io/redirect/class-filter/", str));
        return true;
    }

    private void notifyRejected(@CheckForNull Class<?> cls, @CheckForNull String str, String str2) {
        SecurityException securityException = null;
        if (LOGGER.isLoggable(Level.FINE)) {
            securityException = new SecurityException("Class rejected by the class filter: " + (cls != null ? cls.getName() : str));
        }
        LOGGER.log(Level.WARNING, str2, (Throwable) securityException);
    }

    static {
        try {
            InputStream resourceAsStream = ClassFilterImpl.class.getResourceAsStream("whitelisted-classes.txt");
            Throwable th = null;
            try {
                WHITELISTED_CLASSES = ImmutableSet.copyOf((Collection) IOUtils.readLines(resourceAsStream, StandardCharsets.UTF_8).stream().filter(str -> {
                    return !str.matches("#.*|\\s*");
                }).collect(Collectors.toSet()));
                if (resourceAsStream != null) {
                    if (0 != 0) {
                        try {
                            resourceAsStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        resourceAsStream.close();
                    }
                }
                CLASSES_JAR = Pattern.compile("(file:/.+/)WEB-INF/lib/classes[.]jar");
            } finally {
            }
        } catch (IOException e) {
            throw new ExceptionInInitializerError(e);
        }
    }
}
