package jenkins.util.xml;

import java.util.logging.Level;
import java.util.logging.LogManager;
import java.util.logging.Logger;
import javax.annotation.Nonnull;
import javax.xml.transform.Result;
import javax.xml.transform.Source;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.sax.SAXTransformerFactory;
import org.apache.tools.ant.util.XmlConstants;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;

@Restricted({NoExternalUse.class})
/* loaded from: input_file:WEB-INF/lib/jenkins-core-1.657.jar:jenkins/util/xml/XMLUtils.class */
public final class XMLUtils {
    private static final Logger LOGGER = LogManager.getLogManager().getLogger(XMLUtils.class.getName());
    private static final String DISABLED_PROPERTY_NAME = XMLUtils.class.getName() + ".disableXXEPrevention";

    public static void safeTransform(@Nonnull Source source, @Nonnull Result result) throws TransformerException, SAXException {
        InputSource sourceToInputSource = SAXSource.sourceToInputSource(source);
        if (sourceToInputSource != null) {
            ((SAXTransformerFactory) TransformerFactory.newInstance()).setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
            XMLReader createXMLReader = XMLReaderFactory.createXMLReader();
            try {
                createXMLReader.setFeature(XmlConstants.FEATURE_EXTERNAL_ENTITIES, false);
            } catch (SAXException e) {
            }
            try {
                createXMLReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            } catch (SAXException e2) {
            }
            createXMLReader.setEntityResolver(RestrictiveEntityResolver.INSTANCE);
            _transform(new SAXSource(createXMLReader, sourceToInputSource), result);
            return;
        }
        if (!Boolean.getBoolean(DISABLED_PROPERTY_NAME)) {
            throw new TransformerException("Could not convert source of type " + source.getClass() + " and XXEPrevention is enabled.");
        }
        LOGGER.log(Level.WARNING, "XML external entity (XXE) prevention has been disabled by the system property {0}=true Your system may be vulnerable to XXE attacks.", DISABLED_PROPERTY_NAME);
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Caller stack trace: ", (Throwable) new Exception("XXE Prevention caller history"));
        }
        _transform(source, result);
    }

    private static void _transform(Source source, Result result) throws TransformerException {
        TransformerFactory newInstance = TransformerFactory.newInstance();
        newInstance.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
        newInstance.newTransformer().transform(source, result);
    }
}
