package com.atlassian.xwork.interceptors;

import com.atlassian.xwork.ParameterSafe;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.NoParameters;
import com.opensymphony.xwork2.interceptor.ParametersInterceptor;
import com.opensymphony.xwork2.util.ValueStack;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import org.apache.struts2.dispatcher.HttpParameters;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/xwork/interceptors/SafeParametersInterceptor.class */
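/**
 * Parameters interceptor that filters request parameter names before writing them to the value
 * stack.
 *
 * <p>A name is rejected when it is in {@link #BLOCKED_PARAMETER_NAMES}, matches
 * {@link #EXCLUDE_CLASS_PATTERN}, or does not match {@link #SAFE_PARAMETER_NAME_PATTERN}. Unless
 * annotation checks are disabled, a dotted or map-style name is additionally accepted only when
 * the getter of its first segment, or that getter's return type, carries {@link ParameterSafe}.
 *
 * <p>NOTE(review): {@link #doIntercept} applies the filtered parameters in {@link #before} and
 * then delegates to {@code super.doIntercept}. The superclass's own parameter handling is not
 * visible in this file; confirm it cannot apply names that this filter rejected.
 */
public class SafeParametersInterceptor extends ParametersInterceptor {
    public static final String PARAMETER_NAME_BLOCKED = "Parameter name blocked: ";
    public static final Logger log = LoggerFactory.getLogger(SafeParametersInterceptor.class);

    /** Any name containing "class" (case-insensitive) followed by a character outside {@code [a-z0-9_]}. */
    private static final Pattern EXCLUDE_CLASS_PATTERN =
            Pattern.compile(".*class[^a-z0-9_].*", Pattern.CASE_INSENSITIVE);

    /** Allow-list shape: a word, then any mix of {@code .word}, {@code [digits]} and {@code ['word.chars']}. */
    private static final Pattern SAFE_PARAMETER_NAME_PATTERN =
            Pattern.compile("\\w+((\\.\\w+)|(\\[\\d+\\])|(\\['[\\w.]*'\\]))*");

    /** Names that are always rejected, whatever the annotation settings. */
    private static final Set<String> BLOCKED_PARAMETER_NAMES =
            new HashSet<>(Arrays.asList("actionErrors", "actionMessages"));

    /** A name ending in a quoted map key such as {@code foo['bar']}. */
    private static final Pattern MAP_PARAMETER_PATTERN = Pattern.compile(".*\\['[a-zA-Z0-9_]+'\\]");

    // When true, dotted and map-style names are accepted without a @ParameterSafe annotation,
    // which widens the set of properties a request parameter can address.
    private boolean disableAnnotationChecks = false;

    /** Hook that runs nothing; kept for callers and subclasses that reference it. */
    protected void after(ActionInvocation actionInvocation, String str) throws Exception {
    }

    /**
     * Turns the {@link ParameterSafe} requirement for dotted and map-style names off or on.
     *
     * @param disableAnnotationChecks {@code true} to skip the annotation check
     */
    public void setDisableAnnotationChecks(boolean disableAnnotationChecks) {
        this.disableAnnotationChecks = disableAnnotationChecks;
    }

    /**
     * Applies the filtered parameters, then delegates to the superclass.
     *
     * @param actionInvocation the invocation being intercepted
     * @return the result code returned by {@code super.doIntercept}
     * @throws Exception if applying parameters or the superclass call fails
     */
    public String doIntercept(ActionInvocation actionInvocation) throws Exception {
        before(actionInvocation);
        return super.doIntercept(actionInvocation);
    }

    /**
     * Reports whether parameter application is skipped for this invocation.
     *
     * @param actionInvocation the invocation being intercepted
     * @return {@code true} when the action implements {@link NoParameters}
     */
    protected boolean shouldNotIntercept(ActionInvocation actionInvocation) {
        return actionInvocation.getAction() instanceof NoParameters;
    }

    /**
     * Filters the request parameters and sets the accepted ones on the value stack.
     *
     * <p>Method execution is denied on the invocation context while values are being set. The
     * {@code finally} block resets the three context flags to {@code FALSE} rather than restoring
     * whatever they held before.
     *
     * @param actionInvocation the invocation being intercepted
     * @throws Exception if setting a value on the value stack fails
     */
    protected void before(ActionInvocation actionInvocation) throws Exception {
        if (shouldNotIntercept(actionInvocation)) {
            return;
        }
        Map<String, Object> safeParameters = filterSafeParameters(
                retrieveParameters(actionInvocation.getInvocationContext()),
                (Action) actionInvocation.getAction());
        log.debug("Setting params {}", safeParameters);

        ActionContext invocationContext = actionInvocation.getInvocationContext();
        try {
            invocationContext.put("xwork.NullHandler.createNullObjects", Boolean.TRUE);
            invocationContext.put("xwork.MethodAccessor.denyMethodExecution", Boolean.TRUE);
            invocationContext.put("report.conversion.errors", Boolean.TRUE);
            ValueStack valueStack = ActionContext.getContext().getValueStack();
            for (Map.Entry<String, Object> entry : safeParameters.entrySet()) {
                String key = toValueStackKey(entry.getKey());
                if (key == null) {
                    // An all-digit name too large for a long used to abort the whole request
                    // with a NumberFormatException; that single parameter is now ignored.
                    log.debug("Ignoring numeric parameter name outside the long range: {}", entry.getKey());
                    continue;
                }
                valueStack.setValue(key, entry.getValue());
            }
        } finally {
            invocationContext.put("xwork.NullHandler.createNullObjects", Boolean.FALSE);
            invocationContext.put("xwork.MethodAccessor.denyMethodExecution", Boolean.FALSE);
            invocationContext.put("report.conversion.errors", Boolean.FALSE);
        }
    }

    /**
     * Converts a parameter name into the key passed to the value stack.
     *
     * <p>An all-digit name above {@link Integer#MAX_VALUE} gets an {@code L} suffix (presumably so
     * the expression parser reads it as a long literal; confirm against the value stack).
     *
     * @param key the accepted parameter name
     * @return the key to use, or {@code null} when the name is all digits but not parseable as a long
     */
    private static String toValueStackKey(String key) {
        if (!isNumeric(key)) {
            return key;
        }
        try {
            return Long.parseLong(key) > Integer.MAX_VALUE ? key + 'L' : key;
        } catch (NumberFormatException e) {
            return null;
        }
    }

    /**
     * Copies the entries whose names pass {@link #isSafeParameterName(String, Action, boolean)}.
     *
     * @param httpParameters the request parameters
     * @param action the action the parameters target
     * @return a new map holding only the accepted entries; never {@code null}
     */
    private Map<String, Object> filterSafeParameters(HttpParameters httpParameters, Action action) {
        Map<String, Object> accepted = new HashMap<>();
        for (Map.Entry<String, ?> entry : httpParameters.entrySet()) {
            if (isSafeParameterName(entry.getKey(), action, this.disableAnnotationChecks)) {
                accepted.put(entry.getKey(), entry.getValue());
            }
        }
        return accepted;
    }

    /**
     * Checks a name with the annotation check skipped.
     *
     * <p>NOTE(review): this overload passes {@code true}, which the three-argument form treats as
     * "skip the {@link ParameterSafe} check". Confirm that callers of this overload expect that.
     *
     * @param str the parameter name
     * @param action the action the parameter targets
     * @return {@code true} when the name passes the block list and both patterns
     */
    static boolean isSafeParameterName(String str, Action action) {
        return isSafeParameterName(str, action, true);
    }

    /**
     * Decides whether a request parameter name may be applied to the action.
     *
     * @param str the parameter name
     * @param action the action the parameter targets
     * @param skipAnnotationChecks {@code true} to accept dotted and map-style names without
     *     looking for {@link ParameterSafe}
     * @return {@code true} when the name is accepted
     */
    static boolean isSafeParameterName(String str, Action action, boolean skipAnnotationChecks) {
        if (BLOCKED_PARAMETER_NAMES.contains(str)) {
            return false;
        }
        if (EXCLUDE_CLASS_PATTERN.matcher(str).matches()) {
            // The name is request-controlled and has not passed the allow-list pattern yet, so
            // control characters are neutralised to keep it on a single log line.
            log.info(PARAMETER_NAME_BLOCKED + sanitizeForLog(str));
            return false;
        }
        if (!SAFE_PARAMETER_NAME_PATTERN.matcher(str).matches()) {
            return false;
        }
        if (skipAnnotationChecks) {
            return true;
        }
        if (str.contains(".") || MAP_PARAMETER_PATTERN.matcher(str).matches()) {
            return isSafeComplexParameterName(str, action);
        }
        return true;
    }

    /** Replaces ISO control characters (including CR and LF) with {@code '_'} for logging. */
    private static String sanitizeForLog(String value) {
        StringBuilder cleaned = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            cleaned.append(Character.isISOControl(c) ? '_' : c);
        }
        return cleaned.toString();
    }

    /**
     * Checks the first segment of a dotted or map-style name against the action's bean properties.
     *
     * @param str the full parameter name
     * @param action the action whose properties are introspected
     * @return {@code true} only when a property with that name exists and its read method passes
     *     {@link #isSafeMethod}; {@code false} when no property matches or introspection fails
     */
    private static boolean isSafeComplexParameterName(String str, Action action) {
        try {
            String initialName = extractInitialParameterName(str);
            for (PropertyDescriptor descriptor : Introspector.getBeanInfo(action.getClass()).getPropertyDescriptors()) {
                if (!descriptor.getName().equals(initialName)) {
                    continue;
                }
                // The read method is what gets inspected here, although the log text says "setter".
                if (isSafeMethod(descriptor.getReadMethod())) {
                    return true;
                }
                log.info("Attempt to call unsafe property setter " + str + " on " + action);
                return false;
            }
            return false;
        } catch (IntrospectionException e) {
            // Fail closed: a name that cannot be checked is rejected.
            log.warn("Error introspecting action parameter " + str + " for action " + action + ": " + e.getMessage(), e);
            return false;
        }
    }

    /**
     * Returns the part of the name before its first {@code '.'} or {@code '['}, whichever the
     * original condition selects. The caller passes only names that contain one of the two.
     */
    private static String extractInitialParameterName(String str) {
        int dot = str.indexOf(".");
        int bracket = str.indexOf("[");
        boolean cutAtDot = !str.contains("[") || (dot > 0 && bracket > dot);
        return cutAtDot ? str.substring(0, dot) : str.substring(0, bracket);
    }

    /**
     * Reports whether a getter is marked safe for parameter navigation.
     *
     * @param method the property's read method; {@code null} when the property has none
     * @return {@code true} when the method or its return type carries {@link ParameterSafe};
     *     {@code false} for a {@code null} method (the original dereferenced it and threw)
     */
    private static boolean isSafeMethod(Method method) {
        if (method == null) {
            return false;
        }
        if (method.getAnnotation(ParameterSafe.class) != null) {
            return true;
        }
        Class<?> returnType = method.getReturnType();
        return returnType != null && returnType.getAnnotation(ParameterSafe.class) != null;
    }

    /** Returns {@code true} when every character is a digit; an empty string also yields {@code true}. */
    private static boolean isNumeric(String str) {
        for (int i = 0; i < str.length(); i++) {
            if (!Character.isDigit(str.charAt(i))) {
                return false;
            }
        }
        return true;
    }
}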
