package com.atlassian.jira;

import com.atlassian.jira.pageobjects.config.CreateUser;
import com.atlassian.jira.pageobjects.config.LoginAs;
import com.atlassian.jira.pageobjects.pages.EditProfilePage;
import com.atlassian.jira.pageobjects.pages.ViewProfilePage;
import com.atlassian.jira.pageobjects.pages.admin.EditApplicationPropertiesPage;
import com.atlassian.jira.pageobjects.pages.admin.configuration.ViewGeneralConfigurationPage;
import com.atlassian.jira.pageobjects.pages.admin.roles.UserRoleActorActionPage;
import com.atlassian.jira.pageobjects.pages.admin.user.AddUserPage;
import com.atlassian.jira.pageobjects.pages.admin.user.UserBrowserPage;
import com.atlassian.jira.webtest.webdriver.tests.common.BaseJiraWebTest;
import com.atlassian.test.categories.OnDemandSuiteTest;
import java.util.NoSuchElementException;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Test;
import org.junit.experimental.categories.Category;

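/**
 * Browser-level regression tests that feed script-tag probes into several Jira pages and
 * verify that the rendered page source never echoes them back unescaped.
 *
 * <p>Every test ends in {@link #assertSourceNoXSS()}, which looks for the literal marker
 * {@code <script>alert} in the page source. See that method for what the check does and
 * does not cover.
 */
@Category({OnDemandSuiteTest.class})
public class TestXss extends BaseJiraWebTest {
    private static final String DEVELOPER = "developer";

    /**
     * Requests the role-actor action page with probes placed in the role id and in an
     * appended {@code projectId} parameter, in both percent-encoded and raw form.
     */
    @Test
    @LoginAs(user = DEVELOPER, password = DEVELOPER)
    @CreateUser(username = DEVELOPER, password = DEVELOPER, groupnames = {"developers"})
    public void testRoleActorActionsXSS() throws Exception {
        final String[] roleIdProbes = {
            "10002f843c%3Cscript%3Ealert%281%29%3C/script%3Ee156c7382b7",
            "10002&projectId=10010f843c%3Cscript%3Ealert%281%29%3C/script%3Ee156c7382b7",
            "100021442d<script>alert(1)</script>42df75ab185&projectId=10020",
            // Same value as the first entry; kept so the request sequence is unchanged.
            "10002f843c%3Cscript%3Ealert%281%29%3C/script%3Ee156c7382b7",
            "10002&projectId=10010b4927<script>alert(1)</script>fa5f1a0dfb",
        };
        for (String probe : roleIdProbes) {
            // The probe is the page's single argument; how it is placed into the URL is
            // decided by UserRoleActorActionPage (not visible here).
            pageBinder.navigateToAndBind(UserRoleActorActionPage.class, probe);
            assertSourceNoXSS();
        }
    }

    /**
     * Stores a probe as the logged-in user's full name and checks the page shown after
     * the profile form is submitted.
     */
    @Test
    @LoginAs(user = DEVELOPER, password = DEVELOPER, targetPage = ViewProfilePage.class)
    @CreateUser(username = DEVELOPER, password = DEVELOPER, groupnames = {"developers"})
    public void testEditProfileXSS() {
        EditProfilePage edit = pageBinder.bind(ViewProfilePage.class).edit();
        edit.setFullname("\"><script>alert(\"JST-3617\")</script>").setPassword(DEVELOPER);
        edit.submit();
        assertSourceNoXSS();
    }

    /**
     * Stores probes in the "email from" header format and in the application title, and
     * checks the general configuration page after each save. The original values are
     * restored whether or not the assertions pass.
     */
    @Test
    @LoginAs(sysadmin = true, targetPage = EditApplicationPropertiesPage.class)
    @CreateUser(username = DEVELOPER, password = DEVELOPER, groupnames = {"developers"})
    public void testEditApplicationPropertiesXSS() {
        EditApplicationPropertiesPage emailFormatPage = pageBinder.bind(EditApplicationPropertiesPage.class);
        final String originalEmailFromHeaderFormat = emailFormatPage.getEmailFromHeaderFormat();
        final String originalTitle = emailFormatPage.getApplicationTitle();
        try {
            emailFormatPage.setEmailFromHeaderFormat("\"><script>alert(3790)</script>");
            emailFormatPage.submit();
            pageBinder.bind(ViewGeneralConfigurationPage.class);
            assertSourceNoXSS();

            EditApplicationPropertiesPage titlePage = pageBinder.navigateToAndBind(EditApplicationPropertiesPage.class);
            titlePage.setTitle("votest.jira.com'\"><script>alert(3790)</script>d5c2734e173b21b9c");
            titlePage.submit();
            pageBinder.bind(ViewGeneralConfigurationPage.class);
            assertSourceNoXSS();
        } finally {
            // Single restore path: these are instance-wide settings, so a probe left in
            // place would leak into every test that runs afterwards.
            restoreApplicationProperties(originalTitle, originalEmailFromHeaderFormat);
        }
    }

    /**
     * Creates a user whose second and third {@code addUser} arguments are probes, checks
     * the user browser page, and deletes the user again through the backdoor REST
     * resource.
     */
    @Test
    @LoginAs(sysadmin = true, targetPage = AddUserPage.class)
    @CreateUser(username = DEVELOPER, password = DEVELOPER, groupnames = {"developers"})
    public void testAddUserXSS() {
        final String probe = "'\"><script>alert(1)</script>";
        // Timestamp suffix keeps the username unique across runs.
        final String username = "a" + System.currentTimeMillis();
        try {
            // NOTE(review): the probe fills the two arguments after the username,
            // presumably password and full name - confirm against AddUserPage.addUser.
            pageBinder.bind(AddUserPage.class)
                    .addUser(username, probe, probe, username + "@example.com", false)
                    .createUser(UserBrowserPage.class, new Object[0])
                    .findRow(username);
            assertSourceNoXSS();
        } catch (NoSuchElementException e) {
            // Keep the lookup failure as the cause so the report shows what was missing.
            throw new AssertionError("User " + username + " not found on browser page.", e);
        } finally {
            deleteUser(username);
        }
    }

    /** Writes the saved title and "email from" header format back and waits for the configuration page. */
    private void restoreApplicationProperties(String title, String emailFromHeaderFormat) {
        EditApplicationPropertiesPage restorePage = pageBinder.navigateToAndBind(EditApplicationPropertiesPage.class);
        restorePage.setTitle(title).setEmailFromHeaderFormat(emailFromHeaderFormat);
        restorePage.submit();
        pageBinder.bind(ViewGeneralConfigurationPage.class);
    }

    /** Deletes the given user through the test-kit REST resource. */
    private void deleteUser(String username) {
        jira.backdoor().getTestkit().rawRestApiControl().rootResource().path("user").queryParam("username", username).delete();
    }

    /**
     * Fails if the current page source contains the literal text {@code <script>alert}.
     *
     * <p>The match is a case-sensitive substring test on the whole page source, so it
     * only detects a probe whose opening tag came back unescaped. It cannot tell whether
     * the quote characters that precede the tag in some probes were escaped, so it is a
     * regression guard for these specific probes, not proof that the output is encoded
     * correctly for every context.
     */
    private void assertSourceNoXSS() {
        Assert.assertThat(jira.getTester().getDriver().getDriver().getPageSource(), Matchers.not(Matchers.containsString("<script>alert")));
    }
}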
