package com.opensymphony.xwork.util;

import com.google.common.cache.CacheBuilder;
import com.opensymphony.xwork.config.ConfigurationManager;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Stream;
import javax.lang.model.SourceVersion;
import ognl.Node;
import ognl.OgnlContext;
import ognl.OgnlException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/opensymphony/xwork/util/SafeExpressionUtil.class */
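/**
 * Static pre-evaluation filter for OGNL expression strings.
 *
 * <p>An expression is compiled with {@code OgnlUtil.compile} and its syntax tree is walked; the
 * expression is rejected when a node matches one of the configured or built-in deny lists (node
 * types, property names, method names, variable references, class and package names) or calls a
 * static method on a class that is not in the configured allow list. Verdicts are memoised per
 * instance in two size-bounded caches.
 *
 * <p>The configuration-backed sets are read once, when the instance is constructed.
 *
 * <p>NOTE(review): this listing is decompiler output. The generic type witness on the cache
 * builders and the method reference in {@link #isUnSafeClass(String)} were reconstructed because
 * the decompiled form did not compile.
 */
public class SafeExpressionUtil {
    private static final Log log = LogFactory.getLog(SafeExpressionUtil.class);

    /** Context variable references that are rejected wherever they appear in the tree. */
    private static final Set<String> UNSAFE_VARIABLE_NAMES;

    /** Reflective handle on {@code ognl.ASTMethod#getMethodName()}; empty when the lookup failed. */
    private static final Optional<Method> OGNL_METHOD_GET_METHOD;

    /** Reflective handle on the {@code className} field of {@code ognl.ASTStaticMethod}; empty when the lookup failed. */
    private static final Optional<Field> OGNL_METHOD_GET_CLASS_STATIC_FIELD;

    static {
        Set<String> variables = new HashSet<String>();
        variables.add("#_memberAccess");
        variables.add("#context");
        variables.add("#request");
        variables.add("#parameters");
        variables.add("#session");
        variables.add("#application");
        variables.add("#attr");
        UNSAFE_VARIABLE_NAMES = Collections.unmodifiableSet(variables);

        Field classNameField = null;
        try {
            classNameField = Class.forName("ognl.ASTStaticMethod").getDeclaredField("className");
            classNameField.setAccessible(true);
        } catch (Exception e) {
            // Without this handle getClassNameFromStaticMethod() returns null, so every static
            // method call is rejected (fail-closed). Log it so the cause is discoverable.
            log.warn("Cannot introspect ognl.ASTStaticMethod.className; static method calls will be rejected", e);
        }
        OGNL_METHOD_GET_CLASS_STATIC_FIELD = Optional.ofNullable(classNameField);

        Method getMethodName;
        try {
            getMethodName = Class.forName("ognl.ASTMethod").getMethod("getMethodName");
            getMethodName.setAccessible(true);
        } catch (Exception e) {
            // Without this handle getMethodInOgnlExp() returns null and the method-name deny list
            // never matches (fail-open), so this must not pass silently.
            log.warn("Cannot introspect ognl.ASTMethod.getMethodName(); the unsafe method name check is disabled", e);
            getMethodName = null;
        }
        OGNL_METHOD_GET_METHOD = Optional.ofNullable(getMethodName);
    }

    // Verdict caches, bounded so that attacker-chosen expression strings cannot grow them without limit.
    private final Set<String> SAFE_EXPRESSIONS_CACHE =
            Collections.newSetFromMap(CacheBuilder.newBuilder().maximumSize(10000).<String, Boolean>build().asMap());
    private final Set<String> UNSAFE_EXPRESSIONS_CACHE =
            Collections.newSetFromMap(CacheBuilder.newBuilder().maximumSize(1000).<String, Boolean>build().asMap());

    private final Set<String> unsafePropertyNames = getUnsafePropertyNames();
    private final Set<String> unsafePackageNames = getUnsafePackageNames();
    private final Set<String> unsafeMethodNames = getUnsafeMethodNames();
    private final Set<String> unsafeNodeTypes = getUnsafeNodeTypes();
    // When true, the class/package deny-list checks below are skipped.
    // NOTE(review): presumably an allowlist enforced elsewhere takes over in that mode; confirm.
    private final boolean xWorkAllowlistEnabled = ConfigurationManager.getConfiguration().getXWorkAllowlistEnable();
    private final Set<String> allowedStaticMethodClasses = getAllowedStaticMethodClassesNames();
    private final Set<String> unsafeClassNames = getUnsafeClassNames();

    // The configuration getters' return types are not visible in this file, so the raw-typed copy
    // produced by the decompiler is kept in the five loaders below rather than guessing a type.

    /** Copies the configured excluded class names into an immutable set. */
    @SuppressWarnings({"unchecked", "rawtypes"})
    private Set<String> getUnsafeClassNames() {
        return Collections.unmodifiableSet(new HashSet(ConfigurationManager.getConfiguration().getExcludedClasses()));
    }

    /** Returns the built-in property names that expose {@code Class} or {@code ClassLoader} objects. */
    private Set<String> getUnsafePropertyNames() {
        Set<String> names = new HashSet<String>();
        names.add("class");
        names.add("classLoader");
        names.add("Class");
        names.add("ClassLoader");
        return Collections.unmodifiableSet(names);
    }

    /** Copies the configured excluded package names into an immutable set. */
    @SuppressWarnings({"unchecked", "rawtypes"})
    private Set<String> getUnsafePackageNames() {
        return Collections.unmodifiableSet(new HashSet(ConfigurationManager.getConfiguration().getExcludedPackageNames()));
    }

    /** Returns the built-in method names that expose {@code Class} or {@code ClassLoader} objects. */
    private Set<String> getUnsafeMethodNames() {
        Set<String> names = new HashSet<String>();
        names.add("getClass");
        names.add("getClassLoader");
        return Collections.unmodifiableSet(names);
    }

    /** Copies the configured excluded syntax-tree node class names into an immutable set. */
    @SuppressWarnings({"unchecked", "rawtypes"})
    private Set<String> getUnsafeNodeTypes() {
        return Collections.unmodifiableSet(new HashSet(ConfigurationManager.getConfiguration().getExcludedNodeTypes()));
    }

    /** Copies the configured classes whose static methods may be called into an immutable set. */
    @SuppressWarnings({"unchecked", "rawtypes"})
    private Set<String> getAllowedStaticMethodClassesNames() {
        return Collections.unmodifiableSet(new HashSet(ConfigurationManager.getConfiguration().getAllowedStaticMethodClasses()));
    }

    /**
     * Decides whether an expression may be handed to the OGNL evaluator.
     *
     * <p>Expressions longer than the configured maximum are rejected without being parsed; a
     * configured maximum of {@code 0} disables the length limit.
     *
     * <p>NOTE(review): a {@code null} expression passes the length check but is not handled
     * further down ({@link #trimQuotes(String)} dereferences it), so it ends in a
     * {@link NullPointerException}. Callers should not pass {@code null}.
     *
     * @param str the expression text
     * @return {@code true} when no unsafe construct was found, {@code false} otherwise
     */
    public boolean isSafeExpression(String str) {
        int expressionMaxLength = ConfigurationManager.getConfiguration().getExpressionMaxLength();
        boolean withinLimit = expressionMaxLength == 0 || str == null || str.length() <= expressionMaxLength;
        if (!withinLimit) {
            return false;
        }
        return isSafeExpressionInternal(str, new HashSet<String>());
    }

    /**
     * Cached safety check for one expression string.
     *
     * @param str the expression text
     * @param set constant values already visited during this top-level check; guards the
     *     recursion started by {@link #isSafeConstantExpressionNode(Node, Set)}
     * @return {@code true} when the expression is in the safe cache after classification
     */
    private boolean isSafeExpressionInternal(String str, Set<String> set) {
        if (!this.SAFE_EXPRESSIONS_CACHE.contains(str)) {
            if (this.UNSAFE_EXPRESSIONS_CACHE.contains(str)) {
                return false;
            }
            if (!this.xWorkAllowlistEnabled && isUnSafeClass(str)) {
                this.UNSAFE_EXPRESSIONS_CACHE.add(str);
                return false;
            }
            String unquoted = trimQuotes(str);
            if (SourceVersion.isName(unquoted) && this.allowedStaticMethodClasses.contains(unquoted)) {
                // The whole expression is just the name of an allow-listed class.
                this.SAFE_EXPRESSIONS_CACHE.add(str);
            } else {
                classifyBySyntaxTree(str, set);
            }
        }
        return this.SAFE_EXPRESSIONS_CACHE.contains(str);
    }

    /**
     * Compiles the expression, walks its syntax tree and records the verdict in the caches.
     * Nothing is cached when the compiled object is not a {@link Node}; the caller then reports
     * the expression as not safe.
     */
    private void classifyBySyntaxTree(String str, Set<String> set) {
        Object compiled;
        try {
            compiled = OgnlUtil.compile(str);
        } catch (OgnlException | RuntimeException e) {
            // Behaviour kept from the original: text that does not compile is treated as safe.
            // NOTE(review): this is fail-open and the verdict is cached, so it is only sound if
            // every evaluator downstream uses the same parser and rejects the same input.
            this.SAFE_EXPRESSIONS_CACHE.add(str);
            log.debug("Cannot verify safety of OGNL expression :" + str + " error Message : " + e.getMessage());
            return;
        }
        if (!(compiled instanceof Node)) {
            return;
        }
        boolean unsafe;
        try {
            unsafe = containsUnsafeExpression((Node) compiled, set);
        } catch (RuntimeException e) {
            // The tree walk itself failed, so the expression was never fully inspected. The
            // original shared one catch block with the compile step and cached the expression as
            // safe; an uninspected expression is rejected here instead.
            this.UNSAFE_EXPRESSIONS_CACHE.add(str);
            log.debug("Cannot verify safety of OGNL expression", e);
            return;
        }
        if (unsafe) {
            this.UNSAFE_EXPRESSIONS_CACHE.add(str);
            log.debug(String.format("Unsafe clause found in [\" %s \"]", str));
        } else {
            this.SAFE_EXPRESSIONS_CACHE.add(str);
        }
    }

    /**
     * Depth-first walk that reports whether the node or any descendant is a rejected construct.
     *
     * @param node the syntax-tree node to inspect
     * @param set constant values already visited during this top-level check
     * @return {@code true} as soon as one unsafe construct is found
     */
    private boolean containsUnsafeExpression(Node node, Set<String> set) {
        String nodeType = node.getClass().getName();
        if (this.unsafeNodeTypes.contains(nodeType)) {
            return true;
        }
        // A null class name (introspection unavailable) is never in the allow list, so static
        // calls are rejected in that case.
        if ("ognl.ASTStaticMethod".equals(nodeType)
                && !this.allowedStaticMethodClasses.contains(getClassNameFromStaticMethod(node))) {
            return true;
        }
        if ("ognl.ASTProperty".equals(nodeType)) {
            String property = node.toString();
            if (isUnSafeProperty(property)) {
                return true;
            }
            if (!this.xWorkAllowlistEnabled && isUnSafeClass(property)) {
                return true;
            }
        }
        // A null method name (introspection unavailable) never matches, so this check is skipped
        // in that case.
        if ("ognl.ASTMethod".equals(nodeType) && this.unsafeMethodNames.contains(getMethodInOgnlExp(node))) {
            return true;
        }
        if ("ognl.ASTVarRef".equals(nodeType) && UNSAFE_VARIABLE_NAMES.contains(node.toString())) {
            return true;
        }
        if ("ognl.ASTConst".equals(nodeType) && !isSafeConstantExpressionNode(node, set)) {
            return true;
        }
        int childCount = node.jjtGetNumChildren();
        for (int i = 0; i < childCount; i++) {
            Node child = node.jjtGetChild(i);
            if (child != null && containsUnsafeExpression(child, set)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks the value of a constant node by treating its text as an expression in its own right,
     * so that an expression hidden inside a string literal is inspected too.
     *
     * @param node a constant node
     * @param set constant values already visited; a value seen before is not inspected again,
     *     which bounds the recursion
     * @return {@code true} when the constant is null, empty, already visited or itself safe;
     *     {@code false} when it is unsafe or cannot be evaluated
     */
    private boolean isSafeConstantExpressionNode(Node node, Set<String> set) {
        try {
            Object value = node.getValue(new OgnlContext(), (Object) null);
            // The original called toString() before its null check, so a null constant raised a
            // NullPointerException that the caller's catch block turned into a cached "safe"
            // verdict for the whole expression, ending the walk early.
            if (value == null) {
                return true;
            }
            String text = value.toString();
            if (text == null || text.isEmpty() || set.contains(text)) {
                return true;
            }
            set.add(text);
            return isSafeExpressionInternal(text, set);
        } catch (OgnlException e) {
            log.debug("Cannot verify safety of OGNL expression", e);
            return false;
        }
    }

    /**
     * Reads the target class name of a static method call node by reflection.
     *
     * @return the class name, or {@code null} when the field handle is missing or inaccessible
     */
    private static String getClassNameFromStaticMethod(Node node) {
        if (!OGNL_METHOD_GET_CLASS_STATIC_FIELD.isPresent()) {
            return null;
        }
        try {
            return (String) OGNL_METHOD_GET_CLASS_STATIC_FIELD.get().get(node);
        } catch (IllegalAccessException e) {
            log.debug("Method can't be accessed for introspection", e);
            return null;
        }
    }

    /**
     * Reads the method name of a method call node by reflection.
     *
     * @return the method name, or {@code null} when the method handle is missing or the call fails
     */
    private static String getMethodInOgnlExp(Node node) {
        if (!OGNL_METHOD_GET_METHOD.isPresent()) {
            return null;
        }
        try {
            return (String) OGNL_METHOD_GET_METHOD.get().invoke(node);
        } catch (IllegalAccessException | InvocationTargetException e) {
            log.debug("Method can't be accessed for introspection", e);
            return null;
        }
    }

    /**
     * Strips matching outer quote pairs (double or single), repeatedly and ignoring surrounding
     * whitespace. When the text is not quoted it is returned unchanged, whitespace included.
     */
    private String trimQuotes(String str) {
        String trimmed = str.trim();
        // The length guard matters: for a lone quote character both startsWith and endsWith are
        // true, and substring(1, 0) threw StringIndexOutOfBoundsException out of isSafeExpression.
        boolean quoted = trimmed.length() >= 2
                && ((trimmed.startsWith("\"") && trimmed.endsWith("\""))
                        || (trimmed.startsWith("'") && trimmed.endsWith("'")));
        return quoted ? trimQuotes(trimmed.substring(1, trimmed.length() - 1)) : str;
    }

    /**
     * Reports whether the text names an excluded class, or a name under an excluded package.
     * Only syntactically valid Java names are tested against the package list.
     */
    private boolean isUnSafeClass(String str) {
        String candidate = trimQuotes(str);
        if (this.unsafeClassNames.contains(candidate)) {
            return true;
        }
        if (!SourceVersion.isName(candidate)) {
            return false;
        }
        // The decompiler emitted a lambda over an undefined variable here; this is the method
        // reference it stood for.
        return populateParentPackages(candidate, new ArrayList<String>()).stream()
                .anyMatch(this.unsafePackageNames::contains);
    }

    /** Reports whether the text, with outer quotes removed, is one of the rejected property names. */
    private boolean isUnSafeProperty(String str) {
        return this.unsafePropertyNames.contains(trimQuotes(str));
    }

    /**
     * Appends every dotted prefix of a name to the list, longest first
     * ({@code a.b.C} gives {@code a.b}, then {@code a}).
     *
     * @return the list that was passed in
     */
    private List<String> populateParentPackages(String str, List<String> list) {
        String remaining = str;
        int dot = remaining.lastIndexOf('.');
        while (dot != -1) {
            remaining = remaining.substring(0, dot);
            list.add(remaining);
            dot = remaining.lastIndexOf('.');
        }
        return list;
    }
}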
