package com.opensymphony.xwork.util;

import com.opensymphony.xwork.config.ConfigurationManager;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Stream;
import ognl.MethodFailedException;
import ognl.ObjectMethodAccessor;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.aop.support.AopUtils;

/* loaded from: input_file:com/opensymphony/xwork/util/XWorkMethodAccessor.class */
public class XWorkMethodAccessor extends ObjectMethodAccessor {
    public static final String DENY_METHOD_EXECUTION = "xwork.MethodAccessor.denyMethodExecution";
    public static final String XWORK_ALLOW_LIST_ENABLE_PROPERTY = "xwork.allowlist.enable";
    private static Log LOG = LogFactory.getLog(OgnlValueStack.class);
    private final Set<String> unsafeClassNames = getUnsafeClassNames();
    private final Set<String> unsafePackageNames = getUnsafePackageNames();
    private final boolean xWorkAllowlistEnabled = Boolean.getBoolean(XWORK_ALLOW_LIST_ENABLE_PROPERTY);
    private final Set<String> allowedPackageNames = getSafePackageNames();
    private final Set<String> allowedClassNames = getAllowedClassNames();

    private Set<String> getUnsafeClassNames() {
        HashSet hashSet = new HashSet(ConfigurationManager.getConfiguration().getExcludedClasses());
        hashSet.add("class");
        hashSet.add("classLoader");
        hashSet.add("Class");
        hashSet.add("ClassLoader");
        return hashSet;
    }

    private Set<String> getUnsafePackageNames() {
        return Collections.unmodifiableSet(new HashSet(ConfigurationManager.getConfiguration().getExcludedPackageNames()));
    }

    private List<String> populateParentPackages(String str, List<String> list) {
        int lastIndexOf = str.lastIndexOf(46);
        if (lastIndexOf != -1) {
            String substring = str.substring(0, lastIndexOf);
            list.add(substring);
            populateParentPackages(substring, list);
        }
        return list;
    }

    private Set<String> getSafePackageNames() {
        return Collections.unmodifiableSet(new HashSet(ConfigurationManager.getConfiguration().getAllowedPackageNames()));
    }

    private Set<String> getAllowedClassNames() {
        return Collections.unmodifiableSet(new HashSet(ConfigurationManager.getConfiguration().getAllowedClasses()));
    }

    private boolean isUnSafeClass(String str, String str2) {
        if (this.unsafeClassNames.contains(str)) {
            LOG.error("XWorkMethodAccessor: isUnSafeClass(): Found call to unsafe class: " + str);
            return true;
        }
        List<String> populateParentPackages = populateParentPackages(str2, new ArrayList());
        Stream<String> stream = populateParentPackages.stream();
        Set<String> set = this.unsafePackageNames;
        Objects.requireNonNull(set);
        if (!stream.anyMatch((v1) -> {
            return r1.contains(v1);
        })) {
            return false;
        }
        LOG.error("XWorkMethodAccessor: isUnSafeClass(): Found call to unsafe package: " + populateParentPackages);
        return true;
    }

    private boolean isSafeClass(String str, String str2) {
        List<String> populateParentPackages = populateParentPackages(str2, new ArrayList());
        Stream<String> stream = populateParentPackages.stream();
        Set<String> set = this.allowedPackageNames;
        Objects.requireNonNull(set);
        if (stream.anyMatch((v1) -> {
            return r1.contains(v1);
        }) || this.allowedClassNames.contains(str) || this.allowedPackageNames.contains(str2)) {
            return true;
        }
        LOG.error("XWorkMethodAccessor: isSafeClass(): Found call to unsafe class: " + str);
        LOG.error("XWorkMethodAccessor: isSafeClass(): Found call to unsafe package: " + populateParentPackages);
        return false;
    }

    public Object callMethod(Map map, Object obj, String str, Object[] objArr) throws MethodFailedException {
        Boolean bool = (Boolean) map.get(DENY_METHOD_EXECUTION);
        boolean booleanValue = bool == null ? false : bool.booleanValue();
        String name = AopUtils.getTargetClass(obj).getPackage().getName();
        String name2 = AopUtils.getTargetClass(obj).getName();
        if (booleanValue) {
            return null;
        }
        LOG.debug("SafeExpressionUtil: Trying to execute: " + obj.getClass() + "." + str);
        if (this.xWorkAllowlistEnabled) {
            if (!isSafeClass(name2, name)) {
                return null;
            }
        } else if (isUnSafeClass(name2, name)) {
            return null;
        }
        return super.callMethod(map, obj, str, objArr);
    }

    public Object callStaticMethod(Map map, Class cls, String str, Object[] objArr) throws MethodFailedException {
        Boolean bool = (Boolean) map.get(DENY_METHOD_EXECUTION);
        if (bool == null ? false : bool.booleanValue()) {
            return null;
        }
        LOG.debug("SafeExpressionUtil: Found call to static method: " + cls + "." + str);
        return super.callStaticMethod(map, cls, str, objArr);
    }
}
