package com.h3xstream.findsecbugs;

import com.h3xstream.findsecbugs.common.matcher.InstructionDSL;
import com.h3xstream.findsecbugs.common.matcher.InvokeMatcherBuilder;
import com.h3xstream.findsecbugs.injection.BasicInjectionDetector;
import com.h3xstream.findsecbugs.injection.InjectionPoint;
import com.h3xstream.findsecbugs.taintanalysis.Taint;
import com.h3xstream.findsecbugs.taintanalysis.TaintFrame;
import edu.umd.cs.findbugs.BugReporter;
import edu.umd.cs.findbugs.ba.DataflowAnalysisException;
import org.apache.bcel.generic.ConstantPoolGen;
import org.apache.bcel.generic.InstructionHandle;
import org.apache.bcel.generic.InvokeInstruction;

/* loaded from: input_file:findsecbugs-plugin.jar:com/h3xstream/findsecbugs/PermissiveCORSDetector.class */
public class PermissiveCORSDetector extends BasicInjectionDetector {
    private static final String PERMISSIVE_CORS = "PERMISSIVE_CORS";
    private static final String HTTP_SERVLET_RESPONSE_CLASS = "javax.servlet.http.HttpServletResponse";
    private static final String HEADER_KEY = "Access-Control-Allow-Origin";
    private static final InvokeMatcherBuilder SERVLET_RESPONSE_ADD_HEADER_METHOD;
    private static final InvokeMatcherBuilder SERVLET_RESPONSE_SET_HEADER_METHOD;
    static final /* synthetic */ boolean $assertionsDisabled;

    public PermissiveCORSDetector(BugReporter bugReporter) {
        super(bugReporter);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.h3xstream.findsecbugs.injection.BasicInjectionDetector, com.h3xstream.findsecbugs.injection.AbstractInjectionDetector
    public InjectionPoint getInjectionPoint(InvokeInstruction invokeInstruction, ConstantPoolGen constantPoolGen, InstructionHandle instructionHandle) {
        if (!$assertionsDisabled && (invokeInstruction == null || constantPoolGen == null)) {
            throw new AssertionError();
        }
        if (!SERVLET_RESPONSE_ADD_HEADER_METHOD.matches(invokeInstruction, constantPoolGen) && !SERVLET_RESPONSE_SET_HEADER_METHOD.matches(invokeInstruction, constantPoolGen)) {
            return InjectionPoint.NONE;
        }
        return new InjectionPoint(new int[]{0}, PERMISSIVE_CORS);
    }

    @Override // com.h3xstream.findsecbugs.injection.AbstractInjectionDetector
    protected int getPriorityFromTaintFrame(TaintFrame taintFrame, int i) throws DataflowAnalysisException {
        if (!HEADER_KEY.equalsIgnoreCase(taintFrame.getStackValue(1).getConstantValue())) {
            return 5;
        }
        Taint stackValue = taintFrame.getStackValue(0);
        if (Taint.State.TAINTED.equals(stackValue.getState())) {
            return 1;
        }
        if (Taint.State.UNKNOWN.equals(stackValue.getState())) {
            return 2;
        }
        String constantOrPotentialValue = stackValue.getConstantOrPotentialValue();
        if (constantOrPotentialValue == null) {
            return 5;
        }
        return (constantOrPotentialValue.contains("*") || "null".equalsIgnoreCase(constantOrPotentialValue)) ? 1 : 5;
    }

    static {
        $assertionsDisabled = !PermissiveCORSDetector.class.desiredAssertionStatus();
        SERVLET_RESPONSE_ADD_HEADER_METHOD = InstructionDSL.invokeInstruction().atClass(HTTP_SERVLET_RESPONSE_CLASS).atMethod("addHeader").withArgs("(Ljava/lang/String;Ljava/lang/String;)V");
        SERVLET_RESPONSE_SET_HEADER_METHOD = InstructionDSL.invokeInstruction().atClass(HTTP_SERVLET_RESPONSE_CLASS).atMethod("setHeader").withArgs("(Ljava/lang/String;Ljava/lang/String;)V");
    }
}
