package com.h3xstream.findsecbugs.injection.xml;

import com.h3xstream.findsecbugs.common.matcher.InstructionDSL;
import com.h3xstream.findsecbugs.common.matcher.InvokeMatcherBuilder;
import com.h3xstream.findsecbugs.injection.BasicInjectionDetector;
import com.h3xstream.findsecbugs.injection.InjectionPoint;
import com.h3xstream.findsecbugs.taintanalysis.Taint;
import com.h3xstream.findsecbugs.taintanalysis.TaintFrame;
import com.h3xstream.findsecbugs.taintanalysis.TaintFrameAdditionalVisitor;
import edu.umd.cs.findbugs.BugReporter;
import edu.umd.cs.findbugs.ba.ClassContext;
import edu.umd.cs.findbugs.ba.DataflowAnalysisException;
import java.util.List;
import org.apache.bcel.classfile.Constant;
import org.apache.bcel.classfile.ConstantUtf8;
import org.apache.bcel.generic.ConstantPoolGen;
import org.apache.bcel.generic.FieldInstruction;
import org.apache.bcel.generic.InvokeInstruction;
import org.apache.bcel.generic.LoadInstruction;
import org.apache.bcel.generic.MethodGen;

/* loaded from: input_file:findsecbugs-plugin.jar:com/h3xstream/findsecbugs/injection/xml/XmlInjectionDetector.class */
/**
 * Taint detector that reports {@code POTENTIAL_XML_INJECTION} for strings appended to a
 * {@code StringBuilder} or {@code StringBuffer} that has already received XML-looking content.
 *
 * <p>The detection is a two-part heuristic:
 * <ul>
 *   <li>{@link #visitInvoke} tags a builder with {@code Taint.Tag.XML_VALUE} once a constant
 *       string containing both {@code <} and {@code >} is appended to it;</li>
 *   <li>{@link #getPriorityFromTaintFrame} raises the priority of a later
 *       {@code append(String)} only when the target carries that tag and the appended value is
 *       neither safe nor tagged {@code XSS_SAFE}.</li>
 * </ul>
 *
 * <p>Limits a reviewer should keep in mind: only {@code append} calls on the two classes in
 * {@link #STRING_CONCAT_CLASS} are matched, and only the {@code append(String)} overload is
 * registered as an injection point. NOTE(review): string concatenation that javac compiles to
 * {@code invokedynamic} (targets Java 9 and later) does not call {@code StringBuilder.append},
 * so it is presumably invisible to this detector; confirm against the analysed bytecode level.
 */
public class XmlInjectionDetector extends BasicInjectionDetector implements TaintFrameAdditionalVisitor {
    private static final String XML_INJECTION_TYPE = "POTENTIAL_XML_INJECTION";
    private static final String[] STRING_CONCAT_CLASS = {"java/lang/StringBuilder", "java/lang/StringBuffer"};
    private static final InvokeMatcherBuilder STRINGBUILDER_APPEND =
            InstructionDSL.invokeInstruction().atClass(STRING_CONCAT_CLASS).atMethod("append");
    private static final boolean DEBUG = false;

    // Priority values returned to the injection framework. The numbers match NORMAL_PRIORITY (2)
    // and IGNORE_PRIORITY (5) of edu.umd.cs.findbugs.Priorities.
    private static final int PRIORITY_REPORT = 2;
    private static final int PRIORITY_IGNORE = 5;

    /**
     * Registers {@code append(String)} of every class in {@link #STRING_CONCAT_CLASS} as an
     * injection point and subscribes this detector as an additional taint-frame visitor.
     *
     * @param bugReporter reporter handed to the base detector
     */
    public XmlInjectionDetector(BugReporter bugReporter) {
        super(bugReporter);
        for (int idx = 0; idx < STRING_CONCAT_CLASS.length; idx++) {
            String owner = STRING_CONCAT_CLASS[idx];
            String appendSignature = owner + ".append(Ljava/lang/String;)L" + owner + ";";
            // Index 0 presumably designates the appended String argument (top of stack); confirm
            // against InjectionPoint's contract.
            addParsedInjectionPoint(appendSignature, new InjectionPoint(new int[]{0}, XML_INJECTION_TYPE));
        }
        registerVisitor(this);
    }

    /**
     * Decides whether an {@code append} call is worth reporting.
     *
     * <p>Overrides {@code AbstractInjectionDetector}. The finding is ignored when the value at
     * stack position 0 is safe or tagged {@code XSS_SAFE}, or when the value at stack position 1
     * does not carry {@code XML_VALUE}; otherwise it is reported at normal priority.
     *
     * <p>NOTE(review): treating {@code XSS_SAFE} as sufficient assumes that whatever produced the
     * tag also neutralises markup for the XML context; verify for each sanitizer that sets it.
     *
     * @param taintFrame taint state at the call site
     * @param i unused by this implementation
     * @return 5 to ignore the call, 2 to report it
     * @throws DataflowAnalysisException if a stack value cannot be read from the frame
     */
    @Override
    protected int getPriorityFromTaintFrame(TaintFrame taintFrame, int i) throws DataflowAnalysisException {
        Taint appended = taintFrame.getStackValue(0);
        if (appended.isSafe()) {
            return PRIORITY_IGNORE;
        }
        if (appended.hasTag(Taint.Tag.XSS_SAFE)) {
            return PRIORITY_IGNORE;
        }
        // Read lazily, after the cheaper checks, exactly as the short-circuit expression did.
        Taint target = taintFrame.getStackValue(1);
        if (!target.hasTag(Taint.Tag.XML_VALUE)) {
            return PRIORITY_IGNORE;
        }
        return PRIORITY_REPORT;
    }

    /**
     * Marks XML context: when a constant containing both {@code <} and {@code >} is appended to a
     * {@code StringBuilder}/{@code StringBuffer}, tags the appended taint and the value on top of
     * the frame's stack with {@code XML_VALUE}.
     *
     * <p>Overrides {@code TaintFrameAdditionalVisitor}. Non-constant values never set the tag, so
     * markup assembled only from dynamic pieces is not recognised as XML by this heuristic.
     *
     * @throws DataflowAnalysisException if the top stack value cannot be read from the frame
     */
    @Override
    public void visitInvoke(InvokeInstruction invokeInstruction, MethodGen methodGen, TaintFrame taintFrame, List<Taint> list, ConstantPoolGen constantPoolGen) throws DataflowAnalysisException {
        if (!STRINGBUILDER_APPEND.matches(invokeInstruction, constantPoolGen)) {
            return;
        }
        Taint appended = list.get(0);
        String literal = appended.getConstantValue();
        if (literal == null || !literal.contains("<") || !literal.contains(">")) {
            return;
        }
        appended.addTag(Taint.Tag.XML_VALUE);
        // Presumably the builder the constant was appended to; confirm whether the frame is
        // observed before or after the invoke is applied.
        taintFrame.getStackValue(0).addTag(Taint.Tag.XML_VALUE);
    }

    /** Intentionally empty: return instructions are not used by this detector. */
    @Override
    public void visitReturn(MethodGen methodGen, Taint taint, ConstantPoolGen constantPoolGen) throws Exception {
    }

    /** Intentionally empty: load instructions are not used by this detector. */
    @Override
    public void visitLoad(LoadInstruction loadInstruction, MethodGen methodGen, TaintFrame taintFrame, int i, ConstantPoolGen constantPoolGen) {
    }

    /** Intentionally empty: field instructions are not used by this detector. */
    @Override
    public void visitField(FieldInstruction fieldInstruction, MethodGen methodGen, TaintFrame taintFrame, Taint taint, int i, ConstantPoolGen constantPoolGen) throws Exception {
    }

    /**
     * Cheap pre-filter over the constant pool: a class is analysed only when it references one
     * of the {@link #STRING_CONCAT_CLASS} names and holds at least one UTF-8 constant containing
     * {@code <}.
     *
     * <p>Overrides {@code AbstractTaintDetector}.
     *
     * <p>NOTE(review): the constant pool also stores member names such as {@code <init>} as
     * UTF-8 entries, so the second condition likely holds for almost every class and filters
     * little in practice.
     *
     * @param classContext class about to be analysed
     * @return {@code true} when both conditions hold
     */
    @Override
    public boolean shouldAnalyzeClass(ClassContext classContext) {
        ConstantPoolGen pool = classContext.getConstantPoolGen();
        // Both scans are always performed, matching the original evaluation.
        boolean usesStringBuilder = referencesConcatClass(pool);
        boolean hasBracketConstant = hasOpeningBracketConstant(pool);
        return usesStringBuilder && hasBracketConstant;
    }

    /** Returns whether the pool holds a UTF-8 entry equal to one of the concat class names. */
    private static boolean referencesConcatClass(ConstantPoolGen pool) {
        for (String owner : STRING_CONCAT_CLASS) {
            if (pool.lookupUtf8(owner) != -1) {
                return true;
            }
        }
        return false;
    }

    /** Returns whether any UTF-8 entry of the pool contains the character {@code <}. */
    private static boolean hasOpeningBracketConstant(ConstantPoolGen pool) {
        for (int slot = 0; slot < pool.getSize(); slot++) {
            Constant entry = pool.getConstant(slot);
            if (entry instanceof ConstantUtf8 && ((ConstantUtf8) entry).getBytes().contains("<")) {
                return true;
            }
        }
        return false;
    }
}
