package com.h3xstream.findsecbugs.taintanalysis.extra;

import com.h3xstream.findsecbugs.FindSecBugsGlobalConfig;
import com.h3xstream.findsecbugs.common.matcher.InstructionDSL;
import com.h3xstream.findsecbugs.common.matcher.InvokeMatcherBuilder;
import com.h3xstream.findsecbugs.injection.BasicInjectionDetector;
import com.h3xstream.findsecbugs.taintanalysis.Taint;
import com.h3xstream.findsecbugs.taintanalysis.TaintFrame;
import com.h3xstream.findsecbugs.taintanalysis.TaintFrameAdditionalVisitor;
import edu.umd.cs.findbugs.BugReporter;
import edu.umd.cs.findbugs.ba.DataflowAnalysisException;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import org.apache.bcel.generic.ConstantPoolGen;
import org.apache.bcel.generic.FieldInstruction;
import org.apache.bcel.generic.InvokeInstruction;
import org.apache.bcel.generic.LoadInstruction;
import org.apache.bcel.generic.MethodGen;

/* loaded from: input_file:findsecbugs-plugin.jar:com/h3xstream/findsecbugs/taintanalysis/extra/JstlExpressionWhiteLister.class */
public class JstlExpressionWhiteLister extends BasicInjectionDetector implements TaintFrameAdditionalVisitor {
    private static final String SYSTEM_PROPERTY = "findsecbugs.jstlsafe.customregexfile";
    private static final String CONTEXT_PATH_PATTERN = "${pageContext.request.contextPath}";
    private final List<Pattern> safePatterns;
    private static final Pattern TAG_FOR_HTML_CONTENT_PATTERN = Pattern.compile("\\$\\{e:forHtmlContent\\([a-zA-Z0-9\\._]+\\)\\}");
    private static final Pattern TAG_TO_SAFE_JSON_PATTERN = Pattern.compile("^\\$\\{\\s*[a-zA-Z]+:toSafeJSON\\([a-zA-Z0-9\\-#,\\'\\\"\\&\\[\\]@\\\\ \\._\\(\\):]+\\)\\s*\\}$");
    private static final Pattern TAG_SAFE_QUOTE_PATTERN = Pattern.compile("^\\$\\{\\s*[a-zA-Z]+:safeQuote\\([a-zA-Z0-9\\-#,\\'\\\"\\&\\[\\]@\\\\ \\._\\(\\):]+\\)\\s*\\}$");
    private static final InvokeMatcherBuilder PROPRIETARY_EVALUATE = InstructionDSL.invokeInstruction().atClass("org/apache/jasper/runtime/PageContextImpl").atMethod("proprietaryEvaluate").withArgs("(Ljava/lang/String;Ljava/lang/Class;Ljavax/servlet/jsp/PageContext;Lorg/apache/jasper/runtime/ProtectedFunctionMapper;)Ljava/lang/Object;");

    public JstlExpressionWhiteLister(BugReporter bugReporter) {
        super(bugReporter);
        this.safePatterns = getCustomPatterns();
        registerVisitor(this);
    }

    @Override // com.h3xstream.findsecbugs.taintanalysis.TaintFrameAdditionalVisitor
    public void visitInvoke(InvokeInstruction invokeInstruction, MethodGen methodGen, TaintFrame taintFrame, List<Taint> list, ConstantPoolGen constantPoolGen) throws DataflowAnalysisException {
        if (PROPRIETARY_EVALUATE.matches(invokeInstruction, constantPoolGen)) {
            Taint taint = list.get(3);
            if (taint.getConstantValue() != null) {
                String constantValue = taint.getConstantValue();
                if (TAG_FOR_HTML_CONTENT_PATTERN.matcher(constantValue).find() || TAG_TO_SAFE_JSON_PATTERN.matcher(constantValue).find() || TAG_SAFE_QUOTE_PATTERN.matcher(constantValue).find() || CONTEXT_PATH_PATTERN.equals(constantValue)) {
                    taintFrame.getTopValue().addTag(Taint.Tag.XSS_SAFE);
                    return;
                }
                Iterator<Pattern> it = this.safePatterns.iterator();
                while (it.hasNext()) {
                    if (it.next().matcher(constantValue).find()) {
                        taintFrame.getTopValue().addTag(Taint.Tag.XSS_SAFE);
                    }
                }
            }
        }
    }

    @Override // com.h3xstream.findsecbugs.taintanalysis.TaintFrameAdditionalVisitor
    public void visitLoad(LoadInstruction loadInstruction, MethodGen methodGen, TaintFrame taintFrame, int i, ConstantPoolGen constantPoolGen) {
    }

    @Override // com.h3xstream.findsecbugs.taintanalysis.TaintFrameAdditionalVisitor
    public void visitField(FieldInstruction fieldInstruction, MethodGen methodGen, TaintFrame taintFrame, Taint taint, int i, ConstantPoolGen constantPoolGen) throws Exception {
    }

    @Override // com.h3xstream.findsecbugs.taintanalysis.TaintFrameAdditionalVisitor
    public void visitReturn(MethodGen methodGen, Taint taint, ConstantPoolGen constantPoolGen) throws Exception {
    }

    private static List<Pattern> getCustomPatterns() {
        ArrayList arrayList = new ArrayList();
        String loadFromSystem = FindSecBugsGlobalConfig.getInstance().loadFromSystem(SYSTEM_PROPERTY, "");
        if (!loadFromSystem.trim().equals("")) {
            for (String str : loadFromSystem.split(File.pathSeparator)) {
                arrayList.addAll(customPatternsFromFile(str));
            }
        }
        return arrayList;
    }

    private static List<Pattern> customPatternsFromFile(String str) {
        File file = new File(str);
        try {
            InputStream fileInputStream = file.exists() ? new FileInputStream(file) : JstlExpressionWhiteLister.class.getClassLoader().getResourceAsStream(str);
            try {
                if (fileInputStream == null) {
                    throw new IllegalArgumentException(String.format("Could not add custom patterns. Neither file %s nor resource matching %s found.", file.getAbsolutePath(), str));
                }
                List<Pattern> patternsFromStream = patternsFromStream(fileInputStream);
                if (fileInputStream != null) {
                    fileInputStream.close();
                }
                return patternsFromStream;
            } finally {
            }
        } catch (IOException e) {
            throw new RuntimeException("Cannot load custom safe regex patterns from " + str, e);
        }
    }

    private static List<Pattern> patternsFromStream(InputStream inputStream) throws IOException {
        ArrayList arrayList = new ArrayList();
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.UTF_8));
        while (true) {
            try {
                String readLine = bufferedReader.readLine();
                if (readLine == null) {
                    bufferedReader.close();
                    return arrayList;
                }
                if (!"".equals(readLine.trim())) {
                    arrayList.add(Pattern.compile(readLine));
                }
            } catch (Throwable th) {
                try {
                    bufferedReader.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        }
    }
}
