package io.codemodder.codemods;

import com.contrastsecurity.sarif.Result;
import com.github.javaparser.StaticJavaParser;
import com.github.javaparser.ast.CompilationUnit;
import com.github.javaparser.ast.NodeList;
import com.github.javaparser.ast.body.VariableDeclarator;
import com.github.javaparser.ast.expr.BooleanLiteralExpr;
import com.github.javaparser.ast.expr.Expression;
import com.github.javaparser.ast.expr.MethodCallExpr;
import com.github.javaparser.ast.expr.NameExpr;
import com.github.javaparser.ast.expr.ObjectCreationExpr;
import com.github.javaparser.ast.expr.VariableDeclarationExpr;
import com.github.javaparser.ast.stmt.BlockStmt;
import com.github.javaparser.ast.stmt.ExpressionStmt;
import com.github.javaparser.ast.stmt.ForEachStmt;
import com.github.javaparser.ast.stmt.Statement;
import com.github.javaparser.ast.type.ClassOrInterfaceType;
import io.codemodder.Codemod;
import io.codemodder.CodemodExecutionPriority;
import io.codemodder.CodemodInvocationContext;
import io.codemodder.DependencyGAV;
import io.codemodder.Importance;
import io.codemodder.ReviewGuidance;
import io.codemodder.RuleSarif;
import io.codemodder.SarifPluginJavaParserChanger;
import io.codemodder.SourceCodeRegionExtractor;
import io.codemodder.ast.ASTTransforms;
import io.codemodder.ast.ASTs;
import io.codemodder.providers.sarif.codeql.ProvidedCodeQLScan;
import io.github.pixee.security.UnwantedTypes;
import java.util.List;
import java.util.Optional;
import javax.inject.Inject;

@Codemod(id = "codeql:java/jexl-expression-injection", reviewGuidance = ReviewGuidance.MERGE_WITHOUT_REVIEW, importance = Importance.MEDIUM, executionPriority = CodemodExecutionPriority.HIGH)
/* loaded from: input_file:io/codemodder/codemods/JEXLInjectionCodemod.class */
public final class JEXLInjectionCodemod extends SarifPluginJavaParserChanger<Expression> {
    @Inject
    public JEXLInjectionCodemod(@ProvidedCodeQLScan(ruleId = "java/jexl-expression-injection") RuleSarif ruleSarif) {
        super(ruleSarif, Expression.class, SourceCodeRegionExtractor.FROM_SARIF_FIRST_LOCATION);
    }

    public boolean onResultFound(CodemodInvocationContext codemodInvocationContext, CompilationUnit compilationUnit, Expression expression, Result result) {
        return checkAndFix(expression).isPresent();
    }

    public List<DependencyGAV> dependenciesRequired() {
        return List.of(DependencyGAV.JAVA_SECURITY_TOOLKIT);
    }

    static Optional<Integer> checkAndFix(Expression expression) {
        return isFixable(expression).flatMap(JEXLInjectionCodemod::tryToFix);
    }

    static Optional<MethodCallExpr> isFixable(Expression expression) {
        return findJEXLCreateExpression(expression).flatMap(JEXLInjectionCodemod::findJEXLBuilderCreate);
    }

    static Optional<Integer> tryToFix(MethodCallExpr methodCallExpr) {
        CompilationUnit compilationUnit = (CompilationUnit) methodCallExpr.findCompilationUnit().get();
        Optional findParentStatementFrom = ASTs.findParentStatementFrom(methodCallExpr);
        if (findParentStatementFrom.isEmpty()) {
            return Optional.empty();
        }
        ClassOrInterfaceType parseClassOrInterfaceType = StaticJavaParser.parseClassOrInterfaceType("JexlSandbox");
        ExpressionStmt expressionStmt = new ExpressionStmt(new VariableDeclarationExpr(new VariableDeclarator(parseClassOrInterfaceType, "sandbox", new ObjectCreationExpr((Expression) null, parseClassOrInterfaceType, new NodeList(new Expression[]{new BooleanLiteralExpr(true)})))));
        ForEachStmt forEachStmt = new ForEachStmt(new VariableDeclarationExpr(new VariableDeclarator(StaticJavaParser.parseType("String"), "cls")), new MethodCallExpr(new NameExpr(UnwantedTypes.class.getSimpleName()), "dangerousClassNameTokens"), new BlockStmt(new NodeList(new Statement[]{new ExpressionStmt(new MethodCallExpr(new NameExpr("sandbox"), "block", new NodeList(new Expression[]{new NameExpr("cls")})))})));
        Statement statement = (Statement) findParentStatementFrom.get();
        ASTTransforms.addStatementBeforeStatement(statement, expressionStmt);
        ASTTransforms.addStatementBeforeStatement(statement, forEachStmt);
        MethodCallExpr methodCallExpr2 = new MethodCallExpr(new MethodCallExpr((Expression) methodCallExpr.getScope().get(), "sandbox", new NodeList(new Expression[]{new NameExpr("sandbox")})), "create");
        ASTTransforms.addImportIfMissing(compilationUnit, UnwantedTypes.class.getName());
        ASTTransforms.addImportIfMissing(compilationUnit, "org.apache.commons.jexl3.introspection.JexlSandbox");
        methodCallExpr.replace(methodCallExpr2);
        return methodCallExpr.getBegin().map(position -> {
            return Integer.valueOf(position.line);
        });
    }

    private static Optional<MethodCallExpr> findJEXLCreateExpression(Expression expression) {
        return ((expression instanceof MethodCallExpr) && expression.asMethodCallExpr().getNameAsString().equals("createExpression")) ? Optional.of(expression.asMethodCallExpr()) : expression instanceof NameExpr ? ASTs.findEarliestLocalVariableDeclarationOf(expression.asNameExpr(), expression.asNameExpr().getNameAsString()).filter(ASTs::isFinalOrNeverAssigned).flatMap(localVariableDeclaration -> {
            return localVariableDeclaration.getVariableDeclarator().getInitializer();
        }).map(expression2 -> {
            if (expression2.isMethodCallExpr()) {
                return expression2.asMethodCallExpr();
            }
            return null;
        }).filter(methodCallExpr -> {
            return methodCallExpr.getNameAsString().equals("createExpression");
        }) : Optional.empty();
    }

    private static Optional<MethodCallExpr> findJEXLBuilderCreate(MethodCallExpr methodCallExpr) {
        Expression expression = (Expression) methodCallExpr.getScope().get();
        return ((expression instanceof MethodCallExpr) && expression.asMethodCallExpr().getNameAsString().equals("create")) ? Optional.of(expression.asMethodCallExpr()) : expression instanceof NameExpr ? ASTs.findEarliestLocalVariableDeclarationOf(expression.asNameExpr(), expression.asNameExpr().getNameAsString()).filter(ASTs::isFinalOrNeverAssigned).flatMap(localVariableDeclaration -> {
            return localVariableDeclaration.getVariableDeclarator().getInitializer();
        }).map(expression2 -> {
            if (expression2.isMethodCallExpr()) {
                return expression2.asMethodCallExpr();
            }
            return null;
        }).filter(methodCallExpr2 -> {
            return methodCallExpr2.getNameAsString().equals("create");
        }) : Optional.empty();
    }
}
