package com.day.cq.wcm.foundation.security.impl;

import com.day.cq.wcm.foundation.Chart;
import com.day.cq.wcm.foundation.List;
import com.day.cq.wcm.foundation.forms.attachments.AttachmentDataSource;
import com.day.cq.wcm.foundation.security.AttachmentTypeBlacklistService;
import com.day.cq.wcm.foundation.security.SaferSlingPostValidator;
import com.day.text.Text;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.request.RequestParameter;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

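/**
 * Allow-list based validator for Sling POST requests.
 * <p>
 * {@link #reject} walks every parameter name of a request and answers {@code true} as soon as
 * one parameter is not acceptable. Names on the configured parameter allow-list are accepted
 * without further inspection; every other name is checked for path traversal, for its
 * {@code @Modifier} suffix, for the values of {@code :operation},
 * {@code jcr:primaryType}/{@code jcr:mixinTypes} and
 * {@code sling:resourceType}/{@code sling:resourceSuperType}, for namespaced names covered by
 * neither the prefix allow-list nor the caller's patterns, for {@code :applyTo} targets outside
 * the request resource's subtree, and for file uploads rejected by the
 * {@link AttachmentTypeBlacklistService}.
 * <p>
 * All allow-lists are read from the component configuration in {@link #activate}.
 */
@Service(serviceFactory = true, value = {SaferSlingPostValidator.class})
@Component(label = "%security.saferslingpostvalidator.name", description = "%security.saferslingpostvalidator.description", metatype = true)
@Properties({@Property(name = "service.description", value = {"Safer Sling Post Validator"}, propertyPrivate = true)})
/* loaded from: input_file:com/day/cq/wcm/foundation/security/impl/SaferSlingPostValidatorImpl.class */
public class SaferSlingPostValidatorImpl implements SaferSlingPostValidator {
    private static final String OPERATION_PARAMETER = ":operation";
    private static final String APPLY_TO_PARAMETER = ":applyTo";
    private static final String TYPEHINT_SUFFIX = "@TypeHint";
    private static final String RESOURCETYPE_PARAMETER = "sling:resourceType";
    private static final String RESOURCESUPERTYPE_PARAMETER = "sling:resourceSuperType";
    private static final String JCR_PRIMARYTYPE = "jcr:primaryType";
    private static final String JCR_MIXINTYPES = "jcr:mixinTypes";
    private static final String BINARY = "Binary";

    @Property(value = {"jcr:description", Chart.PN_TITLE, "jcr:lastModified", JCR_PRIMARYTYPE, JCR_MIXINTYPES, "sling:resourceType", "sling:resourceSuperType", "cq:tags"}, label = "%security.saferslingpostvalidator.whitelist.name", description = "%security.saferslingpostvalidator.whitelist.description")
    private static final String PARAMETER_WHITELIST = "parameter.whitelist";

    @Property(value = {}, label = "%security.saferslingpostvalidator.prefix.name", description = "%security.saferslingpostvalidator.prefix.description", cardinality = Integer.MAX_VALUE)
    private static final String PARAMETER_WHITELIST_PREFIXES = "parameter.whitelist.prefixes";

    @Property(value = {}, label = "%security.saferslingpostvalidator.binary.name", description = "%security.saferslingpostvalidator.binary.description", cardinality = Integer.MAX_VALUE)
    private static final String BINARY_PARAMETER_WHITELIST = "binary.parameter.whitelist";

    @Property(value = {TYPEHINT_SUFFIX, "@DefaultValue", "@UseDefaultWhenMissing", "@IgnoreBlanks", "@ValueFrom", "@Delete", "@Patch"}, label = "%security.saferslingpostvalidator.modifier.name", description = "%security.saferslingpostvalidator.modifier.description")
    private static final String MODIFIER_WHITELIST = "modifier.whitelist";

    @Property(value = {"delete", "nop"}, label = "%security.saferslingpostvalidator.operation.name", description = "%security.saferslingpostvalidator.operation.description")
    private static final String OPERATION_WHITELIST = "operation.whitelist";

    @Property(value = {}, label = "%security.saferslingpostvalidator.operation.prefix.name", description = "%security.saferslingpostvalidator.operation.prefix.description", cardinality = Integer.MAX_VALUE)
    private static final String OPERATION_WHITELIST_PREFIXES = "operation.whitelist.prefixes";

    @Property(value = {"cq:CalendarEvent", "nt:unstructured", "nt:folder", "nt:file", "nt:resource", "sling:Folder", "sling:OrderedFolder", BINARY, "Boolean", "Date", "Double", "Long", "Name", "Path", "String", "String[]"}, label = "%security.saferslingpostvalidator.typehint.name", description = "%security.saferslingpostvalidator.typehint.description")
    private static final String TYPEHINT_WHITELIST = "typehint.whitelist";

    @Property(value = {}, label = "%security.saferslingpostvalidator.resourcetype.name", description = "%security.saferslingpostvalidator.resourcetype.description", cardinality = Integer.MAX_VALUE)
    private static final String RESOURCETYPE_WHITELIST = "resourcetype.whitelist";

    @Reference
    private AttachmentTypeBlacklistService attachmentTypeBlacklist;
    protected final Logger logger = LoggerFactory.getLogger(getClass());

    // Parameter names accepted verbatim, without any further inspection.
    private Set<String> parameterWhiteList = new HashSet<String>();
    // Prefixes that exempt a namespaced ("a:b") property name from the pattern rule.
    private Set<String> parameterWhiteListPrefixes = new HashSet<String>();
    // Property names that may carry a Binary @TypeHint.
    private Set<String> binaryParameterWhiteList = new HashSet<String>();
    // Accepted "@Modifier" suffixes (including the leading '@').
    private Set<String> modifierWhiteList = new HashSet<String>();
    // Accepted :operation values, exact and by prefix.
    private Set<String> operationWhiteList = new HashSet<String>();
    private Set<String> operationWhiteListPrefixes = new HashSet<String>();
    // Accepted @TypeHint values; also used for jcr:primaryType / jcr:mixinTypes values.
    private Set<String> typeHintWhiteList = new HashSet<String>();
    // Accepted sling:resourceType / sling:resourceSuperType values.
    private Set<String> resourceTypeWhiteList = new HashSet<String>();

    /**
     * Reads the allow-lists from the component configuration.
     * <p>
     * Each set is replaced only when the configuration carries a value for its key; otherwise
     * the previous (initially empty) set is kept.
     *
     * @param componentContext the SCR component context carrying the configuration properties
     */
    @Activate
    protected void activate(ComponentContext componentContext) {
        this.parameterWhiteList = readStringSet(componentContext, PARAMETER_WHITELIST, this.parameterWhiteList);
        this.parameterWhiteListPrefixes = readStringSet(componentContext, PARAMETER_WHITELIST_PREFIXES, this.parameterWhiteListPrefixes);
        this.binaryParameterWhiteList = readStringSet(componentContext, BINARY_PARAMETER_WHITELIST, this.binaryParameterWhiteList);
        this.modifierWhiteList = readStringSet(componentContext, MODIFIER_WHITELIST, this.modifierWhiteList);
        this.operationWhiteList = readStringSet(componentContext, OPERATION_WHITELIST, this.operationWhiteList);
        this.operationWhiteListPrefixes = readStringSet(componentContext, OPERATION_WHITELIST_PREFIXES, this.operationWhiteListPrefixes);
        this.typeHintWhiteList = readStringSet(componentContext, TYPEHINT_WHITELIST, this.typeHintWhiteList);
        this.resourceTypeWhiteList = readStringSet(componentContext, RESOURCETYPE_WHITELIST, this.resourceTypeWhiteList);
    }

    /**
     * Reads one multi-valued configuration property as a set of strings.
     *
     * @param componentContext the component context holding the properties
     * @param key              the property key
     * @param fallback         returned when the property is absent or of an unexpected type
     * @return a fresh set built from a {@code String[]} value, a one-element set for a single
     *         {@code String} value (a scalar is what some configurations deliver for a
     *         single entry), or {@code fallback}
     */
    private static Set<String> readStringSet(ComponentContext componentContext, String key, Set<String> fallback) {
        Object value = componentContext.getProperties().get(key);
        if (value instanceof String[]) {
            return new HashSet<String>(Arrays.asList((String[]) value));
        }
        if (value instanceof String) {
            Set<String> single = new HashSet<String>();
            single.add((String) value);
            return single;
        }
        return fallback;
    }

    /**
     * Validates all parameter names (and, where relevant, values) of a POST request.
     *
     * @param slingHttpServletRequest the request whose parameters are inspected
     * @param strArr                  optional regular expressions applied to namespaced property
     *                                names ({@code a:b}, not starting with {@code :}) that are on
     *                                neither the parameter allow-list nor a configured prefix;
     *                                such a name is accepted only if it matches one of them. When
     *                                no pattern is passed this rule is skipped entirely and such
     *                                names are accepted, so callers that want the rule must pass
     *                                patterns.
     * @return {@code true} if the request must be rejected, {@code false} if every parameter passed
     */
    @Override // com.day.cq.wcm.foundation.security.SaferSlingPostValidator
    public boolean reject(SlingHttpServletRequest slingHttpServletRequest, String... strArr) {
        Enumeration<?> parameterNames = slingHttpServletRequest.getParameterNames();
        while (parameterNames.hasMoreElements()) {
            Object nameObject = parameterNames.nextElement();
            if (!(nameObject instanceof String)) {
                // fail closed on anything that is not a plain string name
                return true;
            }
            String fullName = (String) nameObject;
            if (this.parameterWhiteList.contains(fullName)) {
                continue;
            }
            if (isPathEscaping(fullName)) {
                return true;
            }
            // Split "<path>/<property>@<Modifier>" into property name and modifier.
            String leaf = leafName(fullName);
            int atIndex = leaf.lastIndexOf('@');
            String propertyName;
            if (atIndex >= 0) {
                String modifier = leaf.substring(atIndex);
                propertyName = leaf.substring(0, atIndex);
                if (checkModifier(slingHttpServletRequest, propertyName, fullName, modifier)) {
                    return true;
                }
            } else {
                propertyName = leaf;
            }
            if (OPERATION_PARAMETER.equals(propertyName) && checkOperation(slingHttpServletRequest, fullName)) {
                return true;
            }
            if ((JCR_PRIMARYTYPE.equals(propertyName) || JCR_MIXINTYPES.equals(propertyName))
                    && checkJCRTypes(slingHttpServletRequest, fullName)) {
                return true;
            }
            if ((RESOURCETYPE_PARAMETER.equals(propertyName) || RESOURCESUPERTYPE_PARAMETER.equals(propertyName))
                    && checkResourceTypes(slingHttpServletRequest, fullName)) {
                return true;
            }
            // Namespaced property names (e.g. "cq:foo") must be allow-listed, prefix-allowed,
            // or match one of the caller's patterns. Names starting with ':' are Sling control
            // parameters and are handled by the dedicated checks above.
            if (propertyName.contains(":") && !propertyName.startsWith(":")
                    && !this.parameterWhiteList.contains(propertyName)
                    && !startsWithAny(propertyName, this.parameterWhiteListPrefixes)
                    && checkParameterPatterns(propertyName, strArr)) {
                return true;
            }
            if (APPLY_TO_PARAMETER.equals(propertyName) && validateApplyTo(slingHttpServletRequest)) {
                return true;
            }
            // Look the uploads up under the full parameter name, as every other value check
            // does; a leaf-only lookup would miss uploads sent under a relative path such as
            // "./file", because the request keys parameters by their complete name.
            if (validateUploads(slingHttpServletRequest, fullName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether a parameter name could address something outside the request resource:
     * absolute paths and any {@code ..} segment are refused (Sling resolves relative parameter
     * names against the request resource).
     *
     * @param name the full parameter name
     * @return {@code true} if the name must be rejected
     */
    private static boolean isPathEscaping(String name) {
        return name.startsWith("/")
                || "..".equals(name)
                || name.startsWith("../")
                || name.endsWith("/..")
                || name.contains("/../");
    }

    /**
     * Tells whether {@code value} starts with any of the given prefixes.
     * An empty prefix matches every value.
     */
    private static boolean startsWithAny(String value, Set<String> prefixes) {
        for (String prefix : prefixes) {
            if (value.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Applies the caller-supplied patterns to a namespaced property name.
     * <p>
     * A syntactically invalid pattern is logged and skipped rather than aborting the request
     * with an exception; it therefore never grants access.
     *
     * @param propertyName the property name to test
     * @param strArr       the patterns; {@code null} or empty disables the rule
     * @return {@code true} if the name must be rejected (patterns given, none matched),
     *         {@code false} if it matched a pattern or no patterns were given
     */
    private boolean checkParameterPatterns(String propertyName, String... strArr) {
        if (strArr == null || strArr.length == 0) {
            return false;
        }
        for (String pattern : strArr) {
            if (pattern == null) {
                continue;
            }
            try {
                if (Pattern.compile(pattern).matcher(propertyName).matches()) {
                    return false;
                }
            } catch (PatternSyntaxException e) {
                this.logger.warn("invalid pattern [{}] provided to SaferSlingPostValidator: ", pattern, e);
            }
        }
        return true;
    }

    /**
     * Returns the part of a parameter name after its last {@code '/'}, or the whole name.
     */
    private String leafName(String name) {
        int slashIndex = name.lastIndexOf('/');
        return slashIndex >= 0 ? name.substring(slashIndex + 1) : name;
    }

    /**
     * Checks a {@code sling:resourceType} / {@code sling:resourceSuperType} value.
     *
     * @return {@code true} (reject) when the parameter has no value, more than one value, or a
     *         value that is not on the resource type allow-list
     */
    private boolean checkResourceTypes(SlingHttpServletRequest request, String fullName) {
        String[] values = request.getParameterValues(fullName);
        return values == null || values.length > 1 || !this.resourceTypeWhiteList.contains(values[0]);
    }

    /**
     * Checks {@code jcr:primaryType} / {@code jcr:mixinTypes} values against the type hint
     * allow-list (which carries the node type names).
     *
     * @return {@code true} (reject) if any value is not allow-listed; a missing value passes
     */
    private boolean checkJCRTypes(SlingHttpServletRequest request, String fullName) {
        String[] values = request.getParameterValues(fullName);
        if (values == null) {
            return false;
        }
        for (String nodeType : values) {
            if (!this.typeHintWhiteList.contains(nodeType)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks the {@code :operation} value.
     *
     * @return {@code true} (reject) for multiple values or a value that is neither
     *         {@code List.DEFAULT_QUERY} nor allow-listed exactly or by prefix; a missing value passes
     */
    private boolean checkOperation(SlingHttpServletRequest request, String fullName) {
        String[] values = request.getParameterValues(fullName);
        if (values == null) {
            return false;
        }
        if (values.length > 1) {
            return true;
        }
        String operation = values[0];
        // NOTE(review): List here is com.day.cq.wcm.foundation.List; the decompiler resolved a
        // string literal to List.DEFAULT_QUERY — confirm its value before relying on it.
        if (List.DEFAULT_QUERY.equals(operation) || this.operationWhiteList.contains(operation)) {
            return false;
        }
        return !startsWithAny(operation, this.operationWhiteListPrefixes);
    }

    /**
     * Checks an {@code @Modifier} suffix.
     *
     * @param propertyName the property name without the modifier
     * @param fullName     the complete parameter name, used to read the parameter's values
     * @param modifier     the suffix including the leading {@code '@'}
     * @return {@code true} (reject) if the modifier is not allow-listed, or it is
     *         {@code @TypeHint} and {@link #checkTypeHint} rejects its value
     */
    private boolean checkModifier(SlingHttpServletRequest request, String propertyName, String fullName, String modifier) {
        boolean allowed = List.DEFAULT_QUERY.equals(modifier) || this.modifierWhiteList.contains(modifier);
        if (!allowed) {
            return true;
        }
        return checkTypeHint(request, propertyName, fullName, modifier);
    }

    /**
     * Checks the value of a {@code @TypeHint} parameter.
     *
     * @return {@code true} (reject) for multiple values, a value not on the type hint allow-list,
     *         or a {@code Binary} hint on a property name containing {@code List.SEARCH_PROPERTY}
     *         that is not on the binary parameter allow-list; non-TypeHint modifiers and missing
     *         values pass
     */
    private boolean checkTypeHint(SlingHttpServletRequest request, String propertyName, String fullName, String modifier) {
        if (!TYPEHINT_SUFFIX.equals(modifier)) {
            return false;
        }
        String[] values = request.getParameterValues(fullName);
        if (values == null) {
            return false;
        }
        if (values.length > 1) {
            return true;
        }
        String hint = values[0];
        if (!(List.DEFAULT_QUERY.equals(hint) || this.typeHintWhiteList.contains(hint))) {
            return true;
        }
        // NOTE(review): List.SEARCH_PROPERTY is a decompiler-resolved constant from
        // com.day.cq.wcm.foundation.List; its literal value is not visible here.
        return BINARY.equals(hint)
                && propertyName.contains(List.SEARCH_PROPERTY)
                && !this.binaryParameterWhiteList.contains(propertyName);
    }

    /**
     * Checks every {@code :applyTo} target against the request resource's subtree.
     *
     * @return {@code true} (reject) if any non-null target lies outside the resource or deeper
     *         than the {@code POST_DEPTH_ATTRIBUTE} request attribute allows
     */
    private boolean validateApplyTo(SlingHttpServletRequest request) {
        String[] targets = request.getParameterValues(APPLY_TO_PARAMETER);
        if (targets == null || targets.length == 0) {
            return false;
        }
        Object depthAttribute = request.getAttribute(SaferSlingPostValidator.POST_DEPTH_ATTRIBUTE);
        // a missing or malformed depth attribute falls back to 0, the strictest setting
        int maxDepth = depthAttribute instanceof Integer ? ((Integer) depthAttribute).intValue() : 0;
        String resourcePath = request.getResource().getPath();
        for (String target : targets) {
            if (target != null && validateApplyToPath(target, resourcePath, maxDepth)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks one {@code :applyTo} target path.
     *
     * @param applyTo      the target as sent by the client
     * @param resourcePath the path of the request resource
     * @param maxDepth     maximum number of path segments the target may lie below the resource
     * @return {@code true} (reject) if the canonical target is not the resource itself or a
     *         descendant within {@code maxDepth} segments
     */
    private boolean validateApplyToPath(String applyTo, String resourcePath, int maxDepth) {
        String canonical = Text.makeCanonicalPath(applyTo);
        if (!canonical.startsWith(resourcePath)) {
            return true;
        }
        String remainder = canonical.substring(resourcePath.length());
        if (remainder.isEmpty()) {
            return false;
        }
        if (remainder.charAt(0) == '/') {
            remainder = remainder.substring(1);
        } else if (!resourcePath.endsWith("/")) {
            // The prefix matched inside a segment (e.g. "/a/bc" against "/a/b"): that is a
            // sibling, not a descendant, so a plain startsWith must not accept it.
            return true;
        }
        return !remainder.isEmpty() && remainder.split("/").length > maxDepth;
    }

    /**
     * Runs every uploaded file sent under {@code fullName} through the attachment blacklist.
     *
     * @return {@code true} (reject) if the blacklist service rejects any non-form-field part
     */
    private boolean validateUploads(SlingHttpServletRequest request, String fullName) {
        RequestParameter[] parts = request.getRequestParameters(fullName);
        if (parts == null) {
            return false;
        }
        for (RequestParameter part : parts) {
            if (part.isFormField()) {
                continue;
            }
            if (this.attachmentTypeBlacklist.reject(new AttachmentDataSource(part))) {
                return true;
            }
        }
        return false;
    }

    /** SCR bind method for the attachment blacklist reference. */
    protected void bindAttachmentTypeBlacklist(AttachmentTypeBlacklistService attachmentTypeBlacklistService) {
        this.attachmentTypeBlacklist = attachmentTypeBlacklistService;
    }

    /** SCR unbind method; clears the reference only if it is the bound instance. */
    protected void unbindAttachmentTypeBlacklist(AttachmentTypeBlacklistService attachmentTypeBlacklistService) {
        if (this.attachmentTypeBlacklist == attachmentTypeBlacklistService) {
            this.attachmentTypeBlacklist = null;
        }
    }
}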
