package com.odianyun.project.support.config.http;

import com.google.common.base.Splitter;
import com.google.common.collect.Lists;
import com.odianyun.db.mybatis.BaseSQLBuilder;
import com.odianyun.project.util.WebUtils;
import com.odianyun.util.io.IOUtils;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ReadListener;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.owasp.esapi.ESAPI;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.MediaType;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.Assert;
import org.springframework.util.MimeType;
import org.springframework.util.PathMatcher;
import org.springframework.util.StringUtils;

/* loaded from: input_file:BOOT-INF/lib/ody-project-support-0.0.22-jzt.jar:com/odianyun/project/support/config/http/XssWebFilter.class */
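/**
 * Servlet filter that strips a blacklist of script-like constructs from the parameters, the
 * headers and - for AJAX requests and bodies whose media type is listed in
 * {@code filterBodyMimeTypes} - the body of every request whose URI passes the include/exclude
 * Ant patterns. Requests that do not match are handed to the chain untouched.
 *
 * <p>Init parameters (all optional):
 * <ul>
 *   <li>{@code includeUris} - comma-separated Ant patterns; empty means every URI is a candidate</li>
 *   <li>{@code defaultExcludeUris}, {@code excludeUris} - comma-separated Ant patterns; an
 *       exclude match wins over any include match</li>
 *   <li>{@code skipHeader} - {@code true} leaves header values untouched</li>
 *   <li>{@code filterBodyMimeTypes} - media types whose bodies are rewritten; defaults to
 *       JSON, XML and form-urlencoded</li>
 * </ul>
 *
 * <p>The rewriting is a regex blacklist (see {@link XssHttpServletRequestWrapper#cleanXSS}). It
 * removes the obvious patterns but is not a substitute for context-aware output encoding in the
 * views that render the data.
 */
public class XssWebFilter implements Filter {
    private static final Logger logger = LoggerFactory.getLogger(XssWebFilter.class);
    private final PathMatcher pathMatcher = new AntPathMatcher();
    private List<String> includeUris = Collections.emptyList();
    private List<String> defaultExcludeUris = Collections.emptyList();
    private List<String> excludeUris = Collections.emptyList();
    private List<? extends MimeType> filterBodyMimeTypes = Lists.newArrayList(MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML, MediaType.APPLICATION_FORM_URLENCODED);
    private boolean skipHeader;

    /**
     * {@link ServletInputStream} backed by an arbitrary {@link InputStream}; used to hand the
     * sanitised body back to the container as if it were the original request stream.
     *
     * <p>Blocking reads only: {@link #isReady()} is always {@code true} and
     * {@link #setReadListener(ReadListener)} is unsupported.
     */
    public static class DelegatingServletInputStream extends ServletInputStream {
        private final InputStream sourceStream;
        // Flipped the first time the source reports end-of-stream.
        private boolean finished = false;

        /**
         * @param inputStream the stream to delegate to
         * @throws IllegalArgumentException if {@code inputStream} is {@code null}
         */
        public DelegatingServletInputStream(InputStream inputStream) {
            Assert.notNull(inputStream, "Source InputStream must not be null");
            this.sourceStream = inputStream;
        }

        /** @return the wrapped stream */
        public final InputStream getSourceStream() {
            return this.sourceStream;
        }

        @Override // java.io.InputStream
        public int read() throws IOException {
            int value = this.sourceStream.read();
            if (value == -1) {
                this.finished = true;
            }
            return value;
        }

        /**
         * Bulk read delegated directly to the source instead of the byte-at-a-time default
         * inherited from {@link InputStream}; end-of-stream is tracked the same way as in
         * {@link #read()}.
         */
        @Override // java.io.InputStream
        public int read(byte[] buffer, int offset, int length) throws IOException {
            int count = this.sourceStream.read(buffer, offset, length);
            if (count == -1) {
                this.finished = true;
            }
            return count;
        }

        @Override // java.io.InputStream
        public int available() throws IOException {
            return this.sourceStream.available();
        }

        @Override // java.io.InputStream, java.io.Closeable, java.lang.AutoCloseable
        public void close() throws IOException {
            super.close();
            this.sourceStream.close();
        }

        @Override // javax.servlet.ServletInputStream
        public boolean isFinished() {
            return this.finished;
        }

        @Override // javax.servlet.ServletInputStream
        public boolean isReady() {
            return true;
        }

        /** Non-blocking IO is not supported by this wrapper. */
        @Override // javax.servlet.ServletInputStream
        public void setReadListener(ReadListener readListener) {
            throw new UnsupportedOperationException();
        }
    }

    /**
     * Request wrapper that applies {@link #cleanXSS} to parameter values (single, array and map
     * views), header values (unless {@code skipHeader}) and, unless {@code skipBody}, to the body
     * returned by {@link #getInputStream()} / {@link #getReader()}.
     */
    static class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
        private final boolean skipBody;
        private final boolean skipHeader;
        private static final Pattern SCRIPT = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
        private static final Pattern SRC = Pattern.compile("src[\r\n]*=[\r\n]*\\'(.*?)\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        private static final Pattern CLOSE_SCRIPT = Pattern.compile(BaseSQLBuilder.SCRIPT_SUFFIX, Pattern.CASE_INSENSITIVE);
        private static final Pattern BEGIN_SCRIPT = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        private static final Pattern EVAL = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        private static final Pattern EXPRESSION = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        private static final Pattern JAVASCRIPT = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
        private static final Pattern VBSCRIPT = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
        private static final Pattern ONLOAD = Pattern.compile("onload([\r\n\\w]*)=", Pattern.CASE_INSENSITIVE);
        private static final Pattern ONEVENT = Pattern.compile("on([\r\n\\w]*)=", Pattern.CASE_INSENSITIVE);
        // Applied in this exact order, each pattern once, every match replaced by "". Note that
        // ONEVENT also strips benign text such as "reason=" - this is the original behaviour.
        private static final Pattern[] BLACKLIST = {
            SCRIPT, SRC, CLOSE_SCRIPT, BEGIN_SCRIPT, EVAL, EXPRESSION, JAVASCRIPT, VBSCRIPT, ONLOAD, ONEVENT
        };

        /**
         * @param httpServletRequest the request to wrap
         * @param z                  {@code true} to leave the body untouched
         * @param z2                 {@code true} to leave header values untouched
         */
        public XssHttpServletRequestWrapper(HttpServletRequest httpServletRequest, boolean z, boolean z2) {
            super(httpServletRequest);
            this.skipBody = z;
            this.skipHeader = z2;
        }

        /**
         * Charset used to decode and re-encode the body. Falls back to ISO-8859-1 when the request
         * declares none: that is the Servlet default and it round-trips every byte, so an
         * undeclared body is rewritten without loss. A declared but unsupported charset still
         * propagates as an {@link IllegalArgumentException}, as it would from the container.
         */
        private Charset resolveCharset() {
            String encoding = getRequest().getCharacterEncoding();
            if (!StringUtils.hasText(encoding)) {
                return StandardCharsets.ISO_8859_1;
            }
            return Charset.forName(encoding);
        }

        /**
         * Reads the whole body, strips the blacklist and returns the result as a fresh stream.
         * Like the container's own stream it can only be consumed once: every call re-reads
         * the underlying request stream.
         */
        @Override // javax.servlet.ServletRequestWrapper, javax.servlet.ServletRequest
        public ServletInputStream getInputStream() throws IOException {
            ServletInputStream inputStream = super.getInputStream();
            if (this.skipBody) {
                return inputStream;
            }
            Charset charset = resolveCharset();
            String content = IOUtils.getContent(inputStream, charset);
            if (XssWebFilter.logger.isDebugEnabled()) {
                // This echoes the complete raw body (which may carry credentials or tokens) into
                // the log; keep DEBUG for this logger disabled outside development.
                XssWebFilter.logger.debug("Before handle: {}", content);
            }
            String cleaned = cleanXSS(content, false);
            if (XssWebFilter.logger.isDebugEnabled()) {
                XssWebFilter.logger.debug("After handle: {}", cleaned);
            }
            return new DelegatingServletInputStream(new ByteArrayInputStream(cleaned.getBytes(charset)));
        }

        /**
         * Reader over the sanitised body, decoded with the same charset the body was re-encoded
         * with (previously the platform default was used here, which corrupts non-ASCII bodies
         * whenever it differs from the request charset).
         */
        @Override // javax.servlet.ServletRequestWrapper, javax.servlet.ServletRequest
        public BufferedReader getReader() throws IOException {
            if (this.skipBody) {
                return super.getReader();
            }
            return new BufferedReader(new InputStreamReader(getInputStream(), resolveCharset()));
        }

        @Override // javax.servlet.ServletRequestWrapper, javax.servlet.ServletRequest
        public String[] getParameterValues(String str) {
            return cleanAll(super.getParameterValues(str));
        }

        @Override // javax.servlet.ServletRequestWrapper, javax.servlet.ServletRequest
        public String getParameter(String str) {
            String parameter = super.getParameter(str);
            if (parameter == null) {
                return null;
            }
            return cleanXSS(parameter, true);
        }

        /**
         * Sanitised copy of the parameter map. Without this override a consumer reading the map
         * view received the raw values while {@link #getParameter} returned cleaned ones.
         */
        @Override // javax.servlet.ServletRequestWrapper, javax.servlet.ServletRequest
        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> raw = super.getParameterMap();
            if (raw == null) {
                return null;
            }
            Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
            for (Map.Entry<String, String[]> entry : raw.entrySet()) {
                cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
            }
            return Collections.unmodifiableMap(cleaned);
        }

        @Override // javax.servlet.http.HttpServletRequestWrapper, javax.servlet.http.HttpServletRequest
        public String getHeader(String str) {
            String header = super.getHeader(str);
            if (header == null) {
                return null;
            }
            return this.skipHeader ? header : cleanXSS(header, true);
        }

        /**
         * Multi-valued header view, sanitised the same way as {@link #getHeader} so that a
         * repeated header does not bypass the filter. {@code null} is passed through because the
         * Servlet API allows a container to return it when header access is not permitted.
         */
        @Override // javax.servlet.http.HttpServletRequestWrapper, javax.servlet.http.HttpServletRequest
        public Enumeration<String> getHeaders(String str) {
            Enumeration<String> headers = super.getHeaders(str);
            if (headers == null || this.skipHeader) {
                return headers;
            }
            List<String> cleaned = new ArrayList<String>();
            while (headers.hasMoreElements()) {
                cleaned.add(cleanXSS(headers.nextElement(), true));
            }
            return Collections.enumeration(cleaned);
        }

        /** Element-wise {@link #cleanXSS} with canonicalisation; {@code null} stays {@code null}. */
        private String[] cleanAll(String[] values) {
            if (values == null) {
                return null;
            }
            String[] cleaned = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                cleaned[i] = cleanXSS(values[i], true);
            }
            return cleaned;
        }

        /**
         * Strips every {@link #BLACKLIST} match from {@code str}.
         *
         * @param str          value to clean; {@code null} is returned as-is
         * @param canonicalize {@code true} to first collapse URL/HTML/JS encodings via ESAPI so a
         *                     pattern cannot hide behind an encoding layer (used for parameters and
         *                     headers, not for the body). ESAPI's canonicaliser may throw on
         *                     mixed or multiple encoding depending on its configuration - that
         *                     behaviour is left to propagate, as before.
         * @return the trimmed, stripped value
         */
        private String cleanXSS(String str, boolean canonicalize) {
            if (str == null) {
                return null;
            }
            String value = str;
            if (canonicalize) {
                value = ESAPI.encoder().canonicalize(value);
            }
            value = value.trim();
            for (Pattern pattern : BLACKLIST) {
                value = pattern.matcher(value).replaceAll("");
            }
            return value;
        }
    }

    /**
     * Reads the init parameters described on the class. {@code defaultExcludeUris} and
     * {@code excludeUris} are merged into one exclude list.
     */
    @Override // javax.servlet.Filter
    public void init(FilterConfig filterConfig) throws ServletException {
        this.includeUris = initUrisParam(filterConfig.getInitParameter("includeUris"));
        this.defaultExcludeUris = initUrisParam(filterConfig.getInitParameter("defaultExcludeUris"));
        List<String> excludes = initUrisParam(filterConfig.getInitParameter("excludeUris"));
        if (!this.defaultExcludeUris.isEmpty()) {
            // initUrisParam may hand back an immutable list, so copy before merging.
            List<String> merged = Lists.newArrayList(excludes);
            merged.addAll(this.defaultExcludeUris);
            excludes = merged;
        }
        this.excludeUris = excludes;
        String skipHeaderParam = filterConfig.getInitParameter("skipHeader");
        if (skipHeaderParam != null) {
            this.skipHeader = Boolean.parseBoolean(skipHeaderParam);
        }
        String mimeTypesParam = filterConfig.getInitParameter("filterBodyMimeTypes");
        if (mimeTypesParam != null) {
            this.filterBodyMimeTypes = MediaType.parseMediaTypes(mimeTypesParam);
        }
    }

    /**
     * Wraps matching requests in an {@link XssHttpServletRequestWrapper}. The body is rewritten
     * for AJAX requests and for bodies whose Content-Type is one of {@code filterBodyMimeTypes};
     * everything else keeps its body untouched (multipart uploads in particular).
     */
    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        if (!isUriMatches(httpServletRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        boolean filterBody = WebUtils.isAjaxRequest(httpServletRequest);
        String contentType = httpServletRequest.getContentType();
        if (!filterBody && contentType != null) {
            try {
                filterBody = MediaType.parseMediaType(contentType).isPresentIn(this.filterBodyMimeTypes);
            } catch (IllegalArgumentException e) {
                // Spring rejects a malformed Content-Type with an InvalidMediaTypeException
                // (an IllegalArgumentException); this used to escape the filter as a server
                // error. Treat such a body as filterable rather than passing it through raw.
                logger.debug("Unparseable Content-Type '{}', body will be filtered: {}", contentType, e.getMessage());
                filterBody = true;
            }
        }
        filterChain.doFilter(new XssHttpServletRequestWrapper(httpServletRequest, !filterBody, this.skipHeader), servletResponse);
    }

    /** Nothing to release. */
    @Override // javax.servlet.Filter
    public void destroy() {
    }

    /**
     * A URI is filtered when it matches an include pattern (or no include patterns are
     * configured) and matches no exclude pattern.
     */
    private boolean isUriMatches(HttpServletRequest httpServletRequest) {
        String requestURI = WebUtils.getRequestURI(httpServletRequest);
        boolean included = this.includeUris.isEmpty() || matchesAny(this.includeUris, requestURI);
        return included && !matchesAny(this.excludeUris, requestURI);
    }

    /** @return whether any Ant pattern in {@code patterns} matches {@code uri} */
    private boolean matchesAny(List<String> patterns, String uri) {
        for (String pattern : patterns) {
            if (this.pathMatcher.match(pattern, uri)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Splits a comma-separated init parameter into trimmed entries.
     *
     * @param str raw parameter value; blank or {@code null} yields an empty list
     * @return the entries, possibly an immutable list
     */
    protected List<String> initUrisParam(String str) {
        return StringUtils.hasText(str) ? Splitter.on(",").trimResults().splitToList(str) : Collections.emptyList();
    }
}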
