package com.yvan.actuator.sqlinjection.filter;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.Sets;
import io.micrometer.core.instrument.util.StringUtils;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.util.AntPathMatcher;

/* loaded from: input_file:com/yvan/actuator/sqlinjection/filter/SqlInjectionFilter.class */
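/**
 * Servlet filter that rejects requests whose parameters, request body or path contain SQL keywords.
 *
 * <p>Inspection covers: for POST, the raw body ({@code CustomRequestWrapper#getBody()}) when present —
 * parsed as JSON if it looks like JSON, otherwise as {@code application/x-www-form-urlencoded} pairs —
 * or the container parameter map when the body is empty; for every other method, the parameter map,
 * falling back to the URL-decoded request URI when there are no parameters. Paths matching one of the
 * comma-separated Ant patterns in the {@code allowedPaths} init parameter are not inspected.
 *
 * <p>A matching value produces a JSON rejection response and the filter chain is NOT continued. This is a
 * keyword-blacklist heuristic: it is defence in depth only and does not replace parameterised queries in
 * the data layer, and it will reject ordinary text containing words such as "use" or "from".
 *
 * <p>NOTE(review): only POST bodies are inspected; PUT/PATCH bodies reach the application unchecked
 * (their query parameters are still checked) — confirm whether that is intended.
 */
public class SqlInjectionFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger(SqlInjectionFilter.class);

    /**
     * Ant-style path patterns that bypass inspection, filled from the {@code allowedPaths} init parameter.
     * Static, so it is shared by all filter instances and survives {@link #destroy()}/{@link #init}
     * cycles (entries only accumulate, they are never removed).
     */
    private static final Set<String> ALLOWED_PATHS = Sets.newConcurrentHashSet();

    /**
     * Keyword blacklist. The original pattern listed "trancate", a misspelling that could never match a
     * real TRUNCATE statement; it is corrected here.
     */
    private static final String SQL_REG_EXP = ".*(\\b(select|insert|into|update|delete|from|where|truncate|drop|execute|grant|use|union)\\b).*";

    /**
     * Compiled once. CASE_INSENSITIVE replaces the locale-dependent {@code toLowerCase()} the original
     * used (which breaks for "I" in Turkish locales). DOTALL is required because the pattern is anchored
     * with {@code .*} and {@code matches()}: without it a keyword on any line after a newline was never seen.
     */
    private static final Pattern SQL_PATTERN = Pattern.compile(SQL_REG_EXP, Pattern.CASE_INSENSITIVE | Pattern.DOTALL);

    /** Strips trailing slashes from the request path before allowlist matching. */
    private static final Pattern TRAILING_SLASHES = Pattern.compile("[/]+$");

    /** Key under which the decoded request URI is inspected when a non-POST request carries no parameters. */
    private static final String PATH_VAR_KEY = "pathVar";

    /** ObjectMapper is thread-safe once configured; the original built a new one per request. */
    private static final ObjectMapper MAPPER = new ObjectMapper();

    private final AntPathMatcher pathMatcher = new AntPathMatcher();

    /**
     * Reads the {@code allowedPaths} init parameter (comma-separated Ant patterns) into {@link #ALLOWED_PATHS}.
     * Entries are trimmed and blank entries skipped, so {@code "a, b"} yields {@code "a"} and {@code "b"}.
     *
     * @param filterConfig the container-supplied filter configuration
     */
    @Override
    public void init(FilterConfig filterConfig) {
        String initParameter = filterConfig.getInitParameter("allowedPaths");
        if (!StringUtils.isNotBlank(initParameter)) {
            return;
        }
        for (String raw : initParameter.split(",")) {
            String pattern = raw.trim();
            if (!pattern.isEmpty()) {
                ALLOWED_PATHS.add(pattern);
            }
        }
    }

    /**
     * Wraps the request, inspects it and either writes a rejection or continues the chain.
     *
     * <p>The original always called {@code filterChain.doFilter} even after a rejection response had been
     * written and closed, so the downstream handler still processed the flagged input; rejected requests
     * now stop here.
     *
     * @param servletRequest  the incoming request (cast to {@link HttpServletRequest})
     * @param servletResponse the response
     * @param filterChain     the remaining chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        CustomRequestWrapper customRequestWrapper = new CustomRequestWrapper(httpServletRequest);
        boolean rejected = false;
        try {
            rejected = rejectIfSuspicious(httpServletRequest, customRequestWrapper, servletResponse);
        } catch (Exception e) {
            // Fail-open, as in the original: an inspection error is logged and the request goes through.
            // NOTE(review): a security filter usually fails closed; confirm which policy is wanted here.
            log.error("sql注入拦截失败", e);
        }
        if (rejected) {
            // Rejection response already written and closed; do not hand the request to the application.
            return;
        }
        filterChain.doFilter(customRequestWrapper, servletResponse);
    }

    /**
     * Inspects the request and writes a rejection response on the first suspicious value.
     *
     * @return {@code true} when a rejection was written (the chain must not continue), {@code false} otherwise
     * @throws IOException if writing the rejection response fails
     */
    private boolean rejectIfSuspicious(HttpServletRequest httpServletRequest, CustomRequestWrapper customRequestWrapper, ServletResponse servletResponse) throws IOException {
        if (isAllowedPath(httpServletRequest)) {
            return false;
        }
        for (String value : collectInputValues(httpServletRequest, customRequestWrapper)) {
            if (containsSqlKeyword(value)) {
                writeRejection(value, servletResponse);
                return true;
            }
        }
        return false;
    }

    /**
     * Matches the context-relative request path (trailing slashes removed) against {@link #ALLOWED_PATHS}.
     * NOTE(review): {@code matchStart} also succeeds when the request path is merely a prefix of a
     * pattern (e.g. path "/api" against "/api/admin/**"); confirm that {@code match} was not intended.
     */
    private boolean isAllowedPath(HttpServletRequest httpServletRequest) {
        String uri = httpServletRequest.getRequestURI();
        String path = TRAILING_SLASHES.matcher(uri.substring(httpServletRequest.getContextPath().length())).replaceAll("");
        for (String pattern : ALLOWED_PATHS) {
            if (pathMatcher.matchStart(pattern, path)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Collects every user-controlled string to inspect. Unlike the original, which looked only at the
     * first value of each parameter, all values of multi-valued parameters are included.
     * Entries may be {@code null}; callers must tolerate that.
     */
    private List<String> collectInputValues(HttpServletRequest httpServletRequest, CustomRequestWrapper customRequestWrapper) {
        List<String> values = new ArrayList<>();
        if ("POST".equalsIgnoreCase(httpServletRequest.getMethod())) {
            String body = customRequestWrapper.getBody();
            if (!StringUtils.isNotEmpty(body)) {
                addParameterValues(customRequestWrapper.getParameterMap(), values);
            } else if (getJSONType(body)) {
                addJsonValues(body, values);
            } else {
                addFormBodyValues(body, values);
            }
        } else {
            Map<String, String[]> parameterMap = customRequestWrapper.getParameterMap();
            if (parameterMap == null || parameterMap.isEmpty()) {
                // No parameters: inspect the decoded URI itself (path variables); the key is kept for parity with the original.
                Map<String, String> pathVar = new HashMap<>();
                pathVar.put(PATH_VAR_KEY, decodeUtf8(httpServletRequest.getRequestURI()));
                values.addAll(pathVar.values());
            } else {
                addParameterValues(parameterMap, values);
            }
        }
        return values;
    }

    /** Adds every value of every parameter; an empty value array (which used to throw) adds nothing. */
    private static void addParameterValues(Map<String, String[]> parameterMap, List<String> out) {
        if (parameterMap == null) {
            return;
        }
        for (String[] paramValues : parameterMap.values()) {
            if (paramValues != null) {
                out.addAll(Arrays.asList(paramValues));
            }
        }
    }

    /**
     * Parses a JSON body and adds its top-level values. The original bound the body to
     * {@code Map<String,Object>}, so a JSON array body failed to parse and was silently skipped — a
     * bypass; arrays and scalars are now inspected, and unparseable JSON is inspected as raw text.
     */
    private static void addJsonValues(String body, List<String> out) {
        Object root;
        try {
            root = MAPPER.readValue(body, Object.class);
        } catch (IOException e) {
            log.warn("SqlInjectionFilter: request body is not valid JSON, inspecting raw text", e);
            out.add(body);
            return;
        }
        if (root instanceof Map) {
            for (Object value : ((Map<?, ?>) root).values()) {
                if (value != null) {
                    out.add(value.toString()); // nested objects/arrays are inspected via their toString form, as before
                }
            }
        } else if (root instanceof Iterable) {
            for (Object element : (Iterable<?>) root) {
                if (element != null) {
                    out.add(element.toString());
                }
            }
        } else if (root != null) {
            out.add(root.toString());
        }
    }

    /**
     * Splits a form-encoded body into pairs and adds the (decoded) values. The original indexed
     * {@code split("=")[1]}, so a token without "=" threw and disabled the check for the whole request,
     * and values were not URL-decoded (so percent-encoded keywords were not seen).
     */
    private static void addFormBodyValues(String body, List<String> out) {
        for (String pair : body.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            // A bare token is still user input: inspect it as the value.
            String rawValue = eq < 0 ? pair : pair.substring(eq + 1);
            out.add(decodeUtf8(rawValue));
        }
    }

    /**
     * URL-decodes with UTF-8. Malformed percent-escapes fall back to the raw text so the check still runs
     * (the original let the IllegalArgumentException escape, which fail-opened the request).
     */
    private static String decodeUtf8(String raw) {
        if (raw == null) {
            return null;
        }
        try {
            return URLDecoder.decode(raw, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException | IllegalArgumentException ignored) {
            // UTF-8 is always supported; a malformed escape is not an error worth failing the check for.
            return raw;
        }
    }

    /** @return {@code true} when the value is non-null and matches {@link #SQL_PATTERN}. */
    private static boolean containsSqlKeyword(String value) {
        return value != null && SQL_PATTERN.matcher(value).matches();
    }

    /**
     * Writes the JSON rejection body {@code {"code":"999","message":"入参中有非法字符"}} and closes the writer.
     * NOTE(review): the rejection is sent with HTTP 200, so clients and monitoring cannot distinguish it
     * from success by status; the logged value is the full untrusted input, uncapped.
     *
     * @throws IOException if the response writer cannot be obtained
     */
    private void writeRejection(String offendingValue, ServletResponse servletResponse) throws IOException {
        log.info("SqlInjectionFilter isSqlInject ：入参中有非法字符: {}", offendingValue);
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        Map<String, String> payload = new HashMap<>();
        payload.put("code", "999");
        payload.put("message", "入参中有非法字符");
        String json = "";
        try {
            json = MAPPER.writeValueAsString(payload);
        } catch (JsonProcessingException e) {
            log.error("SqlInjectionFilter: failed to serialise rejection body", e);
        }
        httpServletResponse.setContentType("application/json;charset=UTF-8");
        httpServletResponse.setStatus(HttpStatus.OK.value());
        try (PrintWriter writer = httpServletResponse.getWriter()) {
            writer.write(json);
            writer.flush();
        }
    }

    /**
     * Cheap shape test: a trimmed body that starts/ends with {@code {}} or {@code []} is treated as JSON.
     */
    private boolean getJSONType(String str) {
        if (!StringUtils.isNotBlank(str)) {
            return false;
        }
        String trimmed = str.trim();
        boolean isObject = trimmed.startsWith("{") && trimmed.endsWith("}");
        boolean isArray = trimmed.startsWith("[") && trimmed.endsWith("]");
        return isObject || isArray;
    }

    /** Nothing to release; {@link #ALLOWED_PATHS} is static and deliberately left untouched. */
    @Override
    public void destroy() {
    }
}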
