package com.newrelic.agent.security.instrumentator.utils;

import com.newrelic.agent.security.deps.org.apache.commons.lang3.RegExUtils;
import com.newrelic.agent.security.deps.org.apache.commons.lang3.StringUtils;
import com.newrelic.agent.security.deps.org.apache.commons.text.StringEscapeUtils;
import com.newrelic.agent.security.deps.org.unbescape.html.HtmlEscape;
import com.newrelic.agent.security.intcodeagent.filelogging.FileLoggerThreadPool;
import com.newrelic.agent.security.intcodeagent.logging.IAgentConstants;
import com.newrelic.agent.security.intcodeagent.utils.TransactionUtils;
import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper;
import com.newrelic.api.agent.security.schema.HttpRequest;
import com.newrelic.api.agent.security.schema.HttpResponse;
import com.newrelic.api.agent.security.utils.logging.LogLevel;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/* loaded from: input_file:newrelic/newrelic-agent.jar:newrelic-security-agent.jar:com/newrelic/agent/security/instrumentator/utils/CallbackUtils.class */
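/**
 * Static helpers behind the agent's reflected-XSS check.
 *
 * <p>{@link #decodeRequestData} gathers the request-controlled strings (headers,
 * parameters, URL and body, each in its raw and decoded forms),
 * {@link #getXSSConstructs} pulls the script-capable HTML fragments out of them,
 * and {@link #checkForReflectedXSS} reports the fragments that also appear in the
 * (decoded) response body.
 *
 * <p>All entry points are best-effort: failures are logged through the agent
 * logger and a partial result is returned rather than letting an exception
 * reach the instrumented application.
 *
 * <p>This source was reconstructed from the shipped class file; the two
 * content-type switches, which the decompiler could not render as valid Java,
 * are rebuilt as string switches with the same cases.
 */
public class CallbackUtils {
    private static final String HTML_COMMENT_END = "-->";
    private static final String HTML_COMMENT_START = "!--";
    public static final String ANGLE_END = ">";
    public static final String JAVASCRIPT = "javascript:";
    public static final String ERROR = "Error :";
    public static final String FIVE_COLON = "::::";
    public static final String APPLICATION_JSON = "application/json";
    public static final String APPLICATION_XML = "application/xml";
    public static final String APPLICATION_X_WWW_FORM_URLENCODED = "application/x-www-form-urlencoded";
    public static final String SCRIPT = "script";
    public static final String SCRIPT_END = "</script";
    public static final String ON1 = "on";
    public static final String SRC = "src";
    public static final String HREF = "href";
    public static final String ACTION = "action";
    public static final String EQUALS = "=";
    public static final String ANGLE_START = "<";
    public static final String FORMACTION = "formaction";
    public static final String SRCDOC = "srcdoc";
    public static final String DATA = "data";
    public static final String CAME_TO_XSS_CHECK = "Came to XSS check : ";
    private static final FileLoggerThreadPool logger = FileLoggerThreadPool.getInstance();
    public static final Character ANGLE_END_CHAR = '>';
    private static final Pattern REGEX_SPACE = Pattern.compile(IAgentConstants.REGEX_SPACE);
    // Flag value 42 in the class file = CASE_INSENSITIVE | MULTILINE | DOTALL.
    private static final int TAG_REGEX_FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;
    // Matches the start of an HTML tag ("<" + tag name) or of an HTML comment ("<!--").
    // NOTE(review): these two patterns are public and non-final, so any code in the JVM can
    // swap the regex the detector relies on; left as-is to keep the public surface unchanged.
    public static Pattern tagNameRegex = Pattern.compile("<([a-zA-Z_\\-]+[0-9]*|!--)", TAG_REGEX_FLAGS);
    // Matches one name=value attribute; group 3 is the quote character (empty for unquoted values).
    public static Pattern attribRegex = Pattern.compile("([^(\\/\\s<'\">)]+?)(?:\\s*)=\\s*(('|\")([\\s\\S]*?)(?:(?=(\\\\?))\\5.)*?\\3|.+?(?=\\/>|>|\\?>|\\s|<\\/|$))", TAG_REGEX_FLAGS);

    /**
     * Looks for request-supplied XSS constructs that are reflected in the response body.
     *
     * @param httpRequest  the observed request; headers, parameters, URL and body are the
     *                     candidate attacker-controlled input
     * @param httpResponse the observed response; its body is trimmed in place via
     *                     {@link TransactionUtils#trimResponseBody} before inspection
     * @return the reflected constructs; a set holding only {@code ""} when there is nothing
     *         to report (the empty string is the "no finding" marker callers expect)
     */
    public static Set<String> checkForReflectedXSS(HttpRequest httpRequest, HttpResponse httpResponse) {
        Set<String> reflected = new HashSet<>();
        TransactionUtils.trimResponseBody(httpResponse);
        Set<String> requestData = decodeRequestData(httpRequest);
        if (requestData.isEmpty()) {
            reflected.add("");
            return reflected;
        }
        Set<String> responseData = decodeResponseData(httpResponse);
        if (responseData.isEmpty()) {
            reflected.add("");
            return reflected;
        }
        // NOTE(review): joinWith is varargs, so the Set arrives as a single element and the
        // result is effectively responseData.toString(); FIVE_COLON is never placed between
        // the body variants. Kept unchanged -- confirm whether that is intended.
        String joinedResponse = StringUtils.joinWith(FIVE_COLON, responseData);
        logger.log(LogLevel.FINER, String.format("Checking reflected XSS : %s :: %s", requestData, joinedResponse), CallbackUtils.class.getName());
        for (String construct : isXSS(requestData)) {
            if (StringUtils.containsIgnoreCase(joinedResponse, construct)) {
                reflected.add(construct);
                // Outside an IAST scan one reflected construct is enough evidence; stop early.
                if (!iastScanEnabled()) {
                    break;
                }
            }
        }
        if (reflected.isEmpty()) {
            reflected.add("");
        }
        return reflected;
    }

    /**
     * True when the agent policy enables both the vulnerability scan and its IAST scan.
     * Evaluated lazily (only after a first hit) exactly as the shipped code did.
     */
    private static boolean iastScanEnabled() {
        return AgentUtils.getInstance().getAgentPolicy().getVulnerabilityScan().getEnabled().booleanValue()
                && AgentUtils.getInstance().getAgentPolicy().getVulnerabilityScan().getIastScan().getEnabled().booleanValue();
    }

    /**
     * URL-decodes {@code str} as UTF-8.
     *
     * @param str the possibly percent-encoded text
     * @return the decoded text, or {@code str} itself when decoding fails (e.g. a stray
     *         {@code %}); Throwable is caught as in the shipped code, presumably so the
     *         agent never throws into the instrumented request path
     */
    public static String urlDecode(String str) {
        try {
            return URLDecoder.decode(str, StandardCharsets.UTF_8.name());
        } catch (Throwable ignored) {
            return str;
        }
    }

    /**
     * URL-encodes {@code str} as UTF-8.
     *
     * @param str the text to encode
     * @return the encoded text, or {@code str} itself when encoding fails (same
     *         best-effort contract as {@link #urlDecode})
     */
    public static String urlEncode(String str) {
        try {
            return URLEncoder.encode(str, StandardCharsets.UTF_8.name());
        } catch (Throwable ignored) {
            return str;
        }
    }

    /**
     * Extracts from {@code str} the HTML fragments that could execute script: tags carrying an
     * {@code on*}, {@code src}, {@code href}, {@code action}, {@code formaction}, {@code srcdoc}
     * or {@code data} attribute, tags whose attribute value contains {@code javascript:} after
     * HTML-unescaping and whitespace removal, and {@code <script>} elements together with their
     * body. HTML comments are skipped.
     *
     * <p>The index bookkeeping is preserved verbatim from the shipped agent (only the two
     * matchers are hoisted; {@code Matcher.find(int)} resets the matcher, so this is equivalent).
     * The comments describe what it does, not a redesign.
     *
     * @param str text to scan (a decoded request header, parameter, URL or body)
     * @return the suspicious fragments found, de-duplicated; empty when none
     */
    static Set<String> getXSSConstructs(String str) {
        logger.log(LogLevel.FINER, CAME_TO_XSS_CHECK + str, CallbackUtils.class.getName());
        ArrayList<String> constructs = new ArrayList<>();
        Matcher tagMatcher = tagNameRegex.matcher(str);
        Matcher attribMatcher = attribRegex.matcher(str);
        int i = 0;  // scan cursor into str
        while (i < str.length()) {
            if (!tagMatcher.find(i)) {
                return new HashSet<>(constructs);
            }
            boolean dangerousAttribute = false;
            String tagName = tagMatcher.group(1);
            if (StringUtils.isBlank(tagName)) {
                return new HashSet<>(constructs);
            }
            int start = tagMatcher.start();
            i = tagMatcher.end() - 1;
            if (StringUtils.equals(HTML_COMMENT_START, tagName)) {
                // Skip the whole comment; an unterminated comment ends the scan.
                int commentEnd = StringUtils.indexOf(str, HTML_COMMENT_END, start);
                if (commentEnd == -1) {
                    break;
                }
                i = commentEnd;
            } else {
                // i2: position of the tag's closing '>' as currently known (-1 if none);
                // i3: where to look for the next '>' from.
                int firstClose = StringUtils.indexOf(str, ">", start);
                int i2 = firstClose;
                int i3 = firstClose;
                if (i2 == -1) {
                    i3 = start;
                }
                while (attribMatcher.find(i)) {
                    String attribute = attribMatcher.group().trim();
                    i = attribMatcher.end() - 1;
                    i2 = StringUtils.indexOf(str, ">", i3);
                    // An attribute that starts after the tag's '>' belongs to a later tag.
                    if (i2 != -1 && attribMatcher.start() >= i2) {
                        break;
                    }
                    int end = attribMatcher.end() - 1;
                    i2 = end;
                    i3 = end + 1;
                    // Unquoted value (group 3 empty): cut it at the tag's closing '>'.
                    // NOTE(review): i3 indexes into str but is applied to the attribute text;
                    // preserved as shipped -- verify intent.
                    if (StringUtils.isBlank(attribMatcher.group(3)) && attribMatcher.end() >= i2) {
                        int closeAfterAttr = StringUtils.indexOf(str, ">", attribMatcher.start());
                        i2 = closeAfterAttr;
                        i3 = closeAfterAttr;
                        if (i3 == -1) {
                            i3 = str.length() - 1;
                        }
                        attribute = StringUtils.substring(attribute, 0, i3);
                    }
                    String attrName = StringUtils.substringBefore(attribute, "=");
                    String attrValue = StringUtils.substringAfter(attribute, "=");
                    if (StringUtils.isNotBlank(attrName) && (StringUtils.startsWithIgnoreCase(attrName, "on") || StringUtils.equalsIgnoreCase(attrName, "src") || StringUtils.equalsIgnoreCase(attrName, "href") || StringUtils.equalsIgnoreCase(attrName, "action") || StringUtils.equalsIgnoreCase(attrName, FORMACTION) || StringUtils.equalsIgnoreCase(attrName, SRCDOC) || StringUtils.equalsIgnoreCase(attrName, "data") || StringUtils.containsIgnoreCase(RegExUtils.removeAll(HtmlEscape.unescapeHtml(attrValue), REGEX_SPACE), JAVASCRIPT))) {
                        dangerousAttribute = true;
                    }
                }
                if (i2 > 0) {
                    i = i2;
                }
                // Move the cursor onto the tag's '>' if it is not already there; a tag with no
                // '>' and no dangerous attribute is skipped.
                if (str.charAt(i) != ANGLE_END_CHAR.charValue()) {
                    int nextClose = StringUtils.indexOf(str, ">", i);
                    if (nextClose != -1) {
                        i = nextClose;
                    } else if (!dangerousAttribute) {
                        continue;
                    }
                }
                if (StringUtils.equalsIgnoreCase(tagName.trim(), "script")) {
                    int scriptEnd = StringUtils.indexOfIgnoreCase(str, SCRIPT_END, i);
                    if (scriptEnd == -1) {
                        // No closing tag: take the opening tag plus the rest from the next '>'.
                        String remainder = StringUtils.substring(str, i + 1);
                        int nextAngle = StringUtils.indexOf(remainder, ">");
                        if (StringUtils.isNotBlank(remainder) && nextAngle != -1) {
                            constructs.add(StringUtils.substring(str, start, i + 1) + StringUtils.substring(remainder, nextAngle));
                            break;
                        }
                    } else {
                        String scriptBody = StringUtils.substring(str, i + 1, scriptEnd);
                        if (StringUtils.isNotBlank(scriptBody)) {
                            constructs.add(StringUtils.substring(str, start, i + 1) + scriptBody);
                        }
                    }
                }
                if (dangerousAttribute) {
                    constructs.add(StringUtils.substring(str, start, i + 1));
                }
            }
        }
        return new HashSet<>(constructs);
    }

    /**
     * Runs {@link #getXSSConstructs} over every string in {@code set}.
     *
     * @param set candidate input strings
     * @return the union of the constructs found in each of them
     */
    public static Set<String> isXSS(Set<String> set) {
        Set<String> constructs = new HashSet<>();
        for (String candidate : set) {
            constructs.addAll(getXSSConstructs(candidate));
        }
        return constructs;
    }

    /**
     * Collects the response body in every decoding the content type suggests.
     *
     * <p>The raw body is always included. For {@code application/json} the body is JSON-unescaped
     * repeatedly until it stops changing, each new form being added; {@code application/xml}
     * does the same with XML-unescaping. In the shipped bytecode the JSON case falls through into
     * the XML pass, so a JSON body also gets the XML treatment; that is preserved here.
     * NOTE(review): confirm the fall-through is intended (it only adds extra variants).
     *
     * @param httpResponse the response whose body and content type are inspected
     * @return the body variants; never {@code null}. Errors are logged, not thrown.
     */
    public static Set<String> decodeResponseData(HttpResponse httpResponse) {
        Set<String> variants = new HashSet<>();
        String contentType = httpResponse.getResponseContentType();
        String body = httpResponse.getBody().toString();
        String current = body;
        String previous;
        try {
            variants.add(current);
            // A null content type used to hit the switch as an NPE and be logged SEVERE;
            // it is simply "no further decoding" here.
            if (StringUtils.isNoneEmpty(body) && contentType != null) {
                switch (contentType) {
                    case APPLICATION_JSON:
                        do {
                            previous = current;
                            current = StringEscapeUtils.unescapeJson(current);
                            if (!StringUtils.equals(previous, current)) {
                                variants.add(current);
                            }
                        } while (!StringUtils.equals(previous, current));
                        // intentional fall-through (see Javadoc)
                    case APPLICATION_XML:
                        do {
                            previous = current;
                            current = StringEscapeUtils.unescapeXml(current);
                            if (!StringUtils.equals(previous, current)) {
                                variants.add(current);
                            }
                        } while (!StringUtils.equals(previous, current));
                        break;
                    default:
                        break;
                }
            }
        } catch (Throwable th) {
            logger.log(LogLevel.SEVERE, ERROR, th, CallbackUtils.class.getName());
        }
        return variants;
    }

    /**
     * Collects the request-controlled strings that may carry an XSS payload.
     *
     * <p>Included are: every header name and value (raw and URL-decoded) except the agent's own
     * IAST fuzz-request-id header; every parameter name and value containing {@code <}; the URL
     * (raw and URL-decoded); and, when the body is non-blank, the body itself plus one decoded
     * form chosen by content type (JSON-unescaped, XML-unescaped, or URL-decoded twice), the
     * decoded form being kept only if it differs and contains {@code <}.
     *
     * @param httpRequest the request to inspect
     * @return the candidate strings; never {@code null}. Errors are logged, not thrown.
     */
    public static Set<String> decodeRequestData(HttpRequest httpRequest) {
        Set<String> candidates = new HashSet<>();
        String contentType = httpRequest.getContentType();
        String body = httpRequest.getBody().toString();
        try {
            Map<String, String> headers = new HashMap<>(httpRequest.getHeaders());
            // Presumably set by the agent itself during IAST fuzzing, so not attacker input.
            headers.remove(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID);
            for (Map.Entry<String, String> header : headers.entrySet()) {
                processURLEncodedDataForXSS(candidates, header.getKey());
                processURLEncodedDataForXSS(candidates, header.getValue());
            }
            Map<String, String[]> parameters = httpRequest.getParameterMap();
            if (parameters != null) {
                for (Map.Entry<String, String[]> parameter : parameters.entrySet()) {
                    addIfContainsTag(candidates, parameter.getKey());
                    for (String value : parameter.getValue()) {
                        addIfContainsTag(candidates, value);
                    }
                }
            }
            processURLEncodedDataForXSS(candidates, httpRequest.getUrl());
            if (StringUtils.isNotBlank(body)) {
                candidates.add(body);
                // A null content type used to hit the switch as an NPE and be logged SEVERE;
                // it is simply "no further decoding" here.
                if (contentType != null) {
                    switch (contentType) {
                        case APPLICATION_JSON: {
                            String unescaped = StringEscapeUtils.unescapeJson(body);
                            if (!StringUtils.equals(body, unescaped) && StringUtils.contains(unescaped, ANGLE_START)) {
                                candidates.add(unescaped);
                            }
                            break;
                        }
                        case APPLICATION_XML: {
                            String unescaped = StringEscapeUtils.unescapeXml(body);
                            if (!StringUtils.equals(body, unescaped) && StringUtils.contains(unescaped, ANGLE_START)) {
                                candidates.add(unescaped);
                            }
                            break;
                        }
                        case APPLICATION_X_WWW_FORM_URLENCODED: {
                            // Decoded once unconditionally; a second decoding catches
                            // double-encoded payloads and is kept only if it reveals a '<'.
                            String decodedOnce = urlDecode(body);
                            candidates.add(decodedOnce);
                            String decodedTwice = urlDecode(decodedOnce);
                            if (!StringUtils.equals(decodedOnce, decodedTwice) && StringUtils.contains(decodedTwice, ANGLE_START)) {
                                candidates.add(decodedTwice);
                            }
                            break;
                        }
                        default:
                            break;
                    }
                }
            }
        } catch (Throwable th) {
            logger.log(LogLevel.SEVERE, ERROR, th, CallbackUtils.class.getName());
        }
        return candidates;
    }

    /**
     * Adds {@code str} to {@code set} when it contains {@code <}, and likewise its
     * URL-decoded form (so {@code %3C} is caught as well).
     *
     * @param set the candidate set to extend
     * @param str a header name/value or the request URL; {@code null} is tolerated
     */
    private static void processURLEncodedDataForXSS(Set<String> set, String str) {
        addIfContainsTag(set, str);
        addIfContainsTag(set, urlDecode(str));
    }

    /** Adds {@code str} to {@code set} only if it contains a {@code <}; null-safe. */
    private static void addIfContainsTag(Set<String> set, String str) {
        if (StringUtils.contains(str, ANGLE_START)) {
            set.add(str);
        }
    }
}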
