package com.supermap.server.host.webapp;

import com.gargoylesoftware.htmlunit.HttpHeader;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.supermap.services.util.LogUtil;
import com.supermap.services.util.ResourceManager;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.text.StringCharacterIterator;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.commons.lang3.StringUtils;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;
import org.slf4j.cal10n.LocLogger;

/* loaded from: input_file:BOOT-INF/lib/server-hosts-10.0.1-18030-10.0.1-SNAPSHOT.jar:com/supermap/server/host/webapp/XssFilter.class */
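/**
 * Servlet filter that (1) optionally rejects cross-site requests based on the {@code Referer}
 * header and (2) runs request parameters through an OWASP AntiSamy policy, and strips
 * {@code < > & "} from the values returned by {@link HttpServletRequest#getRequestURI()} /
 * {@link HttpServletRequest#getRequestURL()}.
 *
 * <p>Init parameters (web.xml):
 * <ul>
 *   <li>{@code antisamyName} – classpath name of the AntiSamy policy file
 *       (default {@code antisamy-ebay.xml}). The filter refuses to start when the policy
 *       cannot be loaded, so a misconfiguration cannot silently disable sanitization.</li>
 *   <li>{@code processMode} – {@code CLEAN} (default): offending content is removed and a
 *       warning logged; {@code THROWERROR}: the request is rejected.</li>
 *   <li>{@code xsrfDefendEnable} – {@code true} enables the Referer check.</li>
 *   <li>{@code refererWhiteList} – {@code ;}-separated list of hosts (or URLs) whose
 *       sub-resources may send cross-site requests. Entries are matched on the host name
 *       (exact or sub-domain), not by substring.</li>
 * </ul>
 *
 * <p>Scope and caveats a deployer should know:
 * <ul>
 *   <li>Only the query string of {@code GET} requests is scanned eagerly in
 *       {@link #doFilter}. For other methods the parameters are scanned lazily, i.e. only when
 *       the application reads them through the wrapped request. Request bodies that are not
 *       form parameters (JSON, XML, multipart file content) are never inspected.</li>
 *   <li>Parameter values are URL-decoded a second time before scanning (the container has
 *       already decoded them once) and the re-decoded value is what the application receives.
 *       A literal {@code +} therefore becomes a space and a literal {@code %xx} is decoded.
 *       This is kept from the original implementation; change with care.</li>
 *   <li>A request without a {@code Referer} header is never blocked by the XSRF check, so the
 *       check only defends against browser-originated cross-site requests.</li>
 * </ul>
 */
public class XssFilter implements Filter {
    private static final String PARAM_ANTISAMY_NAME = "antisamyName";
    private static final String PARAM_PROCESS_MODE = "processMode";
    private static final String PARAM_XSRF_DEFEND_ENABLE = "xsrfDefendEnable";
    private static final String PARAM_REFERER_WHITE_LIST = "refererWhiteList";
    private static final String POLICY_EBAY = "antisamy-ebay.xml";
    private static final String POLICY_MYSPACE = "antisamy-myspace.xml";
    private static final String POLICY_TINYMCE = "antisamy-tinymce.xml";
    private static final String POLICY_SLASHDOT = "antisamy-slashdot.xml";
    private static final String[] BUNDLED_POLICIES = {POLICY_EBAY, POLICY_MYSPACE, POLICY_TINYMCE, POLICY_SLASHDOT};
    private static final String REFERER_HEADER = "referer";
    // Header names are case-insensitive in HttpServletRequest#getHeader; a plain literal is used
    // instead of HtmlUnit's HttpHeader.HOST_LC so production code does not depend on a test library.
    private static final String HOST_HEADER = "host";
    private static final String UTF8 = StandardCharsets.UTF_8.name();
    // Whitespace that is ignored when comparing a value with its AntiSamy-cleaned form.
    private static final Pattern IGNORED_WHITESPACE = Pattern.compile("\\r|\\n| ");
    // "%df" is not a complete UTF-8 sequence, so decoding yields U+FFFD followed by '"'.
    // NOTE(review): presumably a heuristic marker for multibyte (GBK-style) quote smuggling — confirm.
    private static final String WIDE_CHAR_MARKER = decodeWideCharMarker();
    private static final ResourceManager resource = new ResourceManager("com.supermap.server.host.webapp.WebAppHost");
    private static final ResourceManager messages = new ResourceManager("resource.InstanceAccessRecordManager");
    private static final LocLogger logger = LogUtil.getLocLogger(XssFilter.class, resource);
    private FilterConfig filterConfig;
    private Policy policy = null;
    private ProcessMode processMode;
    private boolean xsrfDefendEnabled;
    private List<String> refererWhiteList;

    /** How offending content is handled: removed with a warning, or rejected with an exception. */
    public enum ProcessMode {
        CLEAN,
        THROWERROR
    }

    /**
     * Request wrapper that applies the XSRF Referer check and sanitizes parameters, query
     * string and URI accessors on read. Sanitized values are always produced on copies; the
     * container's own parameter arrays are never modified.
     */
    class XssRequestWapper extends HttpServletRequestWrapper {
        /** Sanitized parameter map, built on first call of {@link #getParameterMap()}. */
        private Map<String, String[]> sanitizedParameters;

        public XssRequestWapper(HttpServletRequest httpServletRequest) {
            super(httpServletRequest);
            this.sanitizedParameters = null;
        }

        /**
         * Decides whether this request must be rejected by the XSRF defence.
         *
         * @return {@code true} when the defence is enabled, a {@code Referer} is present, and its
         *         host is neither the request's own {@code Host} nor covered by the white list.
         *         Requests without a {@code Referer} are never rejected. A {@code Referer} whose
         *         host cannot be parsed is treated as foreign (fail closed).
         */
        public boolean doFilterRefererWhiteList() {
            if (!XssFilter.this.xsrfDefendEnabled) {
                return false;
            }
            String referer = super.getHeader(REFERER_HEADER);
            if (StringUtils.isEmpty(referer)) {
                return false;
            }
            // Compare host names rather than using String#contains: a Referer such as
            // "https://evil.example/?x=<our-host>" would otherwise pass as same-origin.
            String refererHost = hostOf(referer);
            if (refererHost == null) {
                return true;
            }
            String requestHost = hostOnly(super.getHeader(HOST_HEADER));
            if (requestHost != null && requestHost.equals(refererHost)) {
                return false;
            }
            List<String> whiteList = XssFilter.this.refererWhiteList;
            if (whiteList == null || whiteList.isEmpty()) {
                return true;
            }
            for (String entry : whiteList) {
                if (matchesWhiteListEntry(refererHost, entry)) {
                    return false;
                }
            }
            return true;
        }

        /**
         * Extracts the lower-cased host of an absolute URL, without user-info and port.
         *
         * @return the host, or {@code null} when the value is not an absolute URL with an authority
         */
        private String hostOf(String url) {
            try {
                String authority = new URI(url.trim()).getRawAuthority();
                if (authority == null) {
                    return null;
                }
                // Drop "user:pass@" so "https://victim@evil.example/" resolves to evil.example.
                int at = authority.lastIndexOf('@');
                return hostOnly(at < 0 ? authority : authority.substring(at + 1));
            } catch (URISyntaxException e) {
                return null;
            }
        }

        /**
         * Reduces a {@code host[:port]} value (as in the {@code Host} header) to the lower-cased
         * host part; IPv6 literals keep their brackets.
         *
         * @return the host, or {@code null} when the value is blank or has no host part
         */
        private String hostOnly(String hostAndPort) {
            String value = StringUtils.trimToNull(hostAndPort);
            if (value == null) {
                return null;
            }
            String host;
            if (value.charAt(0) == '[') {
                int end = value.indexOf(']');
                if (end < 0) {
                    return null;
                }
                host = value.substring(0, end + 1);
            } else {
                int colon = value.indexOf(':');
                host = colon < 0 ? value : value.substring(0, colon);
            }
            return host.isEmpty() ? null : host.toLowerCase(Locale.ROOT);
        }

        /**
         * A white-list entry may be a host, a {@code host:port} or a full URL; an optional
         * leading {@code *.} is accepted. It matches the referer host exactly or as a parent domain.
         */
        private boolean matchesWhiteListEntry(String refererHost, String entry) {
            String allowed = StringUtils.trimToNull(entry);
            if (allowed == null) {
                return false;
            }
            String allowedHost = allowed.contains("://") ? hostOf(allowed) : hostOnly(allowed);
            if (allowedHost == null) {
                return false;
            }
            if (allowedHost.startsWith("*.")) {
                allowedHost = allowedHost.substring(2);
            }
            return refererHost.equals(allowedHost) || refererHost.endsWith("." + allowedHost);
        }

        /**
         * Returns the sanitized parameter map. The map is computed once per request from copies
         * of the container's values and is unmodifiable.
         *
         * @throws IllegalArgumentException in {@link ProcessMode#THROWERROR} when a value is rejected
         */
        @Override
        public Map<String, String[]> getParameterMap() {
            if (this.sanitizedParameters == null) {
                Map<String, String[]> raw = super.getParameterMap();
                Map<String, String[]> cleaned = new LinkedHashMap<>();
                for (Map.Entry<String, String[]> entry : raw.entrySet()) {
                    String name = entry.getKey();
                    String[] values = entry.getValue();
                    String[] copy = new String[values == null ? 0 : values.length];
                    for (int i = 0; i < copy.length; i++) {
                        copy[i] = sanitize(name, values[i]);
                    }
                    cleaned.put(name, copy);
                }
                this.sanitizedParameters = cleaned;
            }
            return Collections.unmodifiableMap(this.sanitizedParameters);
        }

        /** Returns the sanitized first value of the parameter, or {@code null} when absent. */
        @Override
        public String getParameter(String name) {
            String value = super.getParameter(name);
            return value == null ? null : sanitize(name, value);
        }

        /** Returns sanitized copies of the parameter's values; the container's array is left untouched. */
        @Override
        public String[] getParameterValues(String name) {
            String[] values = super.getParameterValues(name);
            if (values == null || values.length == 0) {
                return values;
            }
            String[] copy = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                copy[i] = sanitize(name, values[i]);
            }
            return copy;
        }

        /**
         * Rebuilds the query string from the sanitized parameters once {@link #getParameterMap()}
         * has run; before that (or when there are no parameters) the container's value is returned.
         * Names and values are URL-encoded and multi-valued parameters are repeated, so the result
         * is a well-formed query string.
         */
        @Override
        public String getQueryString() {
            Map<String, String[]> cleaned = this.sanitizedParameters;
            if (cleaned == null || cleaned.isEmpty()) {
                return super.getQueryString();
            }
            StringBuilder sb = new StringBuilder();
            for (Map.Entry<String, String[]> entry : cleaned.entrySet()) {
                for (String value : entry.getValue()) {
                    if (sb.length() > 0) {
                        sb.append('&');
                    }
                    sb.append(urlEncode(entry.getKey())).append('=').append(urlEncode(value));
                }
            }
            return sb.toString();
        }

        @Override
        public StringBuffer getRequestURL() {
            return new StringBuffer(stripDangerousChars(urlDecode(super.getRequestURL().toString())));
        }

        /**
         * NOTE(review): the servlet spec defines getRequestURI() as the un-decoded path. Returning
         * the decoded form (needed so encoded {@code <} etc. are caught) means {@code %2F} and
         * {@code %2E%2E} reach downstream code as {@code /} and {@code ..}, and {@code +} becomes a
         * space. Confirm that nothing routes or authorizes on this value expecting the raw URI.
         */
        @Override
        public String getRequestURI() {
            return stripDangerousChars(urlDecode(super.getRequestURI()));
        }

        /** URL-decodes as UTF-8; malformed {@code %xx} sequences raise IllegalArgumentException. */
        private String urlDecode(String value) {
            try {
                return URLDecoder.decode(value, UTF8);
            } catch (UnsupportedEncodingException e) {
                // Unreachable (UTF-8 is always available); the original discarded this result and
                // returned null, which then failed with a NullPointerException.
                return URLDecoder.decode(value);
            }
        }

        private String urlEncode(String value) {
            if (value == null) {
                return "";
            }
            try {
                return URLEncoder.encode(value, UTF8);
            } catch (UnsupportedEncodingException e) {
                return value;
            }
        }

        /**
         * Removes {@code < > & "} from a decoded URI/URL. Each occurrence is reported through
         * {@link #reportDangerousUrlChar}, which throws in {@link ProcessMode#THROWERROR}.
         * In CLEAN mode the characters are dropped silently from the caller's point of view, so
         * {@code /a<b} is reported as {@code /ab}.
         */
        private String stripDangerousChars(String value) {
            StringBuilder sb = new StringBuilder(value.length());
            for (int i = 0; i < value.length(); i++) {
                char ch = value.charAt(i);
                switch (ch) {
                    case '<':
                    case '>':
                    case '&':
                    case '"':
                        reportDangerousUrlChar(value, ch);
                        break;
                    default:
                        sb.append(ch);
                }
            }
            return sb.toString();
        }

        private void reportDangerousUrlChar(String url, char ch) {
            switch (XssFilter.this.processMode) {
                case CLEAN:
                    XssFilter.logger.warn(XssFilter.messages.getMessage("CLEAN_DANGER_CHARACTER_URL", url, Character.valueOf(ch)));
                    return;
                case THROWERROR:
                    throw new IllegalArgumentException(XssFilter.messages.getMessage("THROWERROR_FOR_URL", url, Character.valueOf(ch)));
                default:
                    return;
            }
        }

        /** Wide-character marker removal followed by the AntiSamy scan; null passes through. */
        private String sanitize(String name, String value) {
            if (value == null) {
                return null;
            }
            return scanWithAntiSamy(name, XssFilter.this.filterWideCharacters(name, value));
        }

        /**
         * URL-decodes the value (see class note on double decoding), scans it with the configured
         * AntiSamy policy and compares the un-escaped clean HTML with the input.
         *
         * @return the decoded value when AntiSamy left it unchanged, otherwise the result of
         *         {@link XssFilter#cleanOrThrowExceptionIfChanged}
         * @throws IllegalArgumentException in THROWERROR mode when the value is rejected, cannot
         *         be decoded, or cannot be scanned
         */
        private String scanWithAntiSamy(String name, String value) {
            String decoded;
            try {
                decoded = URLDecoder.decode(value, UTF8);
            } catch (IllegalArgumentException e) {
                // Malformed %xx sequence. THROWERROR rejects it; CLEAN scans the value as received
                // rather than skipping the scan.
                if (ProcessMode.THROWERROR.equals(XssFilter.this.processMode)) {
                    throw new IllegalArgumentException(XssFilter.messages.getMessage("PARAMETERS_HAS_DANGER_CHARACTER", name), e);
                }
                XssFilter.logger.warn("malformed percent-encoding in parameter " + name + ", scanning undecoded value", e);
                decoded = value;
            } catch (UnsupportedEncodingException e) {
                return onScanFailure(name, value, e);
            }
            try {
                String cleanHtml = new AntiSamy().scan(decoded, XssFilter.this.policy).getCleanHTML();
                return XssFilter.this.cleanOrThrowExceptionIfChanged(name, decoded, StringEscapeUtils.unescapeHtml4(cleanHtml));
            } catch (ScanException | PolicyException e) {
                return onScanFailure(name, decoded, e);
            }
        }

        /** THROWERROR: reject; CLEAN: log and hand the value back unscanned (original behaviour). */
        private String onScanFailure(String name, String value, Exception cause) {
            if (ProcessMode.THROWERROR.equals(XssFilter.this.processMode)) {
                throw new IllegalArgumentException(XssFilter.messages.getMessage("PARAMETERS_HAS_DANGER_CHARACTER", name), cause);
            }
            XssFilter.logger.error("failed scan " + value, cause);
            return value;
        }
    }

    /**
     * Reads the init parameters and loads the AntiSamy policy.
     *
     * @throws ServletException when the policy file is missing or invalid; the filter fails
     *         closed instead of running with a {@code null} policy
     */
    @Override
    public void init(FilterConfig config) throws ServletException {
        this.filterConfig = config;
        String policyName = config.getInitParameter(PARAM_ANTISAMY_NAME);
        String modeName = config.getInitParameter(PARAM_PROCESS_MODE);
        this.xsrfDefendEnabled = parseBoolean(config.getInitParameter(PARAM_XSRF_DEFEND_ENABLE));
        this.refererWhiteList = parseWhiteList(config.getInitParameter(PARAM_REFERER_WHITE_LIST));
        // Anything other than "THROWERROR" (case-insensitive), including absent, means CLEAN.
        this.processMode = ProcessMode.THROWERROR.name().equalsIgnoreCase(modeName) ? ProcessMode.THROWERROR : ProcessMode.CLEAN;
        logger.debug(messages.getMessage("PROCESS_MODEL", this.processMode));
        if (StringUtils.isEmpty(policyName)) {
            policyName = BUNDLED_POLICIES[0];
        }
        logger.debug(messages.getMessage("POLICY_NAME", policyName));
        this.policy = loadPolicy(policyName);
        if (this.policy == null) {
            throw new ServletException("XssFilter: AntiSamy policy '" + policyName
                    + "' could not be loaded; refusing to start without a sanitization policy");
        }
    }

    /** Loads a policy from the classpath; returns {@code null} (after logging) on any failure. */
    private Policy loadPolicy(String policyName) {
        try (InputStream in = XssFilter.class.getClassLoader().getResourceAsStream(policyName)) {
            if (in == null) {
                logger.error("policy file not found on classpath: " + policyName);
                return null;
            }
            return Policy.getInstance(in);
        } catch (PolicyException e) {
            logger.error("failed init policy", e);
        } catch (IOException e) {
            logger.error("failed load policy file", e);
        }
        return null;
    }

    /** Splits the {@code ;}-separated white list, trimming entries and dropping blanks. */
    private List<String> parseWhiteList(String raw) {
        List<String> entries = new ArrayList<>();
        for (String entry : StringUtils.split(StringUtils.defaultString(raw), ";")) {
            String trimmed = entry.trim();
            if (!trimmed.isEmpty()) {
                entries.add(trimmed);
            }
        }
        return entries;
    }

    /** {@code true} only for the literal "true" (case-insensitive); null/anything else is false. */
    private boolean parseBoolean(String raw) {
        return Boolean.parseBoolean(raw);
    }

    /**
     * Applies the XSRF check, eagerly scans GET parameters, and passes the wrapped request on.
     * A rejected Referer yields 403; a parameter rejected in THROWERROR mode during the eager
     * scan yields 400. Parameters read lazily by the application (non-GET) still throw
     * {@link IllegalArgumentException} into the application in THROWERROR mode.
     *
     * @throws ServletException when the request/response are not HTTP
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
            throw new ServletException("XssFilter only supports HTTP requests");
        }
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        XssRequestWapper wrapped = new XssRequestWapper((HttpServletRequest) request);
        if (wrapped.doFilterRefererWhiteList()) {
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (this.processMode != null && "GET".equalsIgnoreCase(wrapped.getMethod())) {
            try {
                wrapped.getParameterMap();
            } catch (IllegalArgumentException e) {
                logger.warn(e.getMessage());
                httpResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        chain.doFilter(wrapped, response);
    }

    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    private static String decodeWideCharMarker() {
        try {
            return URLDecoder.decode("%df\"", UTF8);
        } catch (UnsupportedEncodingException e) {
            return URLDecoder.decode("%df\"");
        }
    }

    /**
     * Removes the wide-character marker ({@link #WIDE_CHAR_MARKER}) from a value, or rejects the
     * value in THROWERROR mode. Values without the marker are returned as-is.
     */
    protected String filterWideCharacters(String name, String value) {
        return StringUtils.contains(value, WIDE_CHAR_MARKER) ? handleDangerousValue(name, value, WIDE_CHAR_MARKER, true) : value;
    }

    /**
     * Common handling for a value flagged as dangerous.
     *
     * @param name             parameter name (used in log/error messages)
     * @param original         the value as received
     * @param cleanedOrMarker  with {@code removeMarker}: the literal substring to remove from
     *                         {@code original}; otherwise: the replacement value to return
     * @param removeMarker     see above
     * @return in CLEAN mode the cleaned value; in THROWERROR mode never returns
     * @throws IllegalArgumentException in THROWERROR mode
     */
    private String handleDangerousValue(String name, String original, String cleanedOrMarker, boolean removeMarker) {
        switch (this.processMode) {
            case CLEAN:
                // StringUtils.remove is a literal match; the original used replaceAll, which
                // interprets its pattern as a regex.
                String result = removeMarker ? StringUtils.remove(original, cleanedOrMarker) : cleanedOrMarker;
                logger.warn(messages.getMessage("CLEAN_DANGER_CHARACTER", name, original, cleanedOrMarker));
                return result;
            case THROWERROR:
                throw new IllegalArgumentException(messages.getMessage("THROWERROR_FOR_PARAMETER", name));
            default:
                return original;
        }
    }

    /**
     * Compares a value with its AntiSamy-cleaned form, ignoring CR, LF and spaces.
     *
     * @return {@code original} when empty or unchanged by the scan; otherwise the cleaned value
     *         (CLEAN mode) — an empty cleaned value means everything was stripped
     * @throws IllegalArgumentException in THROWERROR mode when the scan changed the value
     */
    protected String cleanOrThrowExceptionIfChanged(String name, String original, String cleaned) {
        if (StringUtils.isEmpty(original)) {
            return original;
        }
        if (StringUtils.isEmpty(cleaned)) {
            return handleDangerousValue(name, original, cleaned, false);
        }
        return normalizeForCompare(original).equals(normalizeForCompare(cleaned)) ? original : handleDangerousValue(name, original, cleaned, false);
    }

    private static String normalizeForCompare(String value) {
        return IGNORED_WHITESPACE.matcher(value).replaceAll("").trim();
    }
}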
