package fr.paris.lutece.util.http;

import fr.paris.lutece.portal.service.captcha.ICaptchaSecurityService;
import fr.paris.lutece.portal.service.util.AppPathService;
import fr.paris.lutece.portal.service.util.AppPropertiesService;
import fr.paris.lutece.portal.web.LocalVariables;
import fr.paris.lutece.util.string.StringUtil;
import java.util.Enumeration;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.log4j.Logger;
import org.springframework.util.AntPathMatcher;

/* loaded from: input_file:fr/paris/lutece/util/http/SecurityUtil.class */
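/**
 * Static helpers for request-level security checks (XSS and XXE markers, path
 * manipulation, open-redirect targets, client IP resolution) and for dumping a
 * request into the security log.
 *
 * Every detection method logs a warning containing {@link #dumpRequest} when it
 * fires; the dump redacts credential headers and password-like parameters and
 * neutralises CR/LF in values so that user input cannot forge log lines.
 */
public final class SecurityUtil {
    private static final String LOGGER_NAME = "lutece.security.http";
    private static final Logger LOGGER = Logger.getLogger(LOGGER_NAME);
    private static final String CONSTANT_HTTP_HEADER_X_FORWARDED_FOR = "X-Forwarded-For";
    // Dotted-quad IPv4 only; octet range is not validated (999.999.999.999 matches).
    private static final String PATTERN_IP_ADDRESS = "^([0-9]{1,3}\\.){3}[0-9]{1,3}$";
    // Compiled once: applied to every entry of every X-Forwarded-For header.
    private static final Pattern IP_ADDRESS = Pattern.compile(PATTERN_IP_ADDRESS);
    // RFC 3986 scheme prefix ("http:", "javascript:", "data:", ...). A relative
    // reference cannot start with one: a first path segment containing ":" has to
    // be written "./name:...".
    private static final Pattern URL_SCHEME = Pattern.compile("[a-zA-Z][a-zA-Z0-9+.-]*:");
    private static final String CONSTANT_COMMA = ",";
    private static final String[] XXE_TERMS = {"!DOCTYPE", "!ELEMENT", "!ENTITY"};
    private static final String[] PATH_MANIPULATION = {"..", "/", "\\"};
    // Header names whose value is a credential and must not be written to the log.
    private static final String[] REDACTED_HEADERS = {"Authorization", "Proxy-Authorization", "Cookie"};
    // A parameter whose name contains one of these (case-insensitive) is redacted in the dump.
    private static final String[] SENSITIVE_PARAMETER_MARKERS = {"password", "passwd", "pwd", "secret", "token"};
    private static final String REDACTED = "<redacted>";
    public static final String PROPERTY_REDIRECT_URL_SAFE_PATTERNS = "lutece.security.redirectUrlSafePatterns";

    /** Utility class: not instantiable. */
    private SecurityUtil() {
    }

    /**
     * Checks every value of every request parameter for XSS characters.
     *
     * @param httpServletRequest the request whose parameters are inspected
     * @return {@code true} if no parameter value contains XSS characters
     */
    public static boolean containsCleanParameters(HttpServletRequest httpServletRequest) {
        return containsCleanParameters(httpServletRequest, null);
    }

    /**
     * Checks every value of every request parameter for XSS characters and logs a
     * warning with a request dump on the first offending value.
     *
     * @param httpServletRequest the request whose parameters are inspected
     * @param str passed through to {@code StringUtil.containsXssCharacters};
     *            presumably overrides the character set to detect — confirm against StringUtil
     * @return {@code true} if no parameter value contains XSS characters
     */
    public static boolean containsCleanParameters(HttpServletRequest httpServletRequest, String str) {
        Enumeration<String> parameterNames = httpServletRequest.getParameterNames();
        while (parameterNames.hasMoreElements()) {
            String[] values = httpServletRequest.getParameterValues(parameterNames.nextElement());
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (containsXssCharacters(httpServletRequest, value, str)) {
                    LOGGER.warn("SECURITY WARNING : INVALID REQUEST PARAMETERS" + dumpRequest(httpServletRequest));
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Tests a single string for XSS characters.
     *
     * @param httpServletRequest the request, dumped into the log when the check fires (may be {@code null})
     * @param str the value to test
     * @return {@code true} if XSS characters were detected
     */
    public static boolean containsXssCharacters(HttpServletRequest httpServletRequest, String str) {
        return containsXssCharacters(httpServletRequest, str, null);
    }

    /**
     * Tests a single string for XSS characters and logs a warning with a request
     * dump when some are found.
     *
     * @param httpServletRequest the request, dumped into the log when the check fires (may be {@code null})
     * @param str the value to test
     * @param str2 passed through to {@code StringUtil.containsXssCharacters} when non-null;
     *             presumably overrides the character set to detect — confirm against StringUtil
     * @return {@code true} if XSS characters were detected
     */
    public static boolean containsXssCharacters(HttpServletRequest httpServletRequest, String str, String str2) {
        boolean detected = str2 == null
                ? StringUtil.containsXssCharacters(str)
                : StringUtil.containsXssCharacters(str, str2);
        if (detected) {
            LOGGER.warn("SECURITY WARNING : XSS CHARACTERS DETECTED" + dumpRequest(httpServletRequest));
        }
        return detected;
    }

    /**
     * Tests whether a string contains DTD markup ({@code !DOCTYPE}, {@code !ELEMENT},
     * {@code !ENTITY}), case-insensitively. Any document declaring a DTD is flagged,
     * which is the intent: external entities and entity expansion both require one.
     * The current request (from {@code LocalVariables}) is dumped into the log on a hit.
     *
     * @param str the XML text to test; {@code null} yields {@code false}
     * @return {@code true} if a DTD marker was found
     */
    public static boolean containsXmlExternalEntityInjectionTerms(String str) {
        for (String term : XXE_TERMS) {
            // indexOfIgnoreCase is null-safe and returns -1 for a null haystack.
            if (StringUtils.indexOfIgnoreCase(str, term) >= 0) {
                LOGGER.warn("SECURITY WARNING : XXE TERMS DETECTED : " + dumpRequest(LocalVariables.getRequest()));
                return true;
            }
        }
        return false;
    }

    /**
     * Tests whether a string meant to be a single file or path segment contains
     * traversal or separator characters ({@code ..}, {@code /}, {@code \}).
     *
     * @param httpServletRequest the request, dumped into the log when the check fires (may be {@code null})
     * @param str the value to test; {@code null} is treated as absent and yields {@code false}
     * @return {@code true} if path manipulation characters were found
     */
    public static boolean containsPathManipulationChars(HttpServletRequest httpServletRequest, String str) {
        if (str == null) {
            return false;
        }
        for (String sequence : PATH_MANIPULATION) {
            if (str.contains(sequence)) {
                LOGGER.warn("SECURITY WARNING : PATH_MANIPULATION DETECTED : " + dumpRequest(httpServletRequest));
                return true;
            }
        }
        return false;
    }

    /**
     * Renders the request variables, parameters and headers as a multi-line block
     * for the security log. Credential headers and password-like parameters are
     * redacted, and CR/LF inside names and values are escaped so that a value
     * cannot inject fake log lines.
     *
     * @param httpServletRequest the request to dump; {@code null} yields a short placeholder
     * @return the dump, starting with {@code "\r\n Request Dump : \r\n"}
     */
    public static String dumpRequest(HttpServletRequest httpServletRequest) {
        StringBuilder sb = new StringBuilder("\r\n Request Dump : \r\n");
        if (httpServletRequest == null) {
            sb.append("no request provided.");
            return sb.toString();
        }
        dumpTitle(sb, "Request variables");
        dumpVariables(sb, httpServletRequest);
        dumpTitle(sb, "Request parameters");
        dumpParameters(sb, httpServletRequest);
        dumpTitle(sb, "Request headers");
        dumpHeaders(sb, httpServletRequest);
        return sb.toString();
    }

    /**
     * Returns the client IP: the left-most well-formed IPv4 entry of the
     * {@code X-Forwarded-For} header, or {@code getRemoteAddr()} when the header is
     * absent or holds no such entry (IPv6 entries never match the dotted-quad pattern).
     *
     * The header is supplied by the client and the left-most entry is whatever the
     * client chose to send; the result is only trustworthy when a reverse proxy in
     * front of the application strips or overwrites inbound {@code X-Forwarded-For}.
     * Do not use it as the sole input to access-control or rate-limiting decisions
     * without that guarantee.
     *
     * @param httpServletRequest the request
     * @return the resolved client address
     */
    public static String getRealIp(HttpServletRequest httpServletRequest) {
        String forwardedFor = httpServletRequest.getHeader(CONSTANT_HTTP_HEADER_X_FORWARDED_FOR);
        if (forwardedFor != null) {
            for (String entry : forwardedFor.split(CONSTANT_COMMA)) {
                // Proxies usually write "a, b"; trim so a trailing space does not
                // disqualify an otherwise valid entry.
                String candidate = entry.trim();
                if (IP_ADDRESS.matcher(candidate).matches()) {
                    return candidate;
                }
            }
        }
        return httpServletRequest.getRemoteAddr();
    }

    /**
     * Tests whether a redirect target stays inside the site, using the Ant patterns
     * configured under {@link #PROPERTY_REDIRECT_URL_SAFE_PATTERNS} as extra allow-list.
     *
     * @param str the redirect target
     * @param httpServletRequest the request, used to compute the site base URL and for the log dump
     * @return {@code true} if the target is blank, relative, under the base URL or matches a configured pattern
     */
    public static boolean isInternalRedirectUrlSafe(String str, HttpServletRequest httpServletRequest) {
        return isInternalRedirectUrlSafe(str, httpServletRequest, AppPropertiesService.getProperty(PROPERTY_REDIRECT_URL_SAFE_PATTERNS));
    }

    /**
     * Tests whether a redirect target stays inside the site.
     *
     * A target is accepted when it is blank, when it is a relative reference (no
     * scheme, not protocol-relative), when it is under the site base URL on a
     * path-segment boundary, or when it matches one of the comma-separated Ant
     * patterns in {@code str2}. Anything else is logged as an open-redirect attempt.
     *
     * @param str the redirect target
     * @param httpServletRequest the request, used to compute the site base URL and for the log dump
     * @param str2 comma-separated Ant path patterns of allowed targets; blank disables the allow-list
     * @return {@code true} if the target is considered internal
     */
    public static boolean isInternalRedirectUrlSafe(String str, HttpServletRequest httpServletRequest, String str2) {
        if (StringUtils.isBlank(str)) {
            return true;
        }
        if (isRelativeReference(str) || isUnderBaseUrl(str, httpServletRequest)) {
            return true;
        }
        if (!StringUtils.isBlank(str2)) {
            AntPathMatcher antPathMatcher = new AntPathMatcher();
            for (String pattern : str2.split(CONSTANT_COMMA)) {
                // Trim so "a/**, b/**" does not silently disable the second pattern.
                String trimmed = pattern.trim();
                if (!trimmed.isEmpty() && antPathMatcher.match(trimmed, str)) {
                    return true;
                }
            }
        }
        LOGGER.warn("SECURITY WARNING : OPEN_REDIRECT DETECTED : " + dumpRequest(httpServletRequest));
        return false;
    }

    /**
     * Tells whether a URL is a relative reference as a browser would interpret it.
     * Browsers ignore leading C0 controls and spaces, fold case in the scheme and
     * treat {@code \} as {@code /}, so the value is normalised before testing;
     * otherwise {@code "  //host"}, {@code "/\host"} or {@code "Http:host"} would
     * pass a naive prefix check.
     */
    private static boolean isRelativeReference(String url) {
        int start = 0;
        while (start < url.length() && url.charAt(start) <= ' ') {
            start++;
        }
        String normalized = url.substring(start).replace('\\', '/');
        return !normalized.startsWith("//")
                && !normalized.contains("://")
                && !URL_SCHEME.matcher(normalized).lookingAt();
    }

    /**
     * Tells whether a URL is the site base URL or lies under it on a segment
     * boundary ({@code /}, {@code ?} or {@code #}). A bare prefix test would accept
     * {@code "https://host.example.evil"} for a base URL of {@code "https://host.example"}.
     */
    private static boolean isUnderBaseUrl(String url, HttpServletRequest httpServletRequest) {
        String baseUrl = AppPathService.getBaseUrl(httpServletRequest);
        if (StringUtils.isEmpty(baseUrl) || !url.startsWith(baseUrl)) {
            return false;
        }
        if (baseUrl.endsWith("/") || url.length() == baseUrl.length()) {
            return true;
        }
        char next = url.charAt(baseUrl.length());
        return next == '/' || next == '?' || next == '#';
    }

    /**
     * Wraps user-supplied text for logging so that each of its lines is visibly
     * marked and cannot be mistaken for a genuine log entry.
     *
     * @param str the user input; {@code null} is treated as empty
     * @return the input framed by BEGIN/END markers, with {@code "** "} prefixed to
     *         every continuation line; the BEGIN marker reports the number of line
     *         breaks (labelled "lines") and the character count
     */
    public static String logForgingProtect(String str) {
        String input = str == null ? "" : str;
        int length = input.length();
        return "\n** USER INPUT DATA : BEGIN (" + StringUtils.countMatches(input, "\n") + " lines and " + length + " chars) ** \n" + input.replace("\n", "\n** ") + "\n** USER INPUT DATA : END\n";
    }

    /** Appends a section title line to the dump. */
    private static void dumpTitle(StringBuilder sb, String str) {
        sb.append("** ");
        sb.append(str);
        sb.append("  **\r\n");
    }

    /** Appends the CGI-style request variables to the dump. */
    private static void dumpVariables(StringBuilder sb, HttpServletRequest httpServletRequest) {
        dumpVariable(sb, "AUTH_TYPE", httpServletRequest.getAuthType());
        dumpVariable(sb, "REQUEST_METHOD", httpServletRequest.getMethod());
        dumpVariable(sb, "PATH_INFO", httpServletRequest.getPathInfo());
        dumpVariable(sb, "PATH_TRANSLATED", httpServletRequest.getPathTranslated());
        dumpVariable(sb, "QUERY_STRING", httpServletRequest.getQueryString());
        dumpVariable(sb, "REQUEST_URI", httpServletRequest.getRequestURI());
        dumpVariable(sb, "SCRIPT_NAME", httpServletRequest.getServletPath());
        dumpVariable(sb, "LOCAL_ADDR", httpServletRequest.getLocalAddr());
        dumpVariable(sb, "SERVER_PROTOCOL", httpServletRequest.getProtocol());
        dumpVariable(sb, "REMOTE_ADDR", httpServletRequest.getRemoteAddr());
        dumpVariable(sb, "REMOTE_HOST", httpServletRequest.getRemoteHost());
        dumpVariable(sb, "HTTPS", httpServletRequest.getScheme());
        dumpVariable(sb, "SERVER_NAME", httpServletRequest.getServerName());
        dumpVariable(sb, "SERVER_PORT", String.valueOf(httpServletRequest.getServerPort()));
    }

    /**
     * Appends every header value to the dump, one line per value. Credential
     * headers are written with a redacted value; a container that does not expose
     * header names (null enumeration) contributes nothing.
     */
    private static void dumpHeaders(StringBuilder sb, HttpServletRequest httpServletRequest) {
        Enumeration<String> headerNames = httpServletRequest.getHeaderNames();
        if (headerNames == null) {
            return;
        }
        while (headerNames.hasMoreElements()) {
            String name = headerNames.nextElement();
            if (isRedactedHeader(name)) {
                dumpVariable(sb, name, REDACTED);
                continue;
            }
            Enumeration<String> values = httpServletRequest.getHeaders(name);
            while (values != null && values.hasMoreElements()) {
                dumpVariable(sb, name, values.nextElement());
            }
        }
    }

    /**
     * Appends every parameter value to the dump, one line per value. Values of
     * password-like parameters are redacted.
     */
    private static void dumpParameters(StringBuilder sb, HttpServletRequest httpServletRequest) {
        Enumeration<String> parameterNames = httpServletRequest.getParameterNames();
        while (parameterNames.hasMoreElements()) {
            String name = parameterNames.nextElement();
            String[] values = httpServletRequest.getParameterValues(name);
            if (values == null) {
                continue;
            }
            boolean sensitive = isSensitiveParameter(name);
            for (String value : values) {
                dumpVariable(sb, name, sensitive ? REDACTED : value);
            }
        }
    }

    /** Appends one {@code name : "value"} line; CR/LF in either side are escaped. */
    private static void dumpVariable(StringBuilder sb, String str, String str2) {
        sb.append(neutralizeLineBreaks(str));
        sb.append(" : \"");
        sb.append(neutralizeLineBreaks(str2));
        sb.append("\"\r\n");
    }

    /** Replaces CR and LF with their visible escapes so a value cannot start a new log line. */
    private static String neutralizeLineBreaks(String value) {
        if (value == null) {
            return null;
        }
        return value.replace("\r", "\\r").replace("\n", "\\n");
    }

    /** Tells whether a header carries a credential and must be redacted in the dump. */
    private static boolean isRedactedHeader(String name) {
        for (String redacted : REDACTED_HEADERS) {
            if (StringUtils.equalsIgnoreCase(name, redacted)) {
                return true;
            }
        }
        return false;
    }

    /** Tells whether a parameter name looks like it carries a secret. */
    private static boolean isSensitiveParameter(String name) {
        for (String marker : SENSITIVE_PARAMETER_MARKERS) {
            if (StringUtils.containsIgnoreCase(name, marker)) {
                return true;
            }
        }
        return false;
    }
}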
