package ee.datel.dogis.proxy.filter;

import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.SequenceInputStream;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ConcurrentLinkedQueue;
import javax.servlet.FilterChain;
import javax.servlet.ReadListener;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.text.StringEscapeUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

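/**
 * Servlet filter that rejects request bodies which appear to carry an XML DTD
 * ({@code <!DOCTYPE}, {@code <!ENTITY}, {@code <!ELEMENT}), as a guard against XXE.
 *
 * <p>Only the first buffer-full of the body (1024 bytes, see {@link #pop()}) is inspected;
 * the rest is streamed through untouched. The check is therefore a heuristic pre-filter:
 * <ul>
 *   <li>a DTD that starts after the inspected prefix is not seen;</li>
 *   <li>only encodings in which {@code '<'} is the byte 0x3C (optionally NUL-padded, as in
 *       UTF-16/UTF-32) are recognised;</li>
 *   <li>{@code application/x-www-form-urlencoded} and {@code multipart/form-data} bodies are
 *       skipped entirely, as are all methods other than POST, PUT and PATCH.</li>
 * </ul>
 * The XML parsers behind this filter should still have DTDs and external entities disabled;
 * this class must not be the only XXE control.
 *
 * <p>This listing was reconstructed from decompiled bytecode; the decompiler's invalid
 * {@code boolean}-typed switch variables have been replaced with valid Java.
 */
@Component
@Order(-90)
/* loaded from: input_file:ee/datel/dogis/proxy/filter/XxeKillerFilter.class */
public class XxeKillerFilter extends OncePerRequestFilter {
    protected static final Logger LOGGER = LoggerFactory.getLogger(XxeKillerFilter.class);

    /** Pool of reusable 1024-byte inspection buffers shared by all requests. */
    protected static final ConcurrentLinkedQueue<byte[]> BUFFERS = new ConcurrentLinkedQueue<>();

    /** Stateless, always-at-EOF stream; safe to share because it holds no per-request state. */
    protected static final ServletInputStream EMPTY_INPUTSTREAM = new ServletInputStream() { // from class: ee.datel.dogis.proxy.filter.XxeKillerFilter.1
        @Override
        public int read() throws IOException {
            return -1;
        }

        @Override
        public boolean isFinished() {
            return true;
        }

        @Override
        public boolean isReady() {
            return false;
        }

        @Override
        public void setReadListener(ReadListener readListener) {
        }
    };

    /**
     * Shared empty reader, kept for subclasses that reference it. It is no longer handed to
     * request consumers: a {@link BufferedReader} is unusable once closed, so a single
     * {@code close()} by any handler would break every later request that received it.
     */
    protected static final BufferedReader EMPTY_READER = new BufferedReader(new InputStreamReader((InputStream) EMPTY_INPUTSTREAM, StandardCharsets.ISO_8859_1), 1);

    @Override
    public void afterPropertiesSet() throws ServletException {
        super.afterPropertiesSet();
        LOGGER.info("XXE Killer Filter initiated");
    }

    /**
     * Decides which requests bypass the body inspection.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} (skip the filter) for every method other than POST, PUT and PATCH,
     *     and for POST/PUT/PATCH requests whose content type starts with
     *     {@code application/x-www-form-urlencoded} or {@code multipart/form-data};
     *     {@code false} otherwise, including when no content type is declared
     */
    @Override
    protected boolean shouldNotFilter(HttpServletRequest httpServletRequest) throws ServletException {
        String method = httpServletRequest.getMethod();
        switch (method) {
            case "POST":
            case "PUT":
            case "PATCH":
                // The skip is driven by the client-declared content type, and the comparison is
                // case-sensitive, so a differently-cased form content type is still inspected.
                // NOTE(review): if a downstream handler parses XML regardless of the declared
                // content type, a form/multipart label bypasses this filter - confirm.
                String contentType = httpServletRequest.getContentType();
                return contentType != null
                        && (contentType.startsWith("application/x-www-form-urlencoded")
                        || contentType.startsWith("multipart/form-data"));
            default:
                return true;
        }
    }

    /**
     * Inspects the start of the body and either rejects the request with HTTP 418 or passes a
     * wrapped request (with the already-consumed bytes replayed) down the chain.
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        byte[] buffer = pop();
        try {
            HttpServletRequest wrapped = getWrap(httpServletRequest, buffer);
            if (wrapped == null) {
                httpServletResponse.sendError(HttpStatus.I_AM_A_TEAPOT.value(), "I hate XXE!");
            } else {
                filterChain.doFilter(wrapped, httpServletResponse);
            }
        } finally {
            // The wrapped request reads directly from this buffer, so it may only be recycled
            // once nothing reads the body any more.
            // NOTE(review): if a handler starts async processing and reads the body after
            // doFilter returns, the buffer could already be reused by another request - confirm
            // that no async body consumers sit behind this filter.
            push(buffer);
        }
    }

    /**
     * Reads up to {@code bArr.length} bytes of the body, scans them for a DTD and builds the
     * request to forward.
     *
     * @param httpServletRequest the original request
     * @param bArr scratch buffer that receives the inspected prefix of the body
     * @return a wrapper replaying the full body, or {@code null} when the prefix contains a DTD
     *     marker and the request must be rejected
     * @throws IOException if reading the body fails
     */
    protected HttpServletRequest getWrap(HttpServletRequest httpServletRequest, byte[] bArr) throws IOException {
        ServletInputStream inputStream = httpServletRequest.getInputStream();
        if (inputStream == null) {
            return wrapNullInputStream(httpServletRequest);
        }
        // Compare the int returned by read() with -1 BEFORE narrowing to byte: a body whose
        // first byte is 0xFF (e.g. a UTF-16LE byte-order mark) narrows to (byte) -1 and would
        // otherwise be mistaken for an empty body and silently dropped.
        int first = inputStream.read();
        if (first == -1) {
            return wrapEmptyInputStream(httpServletRequest);
        }
        bArr[0] = (byte) first;
        int filled = 1;
        boolean bodyFullyBuffered = false;
        while (filled < bArr.length) {
            int count = inputStream.read(bArr, filled, bArr.length - filled);
            if (count == -1) {
                bodyFullyBuffered = true;
                break;
            }
            filled += count;
        }
        if (hasXxe(bArr, filled)) {
            // NOTE(review): escapeXml10 does not strip CR/LF, so the logged body prefix can
            // span several log lines; treat this entry as attacker-influenced when parsing logs.
            LOGGER.warn("I hate XXE!\nHost:{} Aadress:{}\nUser:{}\n{}",
                    httpServletRequest.getRemoteHost(),
                    httpServletRequest.getRemoteAddr(),
                    httpServletRequest.getRemoteUser(),
                    StringEscapeUtils.escapeXml10(new String(bArr, 0, filled, StandardCharsets.UTF_8)));
            return null;
        }
        ByteArrayInputStream prefix = new ByteArrayInputStream(bArr, 0, filled);
        // Anything beyond the inspected prefix is forwarded without being scanned.
        InputStream replay = bodyFullyBuffered ? prefix : new SequenceInputStream(prefix, inputStream);
        return getWrappedRequest(httpServletRequest, replay);
    }

    /**
     * Scans {@code bArr[0..i)} for {@code "<!D"} or {@code "<!E"}, ignoring NUL bytes so that
     * UTF-16/UTF-32 encoded ASCII is matched as well.
     *
     * <p>If no {@code '<'} has been seen and a non-whitespace byte is found past offset 64, the
     * body is assumed not to be XML and the scan stops. Leading XML whitespace is not counted
     * towards that cut-off: an XML prolog may legally start with whitespace, and stopping on it
     * would let a padded document through unscanned.
     *
     * @param bArr buffer holding the start of the request body
     * @param i number of valid bytes in {@code bArr}
     * @return {@code true} if a DTD marker was found in the inspected bytes
     */
    protected static boolean hasXxe(byte[] bArr, int i) {
        // 0 = looking for '<', 1 = previous byte was '<', 2 = previous bytes were "<!".
        int state = 0;
        boolean noTagSeen = true;
        for (int idx = 0; idx < i; idx++) {
            byte b = bArr[idx];
            if (b == 0) {
                continue;
            }
            switch (state) {
                case 1:
                    state = (b == '!') ? 2 : 0;
                    break;
                case 2:
                    if (b == 'D' || b == 'E') {
                        return true;
                    }
                    state = 0;
                    break;
                default:
                    if (b == '<') {
                        noTagSeen = false;
                        state = 1;
                    } else if (noTagSeen && idx > 64 && !isXmlWhitespace(b)) {
                        return false;
                    }
                    break;
            }
        }
        return false;
    }

    /** Returns whether {@code b} is one of the four XML whitespace bytes (space, tab, LF, CR). */
    private static boolean isXmlWhitespace(byte b) {
        return b == ' ' || b == '\t' || b == '\n' || b == '\r';
    }

    /**
     * Wraps the request so that its body is served from {@code inputStream} (the replayed
     * prefix, optionally followed by the remainder of the original stream).
     *
     * @param httpServletRequest the original request
     * @param inputStream stream to serve as the request body
     * @return the wrapping request
     */
    protected HttpServletRequest getWrappedRequest(HttpServletRequest httpServletRequest, final InputStream inputStream) {
        return new HttpServletRequestWrapper(httpServletRequest) { // from class: ee.datel.dogis.proxy.filter.XxeKillerFilter.2
            // Named differently from the captured parameter on purpose: in the decompiled
            // listing both were called "inputStream", so the field shadowed the parameter and
            // the stream below ended up reading from itself.
            private BufferedReader cachedReader;
            private ServletInputStream cachedStream;

            @Override
            public BufferedReader getReader() throws IOException {
                if (this.cachedReader == null) {
                    // getCharacterEncoding() is null when the client sent no charset, and
                    // InputStreamReader rejects a null charset name; fall back to ISO-8859-1.
                    String encoding = getCharacterEncoding();
                    if (encoding == null) {
                        encoding = StandardCharsets.ISO_8859_1.name();
                    }
                    this.cachedReader = new BufferedReader(new InputStreamReader(inputStream, encoding));
                }
                return this.cachedReader;
            }

            @Override
            public ServletInputStream getInputStream() throws IOException {
                if (this.cachedStream == null) {
                    this.cachedStream = new ServletInputStream() { // from class: ee.datel.dogis.proxy.filter.XxeKillerFilter.2.1
                        private boolean end;

                        @Override
                        public int read() throws IOException {
                            int value = inputStream.read();
                            this.end = value == -1;
                            return value;
                        }

                        @Override
                        public void close() throws IOException {
                            inputStream.close();
                            super.close();
                        }

                        @Override
                        public boolean isFinished() {
                            return this.end;
                        }

                        @Override
                        public boolean isReady() {
                            return false;
                        }

                        @Override
                        public void setReadListener(ReadListener readListener) {
                        }
                    };
                }
                return this.cachedStream;
            }
        };
    }

    /**
     * Wraps a request whose body is empty.
     *
     * @param httpServletRequest the original request
     * @return a wrapper whose stream and reader are immediately at end-of-input
     */
    protected HttpServletRequest wrapEmptyInputStream(HttpServletRequest httpServletRequest) {
        return new HttpServletRequestWrapper(httpServletRequest) { // from class: ee.datel.dogis.proxy.filter.XxeKillerFilter.3
            private BufferedReader emptyReader;

            @Override
            public BufferedReader getReader() throws IOException {
                // One reader per request: a handler closing it must not affect other requests.
                if (this.emptyReader == null) {
                    this.emptyReader = new BufferedReader(
                            new InputStreamReader((InputStream) XxeKillerFilter.EMPTY_INPUTSTREAM, StandardCharsets.ISO_8859_1), 1);
                }
                return this.emptyReader;
            }

            @Override
            public ServletInputStream getInputStream() throws IOException {
                return XxeKillerFilter.EMPTY_INPUTSTREAM;
            }
        };
    }

    /**
     * Wraps a request for which the container returned no input stream at all.
     *
     * @param httpServletRequest the original request
     * @return a wrapper whose {@code getReader()} and {@code getInputStream()} return {@code null}
     */
    protected HttpServletRequest wrapNullInputStream(HttpServletRequest httpServletRequest) {
        return new HttpServletRequestWrapper(httpServletRequest) { // from class: ee.datel.dogis.proxy.filter.XxeKillerFilter.4
            @Override
            public BufferedReader getReader() throws IOException {
                return null;
            }

            @Override
            public ServletInputStream getInputStream() throws IOException {
                return null;
            }
        };
    }

    /**
     * Takes an inspection buffer from the pool, allocating a new 1024-byte one if the pool is
     * empty. The buffer size is the upper bound on how much of each body is scanned.
     */
    protected byte[] pop() {
        byte[] pooled = BUFFERS.poll();
        return pooled == null ? new byte[1024] : pooled;
    }

    /**
     * Returns a buffer to the pool. The contents are not cleared; readers are bounded by the
     * fill count in {@link #getWrap}, so stale bytes are not replayed.
     */
    protected void push(byte[] bArr) {
        BUFFERS.offer(bArr);
    }
}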
