package com.xdja.pki.security.filter;

import com.alibaba.fastjson.JSON;
import com.xdja.pki.common.enums.ErrorEnum;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.web.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
import org.springframework.util.StreamUtils;

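/**
 * Servlet filter that rejects requests whose headers, parameters or POST body contain an
 * entry of a small SQL-keyword blocklist or one of a few script-injection fragments, and
 * answers such requests with an HTTP 400 JSON error instead of passing them on.
 *
 * <p>This is a substring/regex blocklist, not an encoder and not a substitute for
 * parameterised queries or output escaping. Each SQL keyword is matched as a
 * space-delimited substring ({@code " and "}, {@code " select "}, ...), so ordinary text
 * such as {@code "salt and pepper"} is rejected as well, while the same keyword without
 * surrounding spaces is not.
 *
 * <p>{@link XssAndSqlHttpServletRequest} reads the whole body of every non-exempt request
 * into memory, regardless of method, so large bodies cost heap. Only POST bodies are
 * screened as a whole; other methods rely on the per-header / per-parameter checks.
 * Requests whose URI contains {@value #UPLOAD_URI} are exempt (substring match).
 */
@Component
public class XssAndSqlFilter implements Filter {
    /** URI fragment that bypasses the filter; matched with {@code String.contains}. */
    private static final String UPLOAD_URI = "/v1/system/upgradeBin/upload";
    /** Lower-case keyword list; split on '|', every entry keeps its surrounding spaces. */
    private static final String sql = " and | or | alter | exec | insert | select | drop | delete | update | count | chr | mid | master | table | database | truncate | char | declare ";
    /** Upper-case twin of {@link #sql}; mixed case such as "Select" is matched by neither. */
    private static final String sqlUp = " AND | OR | ALTER | EXEC | INSERT | SELECT | DROP | DELETE | UPDATE | COUNT | CHR | MID | MASTER | TABLE | DATABASE | TRUNCATE | CHAR | DECLARE ";
    private static final Logger logger = LoggerFactory.getLogger(XssAndSqlFilter.class);
    /** Flag value 2 in the original. */
    private static final int CI = Pattern.CASE_INSENSITIVE;
    /** Flag value 42 in the original. */
    private static final int CI_ML_DOTALL = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;
    private static final Pattern script1Pattern = Pattern.compile("<[\r\n| | ]*script[\r\n| | ]*>(.*?)</[\r\n| | ]*script[\r\n| | ]*>", CI);
    // Requires exactly one CR/LF/'|'/space between "script" and ">", so a bare "</script>" is not matched here.
    private static final Pattern script2Pattern = Pattern.compile("</[\r\n| | ]*script[\r\n| | ]>", CI);
    private static final Pattern script3Pattern = Pattern.compile("<[\r\n| | ]*script(.*?)>", CI_ML_DOTALL);
    private static final Pattern srcPattern = Pattern.compile("src[\r\n| | ]*=[\r\n| | ]*[\\\"|\\'](.*?)[\\\"|\\']", CI_ML_DOTALL);
    private static final Pattern evalPattern = Pattern.compile("eval\\((.*?)\\)", CI_ML_DOTALL);
    // Literal is "e-xpression" (with a hyphen) as found; a plain "expression(...)" is not caught. Confirm intent.
    private static final Pattern expressionPattern = Pattern.compile("e-xpression\\((.*?)\\)", CI_ML_DOTALL);
    private static final Pattern javaScriptPattern = Pattern.compile("javascript[\r\n| | ]*:[\r\n| | ]*", CI);
    private static final Pattern vbScriptPattern = Pattern.compile("vbscript[\r\n| | ]*:[\r\n| | ]*", CI);
    private static final Pattern onloadPattern = Pattern.compile("onload(.*?)=", CI_ML_DOTALL);
    /** XSS patterns in the order they are tried; {@link #XSS_MESSAGES} is index-aligned with it. */
    private static final Pattern[] XSS_PATTERNS = {
        script1Pattern, script2Pattern, script3Pattern, srcPattern, evalPattern,
        expressionPattern, javaScriptPattern, vbScriptPattern, onloadPattern
    };
    /** Log line written when the pattern at the same index matches. */
    private static final String[] XSS_MESSAGES = {
        "请求参数包含不允许的xss关键字<script>*</script>",
        "请求参数包含不允许的xss关键字</script>",
        "请求参数包含不允许的xss关键字<script *>",
        "请求参数包含不允许的xss关键字src=\" * \"",
        "请求参数包含不允许的xss关键字eval(*)",
        "请求参数包含不允许的xss关键字e-xpression(*)",
        "请求参数包含不允许的xss关键字javascript:*",
        "请求参数包含不允许的xss关键字vbscript:*",
        "请求参数包含不允许的xss关键字onload(*)=*"
    };
    /** Union of both keyword lists, each entry still wrapped in the spaces it was declared with. */
    private static final Set<String> sqlKeys = new HashSet<>();

    static {
        Collections.addAll(sqlKeys, sql.split("\\|"));
        Collections.addAll(sqlKeys, sqlUp.split("\\|"));
    }

    /**
     * Request wrapper that buffers the body so it can be read more than once and screens
     * header and parameter values on access.
     *
     * <p>When a screened value is rejected, {@link XssAndSqlFilter#errorPrint} writes the
     * 400 response immediately and the accessor returns {@code null}; the caller keeps
     * running, so anything it writes afterwards lands on an already committed response.
     */
    public static class XssAndSqlHttpServletRequest extends HttpServletRequestWrapper {
        private final byte[] buffer;
        private final ServletResponse response;

        /**
         * Wraps {@code httpServletRequest} and reads its whole input stream into memory.
         *
         * @param httpServletRequest request to wrap
         * @param servletResponse response the error body is written to on rejection
         * @throws IOException if the request body cannot be read
         */
        public XssAndSqlHttpServletRequest(HttpServletRequest httpServletRequest, ServletResponse servletResponse) throws IOException {
            super(httpServletRequest);
            this.response = servletResponse;
            this.buffer = StreamUtils.copyToByteArray(httpServletRequest.getInputStream());
        }

        /** Charset declared by the request, falling back to UTF-8 when absent or unknown. */
        private Charset bodyCharset() {
            String encoding = getCharacterEncoding();
            if (encoding == null) {
                return StandardCharsets.UTF_8;
            }
            try {
                return Charset.forName(encoding);
            } catch (IllegalArgumentException e) {
                // IllegalCharsetNameException / UnsupportedCharsetException: a client-supplied name we cannot honour.
                return StandardCharsets.UTF_8;
            }
        }

        /**
         * @return a reader over the buffered body, decoded with the request's declared charset
         *     (the original used the platform default, which need not match the request)
         */
        @Override
        public BufferedReader getReader() throws IOException {
            return new BufferedReader(new InputStreamReader(getInputStream(), bodyCharset()));
        }

        /** @return a fresh stream over the buffered body; may be called any number of times */
        @Override
        public ServletInputStream getInputStream() throws IOException {
            final ByteArrayInputStream source = new ByteArrayInputStream(this.buffer);
            return new ServletInputStream() {
                @Override
                public int read() throws IOException {
                    return source.read();
                }
            };
        }

        /** @return the buffered body bytes (the live array, not a copy) */
        public byte[] getBody() {
            return this.buffer;
        }

        /** @return the buffered body decoded with the request's declared charset (UTF-8 fallback) */
        public String getBodyAsString() {
            return new String(this.buffer, bodyCharset());
        }

        /**
         * {@inheritDoc}
         *
         * @return the header value, or {@code null} after writing the 400 response when it is rejected
         */
        @Override
        public String getHeader(String str) {
            String header = super.getHeader(str);
            if (XssAndSqlFilter.checkXssAndSql(header)) {
                XssAndSqlFilter.errorPrint(this.response);
                return null;
            }
            return header;
        }

        /**
         * {@inheritDoc}
         *
         * <p>Every value is screened. The original consumed the first element while checking
         * it and then handed back the partially drained enumeration; the values are now
         * materialised so nothing is lost.
         *
         * @return all values, or {@code null} after writing the 400 response when any is rejected
         */
        @Override
        public Enumeration<String> getHeaders(String str) {
            Enumeration<String> headers = super.getHeaders(str);
            if (headers == null) {
                return null;
            }
            List<String> values = Collections.list(headers);
            for (String value : values) {
                if (XssAndSqlFilter.checkXssAndSql(value)) {
                    XssAndSqlFilter.errorPrint(this.response);
                    return null;
                }
            }
            return Collections.enumeration(values);
        }

        /**
         * {@inheritDoc}
         *
         * @return the parameter value, or {@code null} after writing the 400 response when it is rejected
         */
        @Override
        public String getParameter(String str) {
            String parameter = super.getParameter(str);
            if (XssAndSqlFilter.checkXssAndSql(parameter)) {
                XssAndSqlFilter.errorPrint(this.response);
                return null;
            }
            return parameter;
        }

        /**
         * {@inheritDoc}
         *
         * @return all values, or {@code null} when the parameter is absent or any value is rejected
         *     (in the latter case the 400 response has already been written)
         */
        @Override
        public String[] getParameterValues(String str) {
            String[] parameterValues = super.getParameterValues(str);
            if (parameterValues == null) {
                return null;
            }
            for (String value : parameterValues) {
                if (XssAndSqlFilter.checkXssAndSql(value)) {
                    XssAndSqlFilter.errorPrint(this.response);
                    return null;
                }
            }
            return parameterValues;
        }
    }

    /** No configuration is read; nothing to set up. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Screens the request and either answers with a 400 error or passes a body-buffering
     * wrapper down the chain.
     *
     * @param servletRequest incoming request; assumed to be an {@link HttpServletRequest}
     * @param servletResponse response the error body is written to on rejection
     * @param filterChain remainder of the chain
     * @throws IOException if the body cannot be read or the chain fails
     * @throws ServletException if the chain fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        // Substring match: any URI that embeds the upload path is exempt, not only the upload endpoint itself.
        if (httpServletRequest.getRequestURI().contains(UPLOAD_URI)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        // The constructor buffers the full body for every method, not just POST.
        XssAndSqlHttpServletRequest wrapped = new XssAndSqlHttpServletRequest(httpServletRequest, servletResponse);
        // Only POST bodies are screened as a whole; PUT/PATCH bodies reach the handler unscreened.
        if ("post".equalsIgnoreCase(httpServletRequest.getMethod()) && checkXssAndSql(wrapped.getBodyAsString())) {
            errorPrint(servletResponse);
            return;
        }
        filterChain.doFilter(wrapped, servletResponse);
    }

    /** No resources are held; nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Writes the "illegal attack character" JSON error with status 400 and closes the writer.
     * Public so the nested wrapper can call it.
     *
     * @param servletResponse response to write to; converted with {@link WebUtils#toHttp}
     */
    public static void errorPrint(ServletResponse servletResponse) {
        try {
            HttpServletResponse http = WebUtils.toHttp(servletResponse);
            http.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            http.setContentType("application/json;charset=UTF-8");
            try (PrintWriter writer = http.getWriter()) {
                writer.write(JSON.toJSONString(ErrorEnum.REQUEST_CONTAIN_ILLEGAL_ATTACK_CHARACTER.resp(null)));
                writer.flush();
            }
        } catch (IOException e) {
            logger.error("响应失败", e);
        }
    }

    /**
     * Reports whether {@code str} contains a blocklisted SQL keyword or XSS fragment.
     *
     * @param str value to screen; blank or {@code null} values pass
     * @return {@code true} when the value is to be rejected; the reason is logged at ERROR level
     */
    public static boolean checkXssAndSql(String str) {
        if (StringUtils.isBlank(str)) {
            return false;
        }
        for (String key : sqlKeys) {
            if (str.contains(key)) {
                // Log the matched keyword rather than the whole value: bodies and parameters can carry credentials.
                logger.error("请求参数包含不允许的sql关键字[{}]", key);
                return true;
            }
        }
        for (int i = 0; i < XSS_PATTERNS.length; i++) {
            if (XSS_PATTERNS[i].matcher(str).find()) {
                logger.error(XSS_MESSAGES[i]);
                return true;
            }
        }
        return false;
    }
}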
