package com.xdja.uas.common.filter;

import com.xdja.uas.common.commonconst.PamsConst;
import com.xdja.uas.common.util.Util;
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/xdja/uas/common/filter/InjectFilter.class */
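/**
 * Request-parameter deny-list filter: every parameter value except {@code password} is
 * checked against a SQL-token pattern and a script/markup pattern, and the request is
 * blocked when either pattern matches.
 *
 * <p>Only the servlet parameter map is inspected (nothing is read from headers, cookies or
 * a raw request body), and the match is a heuristic: a value containing a whole word such
 * as "and", "count" or "input", or a single {@code '} or {@code <}, is rejected. This is a
 * defence-in-depth layer, not a replacement for parameterised queries and contextual
 * output encoding in the code that consumes these parameters.
 *
 * <p>Blocked requests get a redirect to {@link PamsConst#ERROR_PAGE}; when the caller
 * identifies itself as an XMLHttpRequest (and does not ask for a page response via
 * {@link PamsConst#SAFEFILTER_INFO_RTNDATA_TYPE}) it gets HTTP 400 with an
 * {@code Inject-param} marker header instead.
 */
public class InjectFilter extends HttpServlet implements Filter {
    private static final long serialVersionUID = 5286703103846683570L;
    // Attributed to this class; the original obtained the logger for RolePowerFilters, so
    // the warnings below showed up under the wrong logger category.
    private static final Logger log = LoggerFactory.getLogger(InjectFilter.class);
    /** Longest fragment of an offending value that is written to the log. */
    private static final int LOG_VALUE_MAX_LEN = 200;
    /** Control characters (CR, LF, ...) are replaced before an untrusted value is logged. */
    private static final Pattern CONTROL_CHARS = Pattern.compile("\\p{Cntrl}");
    // Quotes, SQL comment markers and a fixed list of SQL keywords matched as whole words.
    // "truncate" was spelled "trancate" in the original list and therefore never matched.
    private static final String SQL_REG = "(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|(\\b(select|update|and|or|delete|insert|truncate|char|into|substr|ascii|declare|exec|count|alter|drop|execute|having)\\b)";
    // Script/markup tokens. The "expression(" alternative originally carried a soft hyphen
    // (U+00AD) between "e" and "xpression", so it could not match real input; spelled plainly here.
    private static final String JS_REG = "(script|src[\r\n]*=[\r\n]*(.*?)|eval\\((.*?)\\)|iframe|expression\\((.*?)\\)|javascript:|vbscript:|onload(.*?)=|WEB-INF|web(.*?).xml|\\.\\.|Content-Type|alert(.*?)|onclick|ondblclick|onerror|onkeydown|onload|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onresize|onselect|onsubmit|onunload|onfocus|input|onblur|onchange|onabort|onkeypress|onkeyup|<|>)";
    // Both patterns are case-insensitive (the decompiled source passed the raw flag value 2).
    private static final Pattern SQL_PATTERN = Pattern.compile(SQL_REG, Pattern.CASE_INSENSITIVE);
    private static final Pattern JS_PATTERN = Pattern.compile(JS_REG, Pattern.CASE_INSENSITIVE);

    /**
     * Scans the request parameters and either passes the request down the chain or answers
     * it with an error redirect / HTTP 400.
     *
     * @throws IOException      from the chain or from {@code sendRedirect}
     * @throws ServletException from the chain
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String offending = firstOffendingValue(request);
        if (StringUtils.isBlank(offending)) {
            // NOTE(review): the decompiled body also walked SafeFilters.fireURLList here, but
            // called filterChain.doFilter whether or not the URI matched, so the list never
            // changed the outcome (it only risked an NPE when the list was null). It is still
            // loaded in init(); confirm against the original source whether it was meant to
            // exempt those URIs from this check.
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        // The value is attacker-controlled; it is sanitised so a crafted parameter cannot
        // forge extra log lines or flood the log.
        log.warn("参数含有注入攻击非法字符：" + forLog(offending));
        // X-Requested-With is set by the client and only selects the response shape; the
        // block decision itself does not depend on it.
        if (isXmlHttpRequest(request) && !wantsPageResponse(request)) {
            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            response.addHeader("Inject-param", "Inject-param");
        } else {
            response.sendRedirect(request.getContextPath() + PamsConst.ERROR_PAGE);
        }
    }

    /** True when the request carries {@code X-Requested-With: XMLHttpRequest}. */
    private static boolean isXmlHttpRequest(HttpServletRequest request) {
        return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
    }

    /** True when the caller explicitly asked for a page-style error response. */
    private static boolean wantsPageResponse(ServletRequest request) {
        String type = request.getParameter(PamsConst.SAFEFILTER_INFO_RTNDATA_TYPE);
        return type != null && PamsConst.SAFEFILTER_INFO_RTNDATA_TYPE_PAGE.equals(type);
    }

    /**
     * Returns the first parameter value that fails either validator, or {@link PamsConst#EMP}
     * when every value passes.
     *
     * <p>The {@code password} parameter is deliberately skipped (passwords legitimately hold
     * quotes and angle brackets), which also means it is the one parameter this filter never
     * checks. Blank values are skipped as well.
     */
    private static String firstOffendingValue(ServletRequest request) {
        Enumeration<String> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            if ("password".equals(name)) {
                continue;
            }
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                // The script check runs first; the SQL check is only consulted when it passes,
                // so each rejected value produces exactly one validator warning.
                if (!StringUtils.isBlank(value) && !(jsValidate(value) && sqlValidate(value))) {
                    return value;
                }
            }
        }
        return PamsConst.EMP;
    }

    /**
     * Returns true when {@code str} contains none of the SQL tokens; otherwise logs the
     * (sanitised) value and returns false.
     */
    private static boolean sqlValidate(String str) {
        if (!SQL_PATTERN.matcher(str).find()) {
            return true;
        }
        log.warn("未通过sql注入校验：" + forLog(str));
        return false;
    }

    /**
     * Returns true when {@code str} contains none of the script/markup tokens; otherwise logs
     * the (sanitised) value and returns false.
     */
    private static boolean jsValidate(String str) {
        if (!JS_PATTERN.matcher(str).find()) {
            return true;
        }
        log.warn("未通过js注入校验：" + forLog(str));
        return false;
    }

    /**
     * Makes an untrusted value safe to append to a log line: control characters become
     * {@code ?} and the result is cut to {@link #LOG_VALUE_MAX_LEN} characters.
     */
    private static String forLog(String value) {
        String cleaned = CONTROL_CHARS.matcher(value).replaceAll("?");
        if (cleaned.length() <= LOG_VALUE_MAX_LEN) {
            return cleaned;
        }
        return cleaned.substring(0, LOG_VALUE_MAX_LEN) + "...";
    }

    /**
     * Populates the shared {@code SafeFilters.fireURLList} from the property file when no
     * other filter has done so yet. This filter itself does not consult the list (see the
     * note in {@link #doFilter}).
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        if (SafeFilters.fireURLList == null) {
            SafeFilters.fireURLList = new Util().getProFile(PamsConst.SAFEFILTER_INFO_FIREURL);
        }
    }
}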
