package com.xdja.common.filter;

import com.xdja.common.base.MdpConst;
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/xdja/common/filter/SafeLegalFilter.class */
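/**
 * Servlet filter that rejects requests whose parameter values look like SQL or script/HTML
 * injection, using two keyword blacklists, and that refuses any query string mentioning
 * "password".
 *
 * <p>This is a blacklist check and therefore only a defence-in-depth layer: the word lists
 * contain ordinary English words ("and", "or", "new", "count", "function"), so legitimate
 * free-text parameters can be rejected, and an incomplete list cannot substitute for
 * parameterised SQL and context-aware output encoding in the handlers behind it.
 *
 * <p>{@code destroy()} required by {@link Filter} is inherited from {@code GenericServlet}.
 */
public class SafeLegalFilter extends HttpServlet implements Filter {
    private static final long serialVersionUID = 5286703103846683570L;
    private static final Logger log = LoggerFactory.getLogger(SafeLegalFilter.class);

    /**
     * SQL blacklist: quote, line comment, block comment, or a whole-word keyword.
     * The keyword originally listed as "trancate" is spelled "truncate" here; the
     * misspelling meant the TRUNCATE keyword was never matched.
     */
    private static final String SQL_REG = "(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|(\\b(select|update|and|or|delete|insert|truncate|char|into|substr|ascii|declare|exec|count|alter|drop|execute|having)\\b)";

    /**
     * Script/HTML blacklist. Most alternatives are unanchored substrings, so e.g. "newsletter"
     * is rejected because of the trailing "new" alternative, and any '<' or '>' is rejected.
     * The CSS {@code expression(} alternative originally contained an invisible U+00AD
     * (soft hyphen) between "e" and "xpression", so it never matched real input; it is
     * written as plain ASCII here.
     */
    private static final String JS_REG = "script|(<script>(.*?)</script>|src[\r\n]*=[\r\n]*(.*?)|</script>|<script(.*?)>|eval\\((.*?)\\)|expression\\((.*?)\\)|javascript:|vbscript:|onload(.*?)=|<iframe(.*?)>|</iframe>|<iframe>(.*?)</iframe>|WEB-INF|web(.*?).xml|\\.\\.|Content-Type|alert(.*?)|<|>)|location|onmouseover|Function|function|new";

    // Both patterns are matched case-insensitively (the original code passed the raw flag value 2).
    private static final Pattern SQL_PATTERN = Pattern.compile(SQL_REG, Pattern.CASE_INSENSITIVE);
    private static final Pattern JS_PATTERN = Pattern.compile(JS_REG, Pattern.CASE_INSENSITIVE);

    /** No configuration is read; the blacklists are compile-time constants. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Screens the request parameters and either continues the chain or answers with an error.
     *
     * @param servletRequest  incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse outgoing response; must be an {@link HttpServletResponse}
     * @param filterChain     remainder of the filter chain, invoked only for clean requests
     * @throws IOException      if writing the error response fails
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        if (StringUtils.isNotBlank(injectInput(servletRequest))) {
            pushErrorMessage(httpServletRequest, httpServletResponse);
        } else {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Answers a rejected request: browsers are redirected to the "unsafe" page, XHR callers get
     * a 400 with a short plain body.
     *
     * @param httpServletRequest  the rejected request
     * @param httpServletResponse the response to complete
     * @throws IOException if the redirect or body write fails
     */
    private void pushErrorMessage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String requestedWith = httpServletRequest.getHeader("X-Requested-With");
        if (!"XMLHttpRequest".equals(requestedWith)) {
            httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + "/index/index.do?pUrl=" + MdpConst.CHECK_UNSAFE_PAGE);
        } else {
            // Set the status before writing: calling sendError() after getWriter().print() either
            // discards the buffered text (uncommitted response) or throws IllegalStateException
            // (committed response), so the "illegal parameter" body was never reliably delivered.
            httpServletResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            httpServletResponse.getWriter().print("illegal parameter");
        }
    }

    /**
     * Finds the first offending input of the request.
     *
     * @param servletRequest request to inspect; must be an {@link HttpServletRequest}
     * @return a fixed message when the query string contains "password" (case-sensitive
     *         substring check), otherwise the first non-blank parameter value that fails the
     *         script or SQL blacklist, or {@code ""} when every value passes. Values of the
     *         parameter named exactly "password" are not inspected.
     */
    private String injectInput(ServletRequest servletRequest) {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null && queryString.contains("password")) {
            return "not allow password in url";
        }
        Enumeration<String> parameterNames = servletRequest.getParameterNames();
        while (parameterNames.hasMoreElements()) {
            String name = parameterNames.nextElement();
            if ("password".equals(name)) {
                continue;
            }
            String[] values = servletRequest.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (StringUtils.isBlank(value)) {
                    continue;
                }
                // Script check first, SQL check only if the script check passed (same order and
                // short-circuit as the original loop); the first failing value is reported.
                if (!jsValidate(value) || !sqlValidate(value)) {
                    return value;
                }
            }
        }
        return "";
    }

    /**
     * @param str non-blank parameter value
     * @return {@code true} when no SQL blacklist token is found; otherwise logs and returns
     *         {@code false}. The raw value is written to the log as-is, so log consumers should
     *         treat that line as untrusted text.
     */
    private static boolean sqlValidate(String str) {
        if (!SQL_PATTERN.matcher(str).find()) {
            return true;
        }
        log.warn("未通过sql注入校验：" + str);
        return false;
    }

    /**
     * @param str non-blank parameter value
     * @return {@code true} when no script/HTML blacklist token is found; otherwise logs and
     *         returns {@code false}. The raw value is written to the log as-is, so log consumers
     *         should treat that line as untrusted text.
     */
    private static boolean jsValidate(String str) {
        if (!JS_PATTERN.matcher(str).find()) {
            return true;
        }
        log.warn("未通过js注入校验：" + str);
        return false;
    }
}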
