package com.xdja.pams.common.filter;

import com.xdja.pams.common.commonconst.PamsConst;
import com.xdja.pams.common.util.MD5Util;
import com.xdja.pams.common.util.Util;
import java.io.IOException;
import java.net.URLEncoder;
import java.util.Comparator;
import java.util.Enumeration;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/xdja/pams/common/filter/InjectFilter.class */
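public class InjectFilter extends HttpServlet implements Filter {
    private static final long serialVersionUID = 5286703103846683570L;

    // The decompiled original obtained its logger for RolePowerFilters.class, so every
    // warning emitted here was attributed to the wrong class; log under this class instead.
    private static final Logger log = LoggerFactory.getLogger(InjectFilter.class);

    /** Request header (and value) used by XMLHttpRequest clients to identify themselves. */
    private static final String X_REQUESTED_WITH = "X-Requested-With";
    private static final String XML_HTTP_REQUEST = "XMLHttpRequest";

    /** Response header set when a request is rejected because of a blocklisted parameter value. */
    private static final String HEADER_INJECT_PARAM = "Inject-param";

    /** Parameter name that is exempt from the injection blocklists (see {@link #injectInput}). */
    private static final String PARAM_PASSWORD = "password";

    // Blocklist of SQL fragments. Kept byte-identical to the original: note that "trancate"
    // is presumably a misspelling of "truncate" and therefore never matches, and that common
    // English words ("and", "or", "char", "count") are blocked too, so legitimate text
    // input will be rejected. A blocklist is not a substitute for parameterized queries.
    private static final String SQL_REG = "(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|(\\b(select|update|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|alter|drop|execute|having)\\b)";

    // Blocklist of script/markup fragments. Kept byte-identical to the original: the
    // "e\u00adxpression" alternative contains a soft hyphen and so never matches "expression(".
    // Output encoding at render time is the real XSS defense; this only rejects obvious input.
    private static final String JS_REG = "(script|src[\r\n]*=[\r\n]*(.*?)|eval\\((.*?)\\)|iframe|e\u00adxpression\\((.*?)\\)|javascript:|vbscript:|onload(.*?)=|WEB-INF|web(.*?).xml|\\.\\.|Content-Type|alert(.*?)|onclick|ondblclick|onerror|onkeydown|onload|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onresize|onselect|onsubmit|onunload|onfocus|input|onblur|onchange|onabort|onkeypress|onkeyup|<|>)";

    // The original passed the literal flag value 2, which is Pattern.CASE_INSENSITIVE.
    private static final Pattern SQL_PATTERN = Pattern.compile(SQL_REG, Pattern.CASE_INSENSITIVE);
    private static final Pattern JS_PATTERN = Pattern.compile(JS_REG, Pattern.CASE_INSENSITIVE);

    /* renamed from: com.xdja.pams.common.filter.InjectFilter$1, reason: invalid class name */
    /* loaded from: input_file:com/xdja/pams/common/filter/InjectFilter$1.class */
    /** Natural-order string comparator left over from the decompiled class; not referenced here. */
    static class AnonymousClass1 implements Comparator<String> {
        AnonymousClass1() {
        }

        @Override // java.util.Comparator
        public int compare(String str, String str2) {
            return str.compareTo(str2);
        }
    }

    /* renamed from: com.xdja.pams.common.filter.InjectFilter$2, reason: invalid class name */
    /* loaded from: input_file:com/xdja/pams/common/filter/InjectFilter$2.class */
    /** Natural-order string comparator left over from the decompiled class; not referenced here. */
    static class AnonymousClass2 implements Comparator<String> {
        AnonymousClass2() {
        }

        @Override // java.util.Comparator
        public int compare(String str, String str2) {
            return str.compareTo(str2);
        }
    }

    /**
     * Rejects requests whose parameter values match the SQL/JS blocklists, then, for
     * XMLHttpRequest requests not on the {@code SafeFilters.fireURLList} allow-list, requires
     * the parameter-integrity header to match before passing the request down the chain.
     *
     * <p>Rejection shape: a non-XHR request (or one that asks for a page response via
     * {@code PamsConst.SAFEFILTER_INFO_RTNDATA_TYPE}) is redirected to an error page; any
     * other XHR request receives HTTP 400 plus a marker header.
     *
     * @param servletRequest  must be an {@link HttpServletRequest}
     * @param servletResponse must be an {@link HttpServletResponse}
     * @param filterChain     the remaining filter chain
     * @throws IOException      if the redirect or downstream processing fails
     * @throws ServletException if downstream processing fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        String offendingValue = injectInput(request);
        if (StringUtils.isNotBlank(offendingValue)) {
            log.warn("参数含有注入攻击非法字符：" + offendingValue);
            if (!isAjaxRequest(request) || wantsPageResponse(request)) {
                response.sendRedirect(request.getContextPath() + PamsConst.ERROR_PAGE);
            } else {
                response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
                response.addHeader(HEADER_INJECT_PARAM, HEADER_INJECT_PARAM);
            }
            return;
        }

        // NOTE(review): this is a substring match, so any URI that merely contains one of the
        // configured fragments skips the integrity check. Whether that is intended depends on
        // the format of the entries loaded in init(); an anchored match would be stricter.
        String requestUri = request.getRequestURI();
        for (String fireUrl : SafeFilters.fireURLList) {
            if (requestUri.contains(fireUrl)) {
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }
        }

        if (checkQueryParameterComplete(request)) {
            filterChain.doFilter(servletRequest, servletResponse);
        } else if (wantsPageResponse(request)) {
            response.sendRedirect(request.getContextPath() + PamsConst.DATA_MODIFICATION_PAGE);
        } else {
            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            response.addHeader(PamsConst.RESPONSE_DATA_BE_FALSIFIED, "data be falsified");
        }
    }

    /**
     * Whether the request identifies itself as an XMLHttpRequest. The original compared the
     * header value case-sensitively in {@code doFilter} and case-insensitively in
     * {@code checkQueryParameterComplete}; both paths now use the same (case-insensitive) test.
     */
    private static boolean isAjaxRequest(HttpServletRequest request) {
        String header = request.getHeader(X_REQUESTED_WITH);
        return header != null && header.equalsIgnoreCase(XML_HTTP_REQUEST);
    }

    /** Whether the caller asked for a page (redirect) response rather than a status code. */
    private static boolean wantsPageResponse(ServletRequest request) {
        return PamsConst.SAFEFILTER_INFO_RTNDATA_TYPE_PAGE.equals(
                request.getParameter(PamsConst.SAFEFILTER_INFO_RTNDATA_TYPE));
    }

    /**
     * Verifies the parameter-integrity header of an XMLHttpRequest request.
     *
     * <p>The request parameters are serialized by {@link #comboneRequestParameter}, split on
     * {@code &}, sorted, re-joined, URL-encoded (with {@code +} written as {@code %2B}) and
     * hashed with {@code MD5Util.encoderByPrueMd5}; the result must equal the
     * {@code PamsConst.REQUEST_COMPLETE_HEADER_KEY} header. Non-XHR requests are not checked.
     *
     * <p>NOTE(review): no key is involved in the visible computation, so this detects
     * accidental modification in transit but cannot stop a client that computes the same
     * digest itself — treat it as an integrity hint, not an authentication control.
     *
     * @param httpServletRequest the request to check
     * @return {@code true} if the request is not XHR or its header matches; {@code false} if the
     *         header is absent or mismatched, or if serialization/hashing throws
     */
    public boolean checkQueryParameterComplete(HttpServletRequest httpServletRequest) {
        if (!isAjaxRequest(httpServletRequest)) {
            return true;
        }
        try {
            String[] sortedParams = getUrlParam(comboneRequestParameter(httpServletRequest).split("&"));
            // Join with "&" exactly as the original did (append-all then drop the trailing "&"),
            // so an empty element still contributes a separator.
            StringBuilder canonical = new StringBuilder();
            boolean first = true;
            for (String param : sortedParams) {
                if (!first) {
                    canonical.append('&');
                }
                canonical.append(param);
                first = false;
            }
            String encoded = URLEncoder.encode(canonical.toString(), "UTF-8").replace("+", "%2B");
            log.debug(encoded);
            String header = httpServletRequest.getHeader(PamsConst.REQUEST_COMPLETE_HEADER_KEY);
            // A null header simply fails to match.
            return MD5Util.encoderByPrueMd5(encoded).equals(header);
        } catch (Exception e) {
            log.error(e.getMessage() + "请求参数完整性校验失败", e);
            return false;
        }
    }

    /**
     * Sorts the {@code key=value} fragments in place, ascending by {@link #isMoreThan}, and
     * returns the same array.
     *
     * <p>The explicit bubble sort is kept on purpose: {@code isMoreThan} treats null and empty
     * strings as "never greater", which is not a total order, so handing it to
     * {@code Arrays.sort} could produce a different order or a contract violation.
     *
     * @param params fragments to sort; modified in place
     * @return {@code params}
     */
    private String[] getUrlParam(String[] params) {
        for (int pass = 0; pass < params.length - 1; pass++) {
            for (int j = 0; j < params.length - pass - 1; j++) {
                if (isMoreThan(params[j], params[j + 1])) {
                    String tmp = params[j];
                    params[j] = params[j + 1];
                    params[j + 1] = tmp;
                }
            }
        }
        return params;
    }

    /**
     * Whether {@code left} sorts after {@code right}: char-by-char comparison, then by length,
     * which is exactly {@link String#compareTo}. Null or empty operands never compare greater.
     */
    private boolean isMoreThan(String left, String right) {
        if (left == null || right == null || left.isEmpty() || right.isEmpty()) {
            return false;
        }
        return left.compareTo(right) > 0;
    }

    /**
     * Serializes the request parameters as {@code key<CONDITION_SPLIT_2>value} fragments joined
     * by {@code &}, one fragment per value, skipping the parameter named {@code PamsConst.STR__}.
     * Map iteration order is whatever the container's parameter map provides; callers sort.
     *
     * @param httpServletRequest the request whose parameters are serialized
     * @return the joined fragments, or an empty string when there are no parameters
     */
    public String comboneRequestParameter(HttpServletRequest httpServletRequest) {
        // Older servlet APIs declare getParameterMap() as a raw Map; the contents are String[] values.
        @SuppressWarnings("unchecked")
        Map<String, String[]> parameterMap = httpServletRequest.getParameterMap();
        StringBuilder sb = new StringBuilder();
        boolean first = true;
        for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
            if (PamsConst.STR__.equals(entry.getKey())) {
                continue;
            }
            for (String value : entry.getValue()) {
                if (first) {
                    first = false;
                } else {
                    sb.append('&');
                }
                sb.append(entry.getKey()).append(PamsConst.CONDITION_SPLIT_2).append(value);
            }
        }
        return sb.toString();
    }

    /**
     * Returns the first non-blank parameter value that fails the JS or SQL blocklist, or an empty
     * string when every value passes. The {@code password} parameter is deliberately not
     * inspected, so blocklist characters in a password do not reject the request.
     *
     * <p>The decompiled loop was not valid Java ({@code for (0; i < length; i + 1)} with an
     * uninitialized index); this is the reading consistent with the surrounding code: iterate
     * the values, skip blanks, return the first value that is rejected by {@code jsValidate}
     * or {@code sqlValidate} (evaluated in that order, short-circuiting).
     *
     * @param servletRequest the request whose parameters are scanned
     * @return the offending value, or {@code ""} if none
     */
    private String injectInput(ServletRequest servletRequest) {
        // Older servlet APIs declare getParameterNames() as a raw Enumeration of String names.
        @SuppressWarnings("unchecked")
        Enumeration<String> parameterNames = servletRequest.getParameterNames();
        while (parameterNames.hasMoreElements()) {
            String name = parameterNames.nextElement();
            if (PARAM_PASSWORD.equals(name)) {
                continue;
            }
            String[] values = servletRequest.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (StringUtils.isBlank(value)) {
                    continue;
                }
                if (!(jsValidate(value) && sqlValidate(value))) {
                    return value;
                }
            }
        }
        return "";
    }

    /**
     * @return {@code true} if {@code str} contains no SQL blocklist match; logs and returns
     *         {@code false} otherwise
     */
    private static boolean sqlValidate(String str) {
        if (!SQL_PATTERN.matcher(str).find()) {
            return true;
        }
        log.warn("未通过sql注入校验：" + str);
        return false;
    }

    /**
     * @return {@code true} if {@code str} contains no JS/markup blocklist match; logs and
     *         returns {@code false} otherwise
     */
    private static boolean jsValidate(String str) {
        if (!JS_PATTERN.matcher(str).find()) {
            return true;
        }
        log.warn("未通过js注入校验：" + str);
        return false;
    }

    /**
     * Loads the integrity-check allow-list into the shared {@code SafeFilters.fireURLList} once.
     *
     * @param filterConfig unused
     * @throws ServletException never thrown here; declared by {@link Filter#init}
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        if (SafeFilters.fireURLList == null) {
            SafeFilters.fireURLList = new Util().getProFile(PamsConst.SAFEFILTER_INFO_FIREURL);
        }
    }
}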
