package com.contrastsecurity.agent.plugins.frameworks.e;

import com.contrastsecurity.agent.A;
import com.contrastsecurity.agent.apps.Application;
import com.contrastsecurity.agent.commons.l;
import com.contrastsecurity.agent.config.ContrastProperties;
import com.contrastsecurity.agent.http.HttpRequest;
import com.contrastsecurity.agent.plugins.frameworks.L;
import com.contrastsecurity.agent.plugins.frameworks.M;
import com.contrastsecurity.agent.plugins.frameworks.O;
import com.contrastsecurity.agent.plugins.frameworks.Q;
import com.contrastsecurity.agent.plugins.frameworks.e.c;
import com.contrastsecurity.agent.plugins.frameworks.u;
import com.contrastsecurity.agent.plugins.rasp.rules.xxe.XXERaspRule;
import com.contrastsecurity.agent.plugins.security.SecurityPlugin;
import com.contrastsecurity.agent.plugins.security.model.SourceEvent;
import com.contrastsecurity.agent.plugins.security.policy.propagators.Propagator;
import com.contrastsecurity.agent.plugins.security.policy.rules.Rule;
import com.contrastsecurity.agent.trace.Trace;
import com.contrastsecurity.agent.util.C0208e;
import com.contrastsecurity.agent.util.N;
import com.contrastsecurity.agent.util.ObjectShare;
import com.contrastsecurity.agent.util.W;
import com.contrastsecurity.thirdparty.org.apache.commons.lang.StringUtils;
import com.contrastsecurity.thirdparty.org.slf4j.Logger;
import com.contrastsecurity.thirdparty.org.slf4j.LoggerFactory;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import javax.xml.parsers.DocumentBuilder;

/* compiled from: JAXBSupporter.java */
/* loaded from: input_file:lib/contrast-agent-core.jar:com/contrastsecurity/agent/plugins/frameworks/e/e.class */
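/**
 * XXE-focused supporter for JAXB and the XML parsers that usually feed it (decompiled from
 * {@code JAXBSupporter.java}; identifiers are obfuscated).
 *
 * <p>For the XXE rule, {@link #a(Application, Rule, Object, Object[], Object)} reflects into the
 * parser being used and returns {@code false} only when it can positively confirm that external
 * entities or DOCTYPE declarations are switched off. Every reflection failure, missing field or
 * unknown parser type resolves to {@code true} ("assume external entities are supported"), so an
 * inspection error is never treated as evidence that the parser is hardened.
 *
 * <p>The class also supplies the JAXB policy location and tags {@code XMLStreamReader}s that
 * were produced by an {@code XMLInputFactory} with external entities disabled.
 */
public final class e extends u implements L, O, Q {
    // Agent configuration; getPolicyLocation() asks it whether the JAXB supporter is enabled.
    private final com.contrastsecurity.agent.config.g c;
    // Tagging service injected through the two-argument constructor; may be null, in which case
    // a() falls back to the service exposed by SecurityPlugin.
    private final com.contrastsecurity.agent.plugins.security.controller.propagate.a d;
    // Inspectors that o(Object) runs against an XMLEntityManager instance.
    private b[] e;
    // The string constants k..v and x..z are passed as the first argument of the
    // com.contrastsecurity.agent.h.e logging helper.
    // NOTE(review): presumably keys for throttling/de-duplicating repeated messages -- confirm.
    // NOTE(review): r, s and t are used in d(Object, Class), q(Object) and a(Object, Object[])
    // respectively, which does not line up with their text -- verify against the original source.
    private static final String k = "xom.configuration.reflection";
    private static final String l = "saxparser.configuration.reflection";
    private static final String m = "saxparser.reflection";
    private static final String n = "saxsource.reflection";
    private static final String q = "documentbuilder.reflection";
    private static final String r = "jaxb.unmarshaller.getProperty.reflection";
    private static final String s = "jaxb.unmarshaller.reflection";
    private static final String t = "jaxb.streamreader.reflection";
    private static final String u = "documentbuilder.xconfig.disallowdoctype.reflection";
    private static final String v = "documentbuilder.opensaml.reflection";
    // Exact class name an Unmarshaller argument must have to be treated as a SAXSource.
    private static final String w = "javax.xml.transform.sax.SAXSource";
    private static final String x = "jaxb.inputfactory.reflection";
    private static final String y = "jaxb.inputfactory.class";
    private static final String z = "jaxb.dynamic.tagging";
    // Class name looked up by p(Object) when recognising an Unmarshaller.
    private static final String A = "javax.xml.bind.Unmarshaller";
    public static final String b = "/policies/jaxb.xml";
    // Policy id is derived from the policy resource path.
    private static final int f = b.hashCode();
    // Single-element argument arrays for reflective getFeature(String) calls.
    private static final Object[] g = {"http://javax.xml.XMLConstants/property/accessExternalDTD"};
    private static final Object[] h = {"http://apache.org/xml/features/disallow-doctype-decl"};
    private static final Object[] i = {"http://xml.org/sax/features/external-general-entities"};
    private static final Object[] j = {"http://xml.org/sax/features/external-parameter-entities"};
    // Xerces parser base classes (standalone and JDK-internal copy).
    // NOTE(review): the leading space plus substring(1) presumably keeps class-relocation tooling
    // from rewriting these literals -- confirm.
    private static final String o = " org.apache.xerces.parsers.XMLParser".substring(1);
    private static final String p = " com.sun.org.apache.xerces.internal.parsers.XMLParser".substring(1);
    private static final Logger B = LoggerFactory.getLogger(e.class);

    /**
     * Creates a supporter that resolves the tagging service lazily from {@code SecurityPlugin}.
     *
     * @param gVar agent configuration
     */
    public e(com.contrastsecurity.agent.config.g gVar) {
        this(gVar, null);
    }

    /**
     * Creates a supporter with an explicit tagging service.
     *
     * @param gVar agent configuration
     * @param aVar tagging service to use, or {@code null} to resolve it from {@code SecurityPlugin}
     */
    @A
    e(com.contrastsecurity.agent.config.g gVar, com.contrastsecurity.agent.plugins.security.controller.propagate.a aVar) {
        this.e = new b[]{new d(), new g(), new f(), new j(), new h()};
        // NOTE(review): presumably an argument/null check on gVar -- confirm against commons.l.
        l.a(gVar);
        this.c = gVar;
        this.d = aVar;
    }

    /**
     * Decides, for the XXE rule only, whether the parser behind this call may resolve external
     * entities.
     *
     * <p>Parser families are tried in a fixed order: XMLStreamReader argument, XOM Builder,
     * DocumentBuilder, SAXParser, Xerces XMLParser, JAXB Unmarshaller, DocumentBuilder again
     * (reached only when the first pass was UNKNOWN and the object is not a proxy), XMLReader.
     * The order matters because an object can match more than one check.
     *
     * @param application the application being analysed (unused here)
     * @param rule the rule being evaluated; anything other than the XXE rule returns {@code true}
     * @param obj the object the instrumented method was invoked on
     * @param objArr the arguments of the instrumented call; may be {@code null}
     * @param obj2 the return value of the instrumented call (only logged)
     * @return {@code false} when the parser was confirmed to have external entities / DOCTYPE
     *     disabled, {@code true} otherwise (including every case that could not be inspected)
     */
    @Override // com.contrastsecurity.agent.plugins.frameworks.Q
    public boolean a(Application application, Rule rule, Object obj, Object[] objArr, Object obj2) {
        if (!XXERaspRule.ID.equals(rule.getId())) {
            return true;
        }
        if (B.isDebugEnabled()) {
            B.debug("Analyzing parser {}", W.a(obj));
        }
        // An XMLStreamReader passed as first argument that reports no external-entity support
        // settles the question regardless of the receiver.
        if (a(objArr) && !q(objArr[0])) {
            return false;
        }
        if (f(obj)) {
            Object g2 = g(obj);
            return g2 == null || e(g2) || j(g2);
        }
        if (n(obj)) {
            switch (m(obj)) {
                case DISALLOWED:
                    return false;
                case ALLOWED:
                    return true;
                case UNKNOWN:
                    // A DocumentBuilderProxy wraps the real builder; inspect the wrapped one.
                    if (i(obj)) {
                        Object h2 = h(obj);
                        return h2 == null || m(h2) != i.DISALLOWED;
                    }
                    break;
            }
        }
        if (l(obj)) {
            Object k2 = k(obj);
            return k2 == null || j(k2);
        }
        if (a(obj)) {
            return j(obj);
        }
        if (p(obj)) {
            return a(obj, objArr);
        }
        if (n(obj)) {
            return m(obj) != i.DISALLOWED;
        }
        if (d(obj)) {
            return j(obj);
        }
        if (!B.isDebugEnabled()) {
            return true;
        }
        B.debug("Ignoring JAXB analysis for object={}, params={}, ret={}", W.a(obj), StringUtils.join(objArr), W.a(obj2));
        return true;
    }

    /** Returns whether {@code obj} is recognised as an {@code org.xml.sax.XMLReader}. */
    private boolean d(Object obj) {
        if (obj == null) {
            return false;
        }
        return C0208e.b(obj.getClass(), "org.xml.sax.XMLReader");
    }

    /**
     * Returns whether the class name of {@code obj} contains {@code nu.xom.XML1}; the caller
     * treats such a XOM-internal parser as supporting external entities. {@code obj} must be
     * non-null.
     */
    private boolean e(Object obj) {
        return obj.getClass().getName().contains("nu.xom.XML1");
    }

    /** Returns whether {@code obj} is a XOM {@code Builder}, judged by class-name suffix. */
    private boolean f(Object obj) {
        boolean z2 = false;
        if (obj != null) {
            z2 = obj.getClass().getName().endsWith("nu.xom.Builder");
        }
        return z2;
    }

    /**
     * Reads the {@code parser} field of a XOM Builder.
     *
     * @return the field value, or {@code null} when it is unset or reflection fails (the caller
     *     maps {@code null} to "supports external entities")
     */
    private Object g(Object obj) {
        Object obj2 = null;
        try {
            obj2 = a(obj.getClass(), "parser").get(obj);
        } catch (Throwable th) {
            com.contrastsecurity.agent.h.e.a(k, B, "Problem reflecting xom reader", th);
        }
        return obj2;
    }

    /**
     * Reads the {@code builder} field of a DocumentBuilder proxy.
     *
     * @return the wrapped builder, or {@code null} when reflection fails
     */
    private Object h(Object obj) {
        try {
            return N.a(obj, "builder").get(obj);
        } catch (Throwable th) {
            com.contrastsecurity.agent.h.e.a(v, B, "Problem reflecting builder out of saml", th);
            return null;
        }
    }

    /** Returns whether the class name of {@code obj} contains {@code $DocumentBuilderProxy}. */
    private boolean i(Object obj) {
        boolean z2 = false;
        if (obj != null && obj.getClass().getName().contains("$DocumentBuilderProxy")) {
            z2 = true;
        }
        return z2;
    }

    /**
     * Inspects the reader held by a JAXB Unmarshaller.
     *
     * <p>Walks {@code reader.fConfiguration.fEntityManager} and hands the entity manager to the
     * inspectors. Any missing or null link in that chain yields {@code true}.
     *
     * @param obj the reader object (non-null)
     * @param cls the Unmarshaller class; used only in log messages
     * @return {@code false} when the reader rejects external DTD access, otherwise the
     *     inspectors' verdict, or {@code true} when the chain cannot be followed
     * @throws IllegalAccessException if a located field cannot be read
     */
    private boolean a(Object obj, Class<?> cls) throws IllegalAccessException {
        B.debug("Inspecting reader {}", obj);
        Class<?> cls2 = obj.getClass();
        if (d(obj, cls2)) {
            return false;
        }
        Field a = a(cls2, "fConfiguration");
        if (a == null) {
            B.error("Couldn't find configuration field from {} -- assuming supports external entities", cls);
            return true;
        }
        Object obj2 = a.get(obj);
        if (obj2 == null) {
            B.debug("Encountered null Unmarshaller#reader#fConfiguration");
            return true;
        }
        Field a2 = a(obj2.getClass(), "fEntityManager");
        if (a2 == null) {
            B.error("Couldn't find entity manager field from {} -- assuming supports external entities", cls);
            return true;
        }
        Object obj3 = a2.get(obj2);
        if (obj3 != null) {
            // NOTE(review): g() on the inspection result is presumably "supports external
            // entities" -- confirm against class c.
            return o(obj3).g();
        }
        B.debug("Entity manager field was null -- assuming supports external entities");
        return true;
    }

    /**
     * Checks the SAX/Xerces feature flags of a parser or reader.
     *
     * <p>The parser counts as safe only when BOTH external-general-entities and
     * external-parameter-entities report {@code false}, or when its {@code fConfiguration}
     * reports disallow-doctype-decl as {@code true}. Disabling just one of the two entity
     * features is deliberately not enough.
     *
     * @param obj parser or reader to inspect (non-null)
     * @return {@code false} when confirmed safe; {@code true} otherwise, including when any
     *     reflective step throws (a missing field or a null feature result ends up in the catch)
     */
    private boolean j(Object obj) {
        Object obj2;
        Boolean a;
        boolean z2 = true;
        try {
            Boolean a2 = a(i, false, obj, obj.getClass());
            if (a2 != null && a2.booleanValue() && (a = a(j, false, obj, obj.getClass())) != null && a.booleanValue()) {
                B.debug("general && parameter entities feature turned off -- not vulnerable");
                z2 = false;
            }
            if (z2 && (obj2 = a(obj.getClass(), "fConfiguration").get(obj)) != null) {
                if (a(h, true, obj2, obj2.getClass()).booleanValue()) {
                    B.debug("disallow-doctype feature turned on -- not vulnerable");
                    z2 = false;
                }
            }
        } catch (Throwable th) {
            com.contrastsecurity.agent.h.e.a(l, B, "Problem reflecting disallow-doctype-decl", th);
        }
        return z2;
    }

    /**
     * Invokes {@code getXMLReader()} on a SAXParser.
     *
     * @return the reader, or {@code null} when the call fails
     */
    private Object k(Object obj) {
        Object obj2 = null;
        try {
            obj2 = N.d(obj.getClass(), "getXMLReader").invoke(obj, (Object[]) null);
        } catch (Throwable th) {
            com.contrastsecurity.agent.h.e.b(m, B, "Problem reflecting saxparser reader", th);
        }
        return obj2;
    }

    /**
     * Invokes {@code getXMLReader()} on a SAXSource.
     *
     * @param obj the SAXSource instance
     * @param cls the class on which the method is looked up
     * @return the reader, or {@code null} when none is set or the call fails
     */
    private Object b(Object obj, Class<?> cls) {
        Object obj2 = null;
        try {
            obj2 = N.d(cls, "getXMLReader").invoke(obj, (Object[]) null);
        } catch (Throwable th) {
            com.contrastsecurity.agent.h.e.b(n, B, "Problem reflecting saxsource reader", th);
        }
        return obj2;
    }

    /**
     * Returns whether {@code obj} is recognised as a {@code javax.xml.parsers.SAXParser}. The
     * check starts at the superclass of {@code obj}, not at its own class.
     */
    private boolean l(Object obj) {
        if (obj == null) {
            return false;
        }
        return C0208e.a(obj.getClass().getSuperclass(), "javax.xml.parsers.SAXParser");
    }

    /** Returns whether {@code obj} is a Xerces {@code XMLParser} (standalone or JDK-internal). */
    boolean a(Object obj) {
        if (obj == null) {
            return false;
        }
        return C0208e.a(obj.getClass(), o) || C0208e.a(obj.getClass(), p);
    }

    /**
     * Classifies a DocumentBuilder by following {@code domParser.fConfiguration}.
     *
     * @param obj the DocumentBuilder (non-null)
     * @return {@code DISALLOWED} when an XIncludeAwareParserConfiguration reports
     *     disallow-doctype-decl as on; otherwise the entity-manager inspection result; or
     *     {@code UNKNOWN} when any link of the chain is missing or reflection throws
     */
    private i m(Object obj) {
        Object obj2;
        Field a;
        Object obj3;
        try {
            Field a2 = a(obj.getClass(), "domParser");
            if (a2 != null && (obj2 = a2.get(obj)) != null && (a = a(obj2.getClass(), "fConfiguration")) != null && (obj3 = a.get(obj2)) != null) {
                Class<?> cls = obj3.getClass();
                if (cls.getName().contains(".XIncludeAwareParserConfiguration") && a(h, true, obj3, cls).booleanValue()) {
                    B.debug("disallow-doctype feature turned on -- not vulnerable");
                    return i.DISALLOWED;
                }
                Field a3 = a(cls, "fEntityManager");
                return a3 == null ? i.UNKNOWN : i.a(o(a3.get(obj3)).g());
            }
            return i.UNKNOWN;
        } catch (Throwable th) {
            // NOTE(review): presumably rethrows errors that must not be swallowed -- confirm
            // against commons.u.
            com.contrastsecurity.agent.commons.u.a(th);
            com.contrastsecurity.agent.h.e.a(q, B, "Failed to inspect DocumentBuilder", th);
            return i.UNKNOWN;
        }
    }

    /**
     * Reflectively calls {@code getFeature(String)} and compares the result with an expectation.
     *
     * @param objArr single-element array holding the feature URI
     * @param z2 the value the feature is expected to have
     * @param obj object to invoke {@code getFeature} on
     * @param cls class at which the method lookup starts
     * @return {@code TRUE}/{@code FALSE} for "feature equals {@code z2}", or {@code null} when the
     *     method is missing, throws, or returns something other than a Boolean
     */
    private Boolean a(Object[] objArr, boolean z2, Object obj, Class<?> cls) {
        Boolean bool = null;
        try {
            Method c = c(obj, cls);
            if (B.isDebugEnabled()) {
                B.debug("Invoking getFeature() on {}", W.a(obj));
            }
            // c is null when no class in the hierarchy declares getFeature; the resulting
            // NullPointerException is handled by the catch below and yields null.
            Object invoke = c.invoke(obj, objArr);
            if (invoke instanceof Boolean) {
                bool = Boolean.valueOf(((Boolean) invoke).booleanValue() == z2);
            }
        } catch (Throwable th) {
            com.contrastsecurity.agent.h.e.a(u, B, "Problem reflecting XIncludeAwareParserConfig#getFeature() call", th);
        }
        return bool;
    }

    /**
     * Finds {@code getFeature(String)} on {@code cls}, retrying on each superclass below
     * {@code Object}.
     *
     * @return the method, or {@code null} when the hierarchy does not declare it
     */
    private Method c(Object obj, Class<?> cls) {
        Method method = null;
        try {
            method = N.d(cls, "getFeature", ObjectShare.SINGLE_STRING_ARRAY);
        } catch (Throwable th) {
            // Class<?> rather than the decompiler's Class<? super Object>, which does not
            // type-check against Class<?>.getSuperclass().
            Class<?> superclass = cls.getSuperclass();
            B.debug("Couldn't find getFeature(); on configuration class -- jumping to superclass {}", superclass != null ? superclass.getName() : "null");
            if (superclass != null && superclass != Object.class) {
                method = c(obj, superclass);
            }
        }
        return method;
    }

    /**
     * Returns whether {@code obj} is a DocumentBuilder, by type or, failing that, by a class name
     * containing {@code .DocumentBuilderImpl}.
     */
    private boolean n(Object obj) {
        boolean z2 = false;
        if (obj != null) {
            try {
                if (obj instanceof DocumentBuilder) {
                    z2 = true;
                }
            } catch (Throwable ignored) {
                // Best effort: the type test is allowed to fail; the name check below still runs.
            }
            if (!z2 && obj.getClass().getName().contains(".DocumentBuilderImpl")) {
                z2 = true;
            }
        }
        return z2;
    }

    /**
     * Determines whether a JAXB Unmarshaller call can resolve external entities.
     *
     * <p>Uses the Unmarshaller's {@code reader} field when set; otherwise looks for SAXSource
     * arguments and checks the XMLReader each one carries. Only arguments whose class name is
     * exactly {@code javax.xml.transform.sax.SAXSource} are considered, so subclasses leave the
     * default in place.
     *
     * @param obj the Unmarshaller (non-null)
     * @param objArr the call arguments; may be {@code null} or contain {@code null} elements
     * @return {@code false} when the reader in use was confirmed safe, {@code true} otherwise
     */
    private boolean a(Object obj, Object[] objArr) {
        Object b2;
        boolean z2 = true;
        try {
            Class<?> cls = obj.getClass();
            Field a = a(cls, "reader");
            if (a == null) {
                B.error("Couldn't find reader field from {} -- assuming supports external entities", cls);
                z2 = true;
            } else {
                Object obj2 = a.get(obj);
                if (obj2 != null) {
                    z2 = a(obj2, cls);
                } else {
                    // Logged before the scan it announces (the decompiled code logged it after).
                    B.debug("Encountered null Unmarshaller#reader, looking for an XMLReader in the arguments now");
                    if (objArr != null) {
                        for (Object obj3 : objArr) {
                            // A null argument cannot be a SAXSource. Skipping it keeps the scan
                            // going instead of aborting on a NullPointerException before later
                            // arguments are looked at.
                            if (obj3 == null) {
                                continue;
                            }
                            Class<?> cls2 = obj3.getClass();
                            if (w.equals(cls2.getName()) && (b2 = b(obj3, cls2)) != null) {
                                z2 = j(b2);
                            }
                        }
                    }
                }
            }
        } catch (Throwable th) {
            com.contrastsecurity.agent.h.e.a(t, B, "Couldn't confirm whether JAXB Unmarshaller supported external entities", th);
        }
        B.debug("Supports external entities = {}", Boolean.valueOf(z2));
        return z2;
    }

    /**
     * Runs every configured inspector against an XMLEntityManager and builds the combined result.
     * A failing inspector is logged and skipped; the remaining inspectors still run.
     */
    private c o(Object obj) {
        c.a f2 = c.f();
        for (b bVar : this.e) {
            try {
                bVar.a(obj, f2);
            } catch (Throwable th) {
                com.contrastsecurity.agent.h.e.a(bVar.getClass().getName(), B, "Problem with inspector {} confirm support for external entities on XMLEntityManager {}", th, new Object[]{bVar, obj.getClass().getName()});
            }
        }
        c a = f2.a();
        B.debug("Inspection results: {}", a);
        return a;
    }

    /**
     * Asks a reader, via {@code getFeature}, for the JAXP {@code accessExternalDTD} setting.
     *
     * @return {@code true} only when the call returns Boolean {@code false}; {@code false} when it
     *     returns {@code null} or {@code true}, or when the call fails
     */
    private boolean d(Object obj, Class<?> cls) {
        boolean z2 = false;
        try {
            Method c = N.c(cls, "getFeature", ObjectShare.SINGLE_STRING_ARRAY);
            B.debug("Invoking XMLReader#getFeature()");
            // NOTE(review): accessExternalDTD is defined by JAXP as a property rather than a
            // boolean feature, so this call may simply throw on many readers and land in the
            // catch below -- confirm this check is effective for the readers it targets.
            Boolean bool = (Boolean) c.invoke(obj, g);
            if (bool == null || bool.booleanValue()) {
                B.debug("XMLReader had null or false for disallow external DTD feature");
            } else {
                B.debug("XMLReader specifically disallows external DTD");
                z2 = true;
            }
        } catch (Throwable th) {
            com.contrastsecurity.agent.h.e.a(r, B, "Failed to access getFeature() method to figure if allowed external DTD access", th);
        }
        return z2;
    }

    /**
     * Looks up a field by name on {@code cls}, walking up the superclass chain.
     *
     * @return the field, or {@code null} when no class below {@code Object} declares it
     */
    private Field a(Class<?> cls, String str) {
        if (cls == null || cls == Object.class) {
            return null;
        }
        try {
            return N.c(cls, str);
        } catch (NoSuchFieldException e) {
            // Class<?> rather than the decompiler's Class<? super Object>, which does not
            // type-check against Class<?>.getSuperclass().
            Class<?> superclass = cls.getSuperclass();
            B.trace("Looking up the JAXB superclass to {} to check for {} field", superclass, str);
            return a(superclass, str);
        }
    }

    /** Returns whether {@code obj} is treated as a JAXB Unmarshaller. */
    private boolean p(Object obj) {
        boolean z2 = false;
        if (obj != null) {
            try {
                // NOTE(review): the operands look inverted. As written this is true only when the
                // class of obj is a supertype of Unmarshaller; the usual "obj implements
                // Unmarshaller" test is Class.forName(A).isAssignableFrom(obj.getClass()).
                // Left unchanged because it alters which objects get inspected; in practice the
                // name-suffix fallback below appears to do the matching. Confirm before changing.
                z2 = obj.getClass().isAssignableFrom(Class.forName(A));
            } catch (Throwable ignored) {
                // Best effort: the class may not be loadable here; the name check below still runs.
            }
            if (!z2) {
                z2 = obj.getClass().getName().endsWith(".UnmarshallerImpl");
            }
        }
        return z2;
    }

    /**
     * Reads {@code javax.xml.stream.isSupportingExternalEntities} from an XMLStreamReader's
     * {@code fPropertyManager}.
     *
     * @param obj the XMLStreamReader
     * @return the property value when it is a Boolean; {@code true} when the property manager is
     *     null, the value is not a Boolean, or reflection fails
     */
    private boolean q(Object obj) {
        boolean z2 = true;
        try {
            // The decompiled code logged "Couldn't find fPropertyManager field" right here, on the
            // success path; that message now only appears when the lookup actually fails.
            Field a = N.a(obj, "fPropertyManager");
            Object obj2 = a.get(obj);
            if (obj2 != null) {
                Object invoke = N.d(obj2.getClass(), "getProperty", ObjectShare.SINGLE_STRING_ARRAY).invoke(obj2, "javax.xml.stream.isSupportingExternalEntities");
                if (invoke instanceof Boolean) {
                    z2 = ((Boolean) invoke).booleanValue();
                }
            } else {
                B.debug("fPropertyManager field was null, assuming external entities are supported");
            }
        } catch (Throwable th) {
            B.debug("Couldn't find fPropertyManager field");
            com.contrastsecurity.agent.h.e.a(s, B, "Couldn't confirm whether XMLStreamReader supported external entities", th);
        }
        return z2;
    }

    /**
     * Returns whether the first call argument looks like an XMLStreamReader (class name contains
     * {@code .XMLStreamReader}). A {@code null} or empty argument array returns {@code false}.
     */
    private boolean a(Object[] objArr) {
        return objArr != null && objArr.length > 0 && objArr[0] != null && objArr[0].getClass().getName().contains(".XMLStreamReader");
    }

    /** Always {@code true}; this supporter does not use this hook. */
    @Override // com.contrastsecurity.agent.plugins.frameworks.Q
    public boolean a(com.contrastsecurity.agent.plugins.security.controller.b bVar) {
        return true;
    }

    /** Always {@code true}; this supporter does not use this hook. */
    @Override // com.contrastsecurity.agent.plugins.frameworks.Q
    public boolean b(com.contrastsecurity.agent.plugins.security.controller.b bVar) {
        return true;
    }

    /** No-op. */
    @Override // com.contrastsecurity.agent.plugins.frameworks.Q
    public void a(Application application, Trace trace, Rule rule, Object obj, Object[] objArr, Object obj2) {
    }

    /** Always {@code false}; this supporter does not use this hook. */
    @Override // com.contrastsecurity.agent.plugins.frameworks.Q
    public boolean a(Application application, Trace trace, Rule rule, SourceEvent sourceEvent, int i2, HttpRequest httpRequest, com.contrastsecurity.agent.apps.exclusions.h hVar) {
        return false;
    }

    /** Always {@code false}; this supporter does not use this hook. */
    @Override // com.contrastsecurity.agent.plugins.frameworks.Q
    public boolean a(Trace trace, Rule rule) {
        return false;
    }

    /**
     * Returns the JAXB policy resource path, or {@code null} when the JAXB supporter is disabled
     * in the agent configuration.
     */
    @Override // com.contrastsecurity.agent.plugins.frameworks.L
    public String getPolicyLocation() {
        String str = null;
        if (this.c.f(ContrastProperties.SUPPORTER_JAXB)) {
            str = b;
        }
        return str;
    }

    /** Delegates the policy-location match to the shared helper {@code M}. */
    @Override // com.contrastsecurity.agent.plugins.frameworks.L
    public boolean isMatchingPolicyLocation(com.contrastsecurity.agent.plugins.frameworks.N n2) {
        return M.a(n2, this);
    }

    /** Returns the policy id, the hash code of the policy resource path. */
    @Override // com.contrastsecurity.agent.plugins.frameworks.L
    public int getPolicyId() {
        return f;
    }

    /** Always {@code true}; this supporter does not use this hook. */
    @Override // com.contrastsecurity.agent.plugins.frameworks.O
    public boolean a(Propagator propagator, Class<?> cls, Object obj, Object[] objArr, int[] iArr, Class<?> cls2, Object obj2) {
        return true;
    }

    /** Always {@code true}; this supporter does not use this hook. */
    @Override // com.contrastsecurity.agent.plugins.frameworks.O
    public boolean a(com.contrastsecurity.agent.plugins.security.model.d dVar) {
        return true;
    }

    /**
     * For propagators whose id starts with {@code xmlif-reader-}, tags the result as
     * {@code xmlif-validated-xxe} when the originating XMLInputFactory does not support external
     * entities. Factories that do (or might) support them are left untagged.
     *
     * @param dVar the propagation event
     */
    @Override // com.contrastsecurity.agent.plugins.frameworks.O
    public void b(com.contrastsecurity.agent.plugins.security.model.d dVar) {
        String id = dVar.e().getId();
        if (id == null || !id.startsWith("xmlif-reader-")) {
            return;
        }
        Object b2 = dVar.b();
        if (B.isDebugEnabled()) {
            B.debug("Analyzing XMLInputFactory {}", W.a(b2));
        }
        if (!b(b2)) {
            com.contrastsecurity.agent.h.e.b(y, B, "Expected XMLInputFactory for propagator {}", null, new Object[]{dVar.e().getId()});
            return;
        }
        // c(...) is true when external entities are, or may be, supported: do not mark as validated.
        if (c(b2)) {
            return;
        }
        // NOTE(review): "R" presumably designates the return value as tagging target -- confirm.
        String[] strArr = {"R"};
        String[] strArr2 = {"xmlif-validated-xxe"};
        String[] strArr3 = new String[0];
        try {
            a().a(dVar.f().getName(), dVar.f().getDesc(), dVar.f().getModifiers(), dVar.b(), dVar.g(), dVar.c(), dVar.d(), false, strArr, strArr2, strArr3, dVar.k() + 1);
        } catch (Exception e) {
            // NOTE(review): the message has four {} placeholders but five arguments follow, so if
            // the helper formats SLF4J-style the propagator id is never rendered -- confirm which
            // argument is redundant.
            com.contrastsecurity.agent.h.e.b(z, B, "Exception un/tagging targets {} with tags {} and untags {} in propagator {}", e, new Object[]{dVar.h(), strArr, strArr2, strArr3, dVar.e().getId()});
        }
    }

    /** Returns the injected tagging service, or the one provided by {@code SecurityPlugin}. */
    private com.contrastsecurity.agent.plugins.security.controller.propagate.a a() {
        return this.d != null ? this.d : SecurityPlugin.getSecurityServiceProvider().getContrastDataFlowTaggingService();
    }

    /** Returns whether {@code obj} is a non-null {@code javax.xml.stream.XMLInputFactory}. */
    @A
    boolean b(Object obj) {
        return obj != null && C0208e.a(obj.getClass(), "javax.xml.stream.XMLInputFactory");
    }

    /**
     * Determines whether an XMLInputFactory supports external entities.
     *
     * <p>{@code supportDTD == false} settles it as "not supported". Otherwise the value of
     * {@code isSupportingExternalEntities} decides; when that cannot be read the answer stays
     * {@code true}.
     *
     * @param obj the factory (non-null)
     * @return {@code false} only when the factory was confirmed not to support external entities
     */
    @A
    boolean c(Object obj) {
        boolean z2 = true;
        Class<?> cls = obj.getClass();
        try {
            Method d = N.d(cls, "isPropertySupported", ObjectShare.SINGLE_STRING_ARRAY);
            Method d2 = N.d(cls, "getProperty", ObjectShare.SINGLE_STRING_ARRAY);
            Boolean a = a(d, d2, obj, "javax.xml.stream.supportDTD");
            if (a == null || a.booleanValue()) {
                Boolean a2 = a(d, d2, obj, "javax.xml.stream.isSupportingExternalEntities");
                if (a2 != null) {
                    z2 = a2.booleanValue();
                }
            } else {
                z2 = false;
            }
        } catch (Throwable th) {
            com.contrastsecurity.agent.h.e.a(x, B, "Couldn't confirm whether XMLInputFactory supported external entities", th);
        }
        return z2;
    }

    /**
     * Reads a Boolean factory property, but only if the factory reports the property as supported.
     *
     * @param method the {@code isPropertySupported(String)} method
     * @param method2 the {@code getProperty(String)} method
     * @param obj the factory
     * @param str the property name
     * @return the property value, or {@code null} when the property is unsupported or not a Boolean
     * @throws InvocationTargetException if either reflective call throws
     * @throws IllegalAccessException if either method is not accessible
     */
    private Boolean a(Method method, Method method2, Object obj, String str) throws InvocationTargetException, IllegalAccessException {
        Boolean bool = null;
        Object invoke = method.invoke(obj, str);
        if ((invoke instanceof Boolean) && ((Boolean) invoke).booleanValue()) {
            Object invoke2 = method2.invoke(obj, str);
            if (invoke2 instanceof Boolean) {
                bool = (Boolean) invoke2;
            }
        }
        return bool;
    }
}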
