package com.contrastsecurity.agent.plugins.rasp.rules.csrf;

import com.contrastsecurity.agent.A;
import com.contrastsecurity.agent.apps.Application;
import com.contrastsecurity.agent.commons.l;
import com.contrastsecurity.agent.config.ContrastProperties;
import com.contrastsecurity.agent.http.HttpManager;
import com.contrastsecurity.agent.http.HttpRequest;
import com.contrastsecurity.agent.http.HttpResponse;
import com.contrastsecurity.agent.http.ReplacedResponseChunk;
import com.contrastsecurity.agent.http.u;
import com.contrastsecurity.agent.messages.app.activity.defend.AttackResult;
import com.contrastsecurity.agent.messages.app.activity.defend.details.UserInputDTM;
import com.contrastsecurity.agent.plugins.rasp.AttackBlockedException;
import com.contrastsecurity.agent.plugins.rasp.InterfaceC0103d;
import com.contrastsecurity.agent.plugins.rasp.RaspManager;
import com.contrastsecurity.agent.plugins.rasp.Y;
import com.contrastsecurity.agent.plugins.rasp.aa;
import com.contrastsecurity.agent.plugins.rasp.rules.m;
import com.contrastsecurity.agent.reloadable.ReloadableBeanManager;
import com.contrastsecurity.agent.util.ByteUtil;
import com.contrastsecurity.agent.util.C0226w;
import com.contrastsecurity.agent.util.RandomUtil;
import com.contrastsecurity.agent.util.W;
import com.contrastsecurity.thirdparty.javax.inject.Inject;
import com.contrastsecurity.thirdparty.org.apache.commons.io.IOUtils;
import com.contrastsecurity.thirdparty.org.apache.commons.lang.StringUtils;
import com.contrastsecurity.thirdparty.org.apache.http.HttpHeaders;
import com.contrastsecurity.thirdparty.org.apache.http.client.methods.HttpPost;
import com.contrastsecurity.thirdparty.org.apache.http.client.utils.URLEncodedUtils;
import com.contrastsecurity.thirdparty.org.apache.http.protocol.HTTP;
import com.contrastsecurity.thirdparty.org.slf4j.Logger;
import com.contrastsecurity.thirdparty.org.slf4j.LoggerFactory;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Collections;
import java.util.Map;

/* compiled from: CSRFRaspRule.java */
/* loaded from: input_file:lib/contrast-agent-core.jar:com/contrastsecurity/agent/plugins/rasp/rules/csrf/f.class */
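/**
 * RASP rule {@value #b}: CSRF token enforcement and injection.
 *
 * <p>Decompiled agent class (original source name CSRFRaspRule.java). The rule does three things:
 * <ul>
 *   <li>{@link #onRequestStart} decides per request whether token checking applies and, if not,
 *       marks the rule as disabled in the current RASP context.</li>
 *   <li>{@link #onParametersResolved} compares the request's token parameter with the expected
 *       value and reports (and, when blocking is enabled, aborts) a mismatch.</li>
 *   <li>The {@code a(HttpResponse, ...)} overloads inject a JavaScript snippet in front of the
 *       closing {@code </body>} tag of HTML responses so that forms carry the token.</li>
 * </ul>
 * The expected token is either a fixed configured value ({@link c}) or a per-session random value
 * ({@link b}), chosen in {@link #a(com.contrastsecurity.agent.config.g)}.
 */
/* compiled from: CSRFRaspRule.java */
/* loaded from: input_file:lib/contrast-agent-core.jar:com/contrastsecurity/agent/plugins/rasp/rules/csrf/f.class */
public final class f extends Y<CSRFDetailsDTM> implements m<CSRFDetailsDTM>, com.contrastsecurity.agent.reloadable.a {
    // Attack reporting hook; receives rule id, CSRF details, user input and the attack result.
    private final InterfaceC0103d e;
    // Agent configuration; re-read on every settings reload.
    private final com.contrastsecurity.agent.config.g f;
    // Used only to look up the current request when building the injected script.
    private final HttpManager g;
    // Provides the per-request context flags and the block/monitor decision.
    private final RaspManager h;
    private final aa<CSRFDetailsDTM> i;
    // Name of the request parameter that must carry the token (ContrastProperties.CSRF_TOKEN).
    private String j;
    // Injection script text with the token-name placeholder already substituted; may stay null
    // if the script resource cannot be located or read (see a(InputStream)).
    private String k;
    // "</body>" encoded once per charset index of HttpResponse.CHARSET_MAP (indices 0..5).
    private final byte[][] l;
    // Decides whether a response is an HTML document worth injecting into.
    private final d m;
    // Supplies the expected token for a request.
    private e n;
    public static final String b = "csrf";

    // Prefix of the session attribute under which the per-session token is stored.
    @A
    static final String c = "$$CONTRAST$$";
    // Classpath location of the script that is injected into HTML responses.
    private static final String q = "/csrf/inject.js";
    // Response property set once a single-byte write() was observed on the response.
    private static final String r = "csrf.singlebyte.used";
    // Response property caching the "is this response injectable HTML" decision.
    private static final String s = "csrf.token.insert";
    // Placeholders replaced inside the injection script.
    private static final String t = "!TOKEN_NAME!";
    private static final String u = "!TOKEN_VALUE!";

    // NOTE(review): not referenced in this class; presumably the intended token length
    // (b.a() uses the literal 8) — confirm and consider using it there.
    @A
    static final int d = 8;
    private static final String o = "</body>";
    private static final char[] p = o.toCharArray();
    // Request Content-Types for which token checking is enforced.
    private static final String[] v = {HTTP.PLAIN_TEXT_TYPE, "multipart/form-data", URLEncodedUtils.CONTENT_TYPE};
    // Response Content-Types considered injectable HTML.
    private static final String[] w = {"text/html", "application/xhtml+xml", "application/html"};
    // URI fragments that mark a request as a probable login/authentication page (checking skipped).
    private static final String[] x = {"login", "auth", "j_security", "verify", "validate"};
    private static final Logger y = LoggerFactory.getLogger(f.class);

    /**
     * Default {@link d}: a response is injectable when its Content-Type matches one of {@link #w}.
     * The decision is cached on the response under {@link #s} so it is computed at most once.
     */
    /* compiled from: CSRFRaspRule.java */
    @A
    /* loaded from: input_file:lib/contrast-agent-core.jar:com/contrastsecurity/agent/plugins/rasp/rules/csrf/f$a.class */
    static final class a implements d {
        a() {
        }

        /**
         * Returns the cached injectability decision for {@code httpResponse}, computing and
         * storing it on first use.
         */
        @Override // com.contrastsecurity.agent.plugins.rasp.rules.csrf.f.d
        public boolean a(HttpResponse httpResponse) {
            Boolean bool = (Boolean) httpResponse.getProperty(f.s);
            if (bool == null) {
                bool = Boolean.valueOf(b(httpResponse));
                httpResponse.setProperty(f.s, bool);
            }
            return bool.booleanValue();
        }

        /**
         * Uncached check. Any failure while reading the content type is logged at debug level and
         * treated as "not HTML", i.e. no injection rather than a broken response.
         */
        private boolean b(HttpResponse httpResponse) {
            try {
                String contentType = httpResponse.getContentType();
                // W.d presumably matches contentType against the list entries — exact semantics
                // (prefix vs. contains) are not visible here.
                return contentType != null && W.d(f.w, contentType);
            } catch (Exception e) {
                f.y.debug("Problem inspecting content-type", (Throwable) e);
                return false;
            }
        }
    }

    /**
     * Per-session token supplier. The token lives in the session under
     * {@code "$$CONTRAST$$" + tokenName} and is generated on first use.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* compiled from: CSRFRaspRule.java */
    @A
    /* loaded from: input_file:lib/contrast-agent-core.jar:com/contrastsecurity/agent/plugins/rasp/rules/csrf/f$b.class */
    public static final class b implements e {
        // Token parameter name; only used to build the session attribute key.
        private final String a;

        b(String str) {
            this.a = str;
        }

        /**
         * Returns the session's token, creating one if absent.
         *
         * @return the token, or {@code null} when the request has no existing session
         *         (the session is never created here, hence {@code getSession(false)})
         */
        @Override // com.contrastsecurity.agent.plugins.rasp.rules.csrf.f.e
        public String a(HttpRequest httpRequest) {
            u session = httpRequest.getSession(false);
            String str = null;
            if (session != null) {
                String str2 = f.c + this.a;
                String str3 = (String) session.a(str2);
                if (str3 != null) {
                    str = str3;
                } else {
                    // 8 characters from the agent's secure random helper; the alphabet (and thus
                    // the entropy per character) is not visible here.
                    str = RandomUtil.secureRandomString(8);
                    session.a(str2, str);
                }
            }
            return str;
        }
    }

    /**
     * Fixed token supplier used when {@code ContrastProperties.CSRF_TOKEN_VALUE} is configured.
     * Every request (and every session) then shares the same token value.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* compiled from: CSRFRaspRule.java */
    /* loaded from: input_file:lib/contrast-agent-core.jar:com/contrastsecurity/agent/plugins/rasp/rules/csrf/f$c.class */
    public static class c implements e {
        private final String a;

        c(String str) {
            this.a = str;
        }

        /** Returns the configured token regardless of the request. */
        @Override // com.contrastsecurity.agent.plugins.rasp.rules.csrf.f.e
        public String a(HttpRequest httpRequest) {
            return this.a;
        }
    }

    /** Decides whether a response may have the token script injected. */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* compiled from: CSRFRaspRule.java */
    /* loaded from: input_file:lib/contrast-agent-core.jar:com/contrastsecurity/agent/plugins/rasp/rules/csrf/f$d.class */
    public interface d {
        boolean a(HttpResponse httpResponse);
    }

    /** Supplies the expected CSRF token for a request; {@code null} means "no token available". */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* compiled from: CSRFRaspRule.java */
    /* loaded from: input_file:lib/contrast-agent-core.jar:com/contrastsecurity/agent/plugins/rasp/rules/csrf/f$e.class */
    public interface e {
        String a(HttpRequest httpRequest);
    }

    /** Injection constructor; uses the default content-type based injectability check. */
    @Inject
    public f(com.contrastsecurity.agent.config.g gVar, InterfaceC0103d interfaceC0103d, RaspManager raspManager, HttpManager httpManager, ReloadableBeanManager reloadableBeanManager, aa<CSRFDetailsDTM> aaVar) {
        this(gVar, interfaceC0103d, raspManager, httpManager, new a(), reloadableBeanManager, aaVar);
    }

    /**
     * Full constructor (test-visible through the injectable {@code d}).
     *
     * @param dVar injectability check; must not be null
     * @throws UnsupportedEncodingException is never propagated: a charset index whose name cannot
     *         be encoded is logged and its slot in {@link #l} stays an empty array
     */
    f(com.contrastsecurity.agent.config.g gVar, InterfaceC0103d interfaceC0103d, RaspManager raspManager, HttpManager httpManager, d dVar, ReloadableBeanManager reloadableBeanManager, aa<CSRFDetailsDTM> aaVar) {
        l.a(dVar);
        this.e = interfaceC0103d;
        this.f = gVar;
        this.m = dVar;
        this.h = raspManager;
        // Reads configuration and the injection script; only touches j, k and n.
        a(this.f);
        // Pre-encode "</body>" for each charset index so the byte[] response path can search
        // without re-encoding per chunk.
        this.l = new byte[6][0];
        for (int i = 0; i < 6; i++) {
            try {
                this.l[i] = o.getBytes(HttpResponse.CHARSET_MAP.get(Integer.valueOf(i)));
            } catch (UnsupportedEncodingException e2) {
                y.error("Couldn't cache body tag bytes for encoding {}", Integer.valueOf(i), e2);
            }
        }
        this.g = httpManager;
        this.i = aaVar;
        // Registered last so that a reload callback never observes a partially constructed rule.
        reloadableBeanManager.addBean(this);
    }

    /** Re-reads the token name/value configuration and the injection script. */
    @Override // com.contrastsecurity.agent.reloadable.a
    public void onReloadSettings() {
        a(this.f);
    }

    /**
     * Applies configuration: token parameter name, injection script, and the token supplier
     * (fixed value when {@code CSRF_TOKEN_VALUE} is non-empty, per-session otherwise).
     */
    private void a(com.contrastsecurity.agent.config.g gVar) {
        String b2 = gVar.b(ContrastProperties.CSRF_TOKEN_VALUE);
        this.j = gVar.a(ContrastProperties.CSRF_TOKEN);
        InputStream a2 = com.contrastsecurity.agent.k.a.a().a(q);
        if (a2 != null) {
            a(a2);
        } else {
            // k keeps its previous value (null on first load); c() would then NPE — see there.
            y.error("Won't be able to inject CSRF token -- injected JS can't be located");
        }
        if (StringUtils.isNotEmpty(b2)) {
            this.n = new c(b2);
        } else {
            this.n = new b(this.j);
        }
    }

    /**
     * Reads the injection script and substitutes the token-name placeholder.
     * Uses the caller's stream without closing it; read failures are logged and leave {@link #k}
     * unchanged.
     */
    private void a(InputStream inputStream) {
        try {
            this.k = IOUtils.toString(inputStream).replace(t, this.j);
        } catch (IOException e2) {
            y.error("Couldn't process injection JS", (Throwable) e2);
        }
    }

    @Override // com.contrastsecurity.agent.plugins.rasp.rules.f
    public aa<CSRFDetailsDTM> getRuleId() {
        return this.i;
    }

    /**
     * Decides whether token checking applies to this request. When it does not, the rule is
     * flagged as disabled in the current RASP context, which {@link #onParametersResolved}
     * honours.
     */
    @Override // com.contrastsecurity.agent.plugins.rasp.Y
    public void onRequestStart(Application application, HttpRequest httpRequest) {
        if (!a(httpRequest)) {
            y.debug("Will enforce token checking for {}", httpRequest.getUri());
        } else {
            y.debug("Ignoring token checking for {}", httpRequest.getUri());
            this.h.currentContext().a(b);
        }
    }

    /**
     * Exclusion chain: returns {@code true} when the request should NOT be token-checked.
     * Order matters only for which debug message is logged; the first matching exclusion wins.
     */
    private boolean a(HttpRequest httpRequest) {
        boolean z = false;
        if (!f(httpRequest)) {
            // Only POST is enforced; other methods (including PUT/DELETE) are never checked.
            y.debug("Ignoring method {} for URI {}", httpRequest.getMethod(), httpRequest.getUri());
            z = true;
        } else if (h(httpRequest)) {
            y.debug("Ignoring Ajax request for {}", httpRequest.getUri());
            z = true;
        } else if (g(httpRequest)) {
            y.debug("Ignoring empty user agent request for {}", httpRequest.getUri());
            z = true;
        } else if (c(httpRequest)) {
            y.debug("Ignoring empty POST request for {}", httpRequest.getUri());
            z = true;
        } else if (!e(httpRequest)) {
            y.debug("Ignoring POST request with Content-Type {} for {}", httpRequest.getContentType(), httpRequest.getUri());
            z = true;
        } else if (C0226w.b(httpRequest)) {
            y.debug("Ignoring static request {}", httpRequest.getUri());
            z = true;
        } else if (d(httpRequest)) {
            y.debug("Ignoring equivalent origin-referer for request {}", httpRequest.getUri());
            z = true;
        } else if (b(httpRequest)) {
            y.debug("Ignoring possible login page for request {}", httpRequest.getUri());
            z = true;
        }
        return z;
    }

    /** True when the URI contains one of the login-page markers in {@link #x}. */
    private boolean b(HttpRequest httpRequest) {
        return W.a(httpRequest.getUri(), x);
    }

    /** True for a POST with no body and no query string (nothing to carry a token). */
    private boolean c(HttpRequest httpRequest) {
        return httpRequest.getContentLength() <= 0 && W.a(httpRequest.getQueryString());
    }

    /**
     * True when the Referer host equals the Origin host. Missing either header, or an unparseable
     * Referer, yields {@code false} (checking is then enforced).
     *
     * NOTE(review): this compares the two request headers with each other, not with the
     * application's own host; confirm that skipping the token check in that case is intended,
     * since the scheme and port are also not part of the comparison.
     */
    private boolean d(HttpRequest httpRequest) {
        boolean z = false;
        String header = httpRequest.getHeader(HttpHeaders.REFERER);
        String header2 = httpRequest.getHeader("Origin");
        if (header == null || header2 == null) {
            y.debug("Didn't compare referer ({}) to origin ({})", header, header2);
        } else {
            try {
                String a2 = a(header2);
                String host = new URL(header).getHost();
                y.debug("Comparing {} from referer to origin {}", host, a2);
                z = host.equals(a2);
            } catch (MalformedURLException e2) {
                y.error("Couldn't parse Referer {}", com.contrastsecurity.agent.d.c.a(y, header), e2);
            }
        }
        return z;
    }

    /**
     * Extracts the host part of an Origin-like value: strips an {@code http(s)://} prefix and
     * anything from the first {@code ':'} on (port).
     *
     * NOTE(review): an IPv6 literal such as {@code [::1]} is cut at its first colon, so it never
     * equals the {@code URL.getHost()} form used for the Referer.
     */
    String a(String str) {
        if (str.startsWith("http://") || str.startsWith("https://")) {
            try {
                str = new URL(str).getHost();
            } catch (Exception e2) {
                // Fallback: drop "scheme://" by hand when the URL does not parse.
                str = str.substring(str.indexOf(":") + 3);
            }
        }
        int indexOf = str.indexOf(58);
        if (indexOf != -1) {
            str = str.substring(0, indexOf);
        }
        return str;
    }

    /** True when the request has no Content-Type or one of the form-like types in {@link #v}. */
    private boolean e(HttpRequest httpRequest) {
        String header = httpRequest.getHeader("Content-Type");
        return header == null || W.d(v, header);
    }

    private boolean f(HttpRequest httpRequest) {
        return HttpPost.METHOD_NAME.equals(httpRequest.getMethod());
    }

    /** True when the User-Agent header is absent/empty. */
    private boolean g(HttpRequest httpRequest) {
        return W.a(httpRequest.getHeader("User-Agent"));
    }

    /**
     * True when an X-Requested-With header is present. Presumably treated as non-CSRF because a
     * cross-site form post cannot set custom headers without a CORS preflight.
     */
    private boolean h(HttpRequest httpRequest) {
        return !W.a(httpRequest.getHeader("X-Requested-With"));
    }

    /** End-of-response hook: only logs when a single-byte write was seen (see {@link #r}). */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.m
    public void b(HttpRequest httpRequest, HttpResponse httpResponse) {
        Boolean bool = httpResponse != null ? (Boolean) httpResponse.getProperty(r) : null;
        if (bool == null || !bool.booleanValue()) {
            return;
        }
        y.debug("Single byte write() was used -- may not have been able to insert token");
    }

    /**
     * Validates the token once request parameters are available. Skipped when the rule was
     * disabled for this request in {@link #onRequestStart}, when there are no parameters at all,
     * or when no expected token is available (e.g. no session).
     *
     * @throws AttackBlockedException when the token is missing/wrong and blocking is enabled
     */
    @Override // com.contrastsecurity.agent.plugins.rasp.Y
    public void onParametersResolved(HttpRequest httpRequest) {
        if (this.h.currentContext().b(b)) {
            y.debug("CSRF rule is disabled -- no token checking");
            return;
        }
        Map<String, String[]> parameters = httpRequest.getParameters();
        if (parameters.isEmpty()) {
            return;
        }
        String[] strArr = parameters.get(this.j);
        try {
            String a2 = this.n.a(httpRequest);
            if (a2 != null) {
                a(a2, strArr, httpRequest);
            }
        } catch (AttackBlockedException e2) {
            // The block decision must reach the caller; only unexpected failures are swallowed.
            throw e2;
        } catch (Exception e3) {
            y.error("Problem validating token", (Throwable) e3);
        }
    }

    /**
     * Reports an attack when {@code strArr} (the submitted token values) does not contain the
     * expected token {@code str}, and aborts the request when the rule may block.
     */
    private void a(String str, String[] strArr, HttpRequest httpRequest) {
        if (strArr == null || !W.b(strArr, str)) {
            boolean canBlock = this.h.canBlock(this);
            // Details carry the expected token and the first submitted value (if any); the
            // user-input snapshot is the full parameter map (see i()).
            this.e.a(this.i, CSRFDetailsDTM.builder().a(this.j).b(str).c((strArr == null || strArr.length <= 0) ? null : strArr[0]).a(), UserInputDTM.builder().filters(Collections.emptySet()).type(UserInputDTM.InputType.REQUEST).value(i(httpRequest)).documentType(UserInputDTM.InputDocumentType.NORMAL).time(System.currentTimeMillis()).build(), canBlock ? AttackResult.BLOCKED : AttackResult.EXPLOITED);
            if (canBlock) {
                throw new AttackBlockedException("Unauthorized transaction detected");
            }
        }
    }

    /**
     * Renders the request parameters as {@code k=v&k=v...} for the attack report; falls back to
     * the raw query string when there are no parameters.
     *
     * Every parameter value is captured verbatim, which may include credentials on a form post;
     * NOTE(review): confirm the reporting layer masks sensitive values.
     */
    private String i(HttpRequest httpRequest) {
        Map<String, String[]> parameters = httpRequest.getParameters();
        StringBuilder sb = new StringBuilder(512);
        for (Map.Entry<String, String[]> entry : parameters.entrySet()) {
            String[] values = entry.getValue();
            if (values == null) {
                continue;
            }
            for (String value : values) {
                sb.append(entry.getKey());
                sb.append('=');
                sb.append(value);
                sb.append('&');
            }
        }
        if (sb.length() == 0) {
            // Guarded: StringBuilder.append((String) null) would report the literal "null".
            String queryString = httpRequest.getQueryString();
            if (queryString != null) {
                sb.append(queryString);
            }
        } else {
            // Drop the trailing '&'.
            sb.deleteCharAt(sb.length() - 1);
        }
        return sb.toString();
    }

    /**
     * String chunk path. Injects the script before the first {@code </body>} found within
     * {@code [i2, i2 + i3)} of {@code str}; otherwise returns {@code replacedResponseChunk}
     * untouched. {@code i} is the charset index (unused on the String path).
     */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.m
    public ReplacedResponseChunk a(HttpResponse httpResponse, int i, String str, int i2, int i3, ReplacedResponseChunk replacedResponseChunk, boolean z) {
        if (z && this.m.a(httpResponse)) {
            int a2 = str != null ? W.a(str, o, i2, i2 + i3) : -1;
            if (a2 != -1 && a2 < i2 + i3) {
                String str2 = str.substring(i2, a2) + c() + str.substring(a2, i2 + i3);
                replacedResponseChunk = new ReplacedResponseChunk(str2, 0, str2.length());
            }
        }
        return replacedResponseChunk;
    }

    /** Whole-String convenience overload; {@code str} must not be null (length is taken from it). */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.m
    public ReplacedResponseChunk a(HttpResponse httpResponse, int i, String str, ReplacedResponseChunk replacedResponseChunk, boolean z) {
        return a(httpResponse, i, str, 0, str.length(), replacedResponseChunk, z);
    }

    /** Whole-array convenience overload for the byte[] path. */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.m
    public ReplacedResponseChunk a(HttpResponse httpResponse, int i, byte[] bArr, ReplacedResponseChunk replacedResponseChunk, boolean z) {
        return a(httpResponse, i, bArr, 0, bArr.length, replacedResponseChunk, z);
    }

    /**
     * Single-byte write path: no injection is attempted (the tag cannot be matched one byte at a
     * time); the response is only flagged under {@link #r} so {@link #b(HttpRequest, HttpResponse)}
     * can log it.
     */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.m
    public ReplacedResponseChunk a(HttpResponse httpResponse, int i, byte b2, ReplacedResponseChunk replacedResponseChunk, boolean z) {
        if (((Boolean) httpResponse.getProperty(r)) == null) {
            httpResponse.setProperty(r, true);
        }
        return replacedResponseChunk;
    }

    /**
     * Whole-array char[] path. No {@code @Override} survived decompilation; whether this
     * overrides a method of {@code m} is not visible here.
     */
    public ReplacedResponseChunk a(HttpResponse httpResponse, int i, char[] cArr, ReplacedResponseChunk replacedResponseChunk, boolean z) {
        int b2;
        if (z && this.m.a(httpResponse) && (b2 = W.b(cArr, p)) != -1) {
            replacedResponseChunk = a(cArr, 0, cArr.length, b2);
        }
        return replacedResponseChunk;
    }

    /** Ranged char[] path: searches {@code [i2, i2 + i3)} for {@code </body>}. */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.m
    public ReplacedResponseChunk a(HttpResponse httpResponse, int i, char[] cArr, int i2, int i3, ReplacedResponseChunk replacedResponseChunk, boolean z) {
        int a2;
        if (z && this.m.a(httpResponse) && (a2 = W.a(cArr, p, i2, i3 + i2)) != -1) {
            replacedResponseChunk = a(cArr, i2, i3, a2);
        }
        return replacedResponseChunk;
    }

    /**
     * Ranged byte[] path: looks up the {@code </body>} bytes for charset index {@code i} and
     * searches {@code [i2, i2 + i3)}. Unknown charset indices (no cached bytes) mean no injection.
     */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.m
    public ReplacedResponseChunk a(HttpResponse httpResponse, int i, byte[] bArr, int i2, int i3, ReplacedResponseChunk replacedResponseChunk, boolean z) {
        byte[] b2;
        int indexOf;
        if (z && this.m.a(httpResponse) && (b2 = b(i)) != null && (indexOf = ByteUtil.indexOf(bArr, b2, i2, i2 + i3)) != -1 && indexOf >= i2 && indexOf < i2 + i3) {
            replacedResponseChunk = a(bArr, i2, i3, b2, indexOf);
        }
        return replacedResponseChunk;
    }

    /**
     * Builds the script to inject for the current request: {@link #k} with the token-value
     * placeholder substituted. Returns "" when no token is available for the request.
     * Throws NullPointerException if the script was never loaded ({@link #k} null).
     */
    private String c() {
        String a2 = this.n.a(this.g.getCurrentRequest());
        return a2 != null ? this.k.replace(u, a2) : "";
    }

    /**
     * Script bytes for the byte[] path.
     *
     * NOTE(review): the charset index {@code i} is ignored and the platform default charset is
     * used, while {@code </body>} is matched in the response charset — the two can disagree for
     * non-ASCII-compatible encodings. Confirm against HttpResponse.CHARSET_MAP.
     */
    private byte[] a(int i) {
        return c().getBytes();
    }

    /**
     * Splices the script bytes into {@code bArr[i, i + i2)} at absolute index {@code i3}.
     *
     * @param bArr2 the matched {@code </body>} bytes; accepted for symmetry but not used here
     * @return a chunk holding {@code bArr[i, i3)} + script + {@code bArr[i3, i + i2)}
     */
    ReplacedResponseChunk a(byte[] bArr, int i, int i2, byte[] bArr2, int i3) {
        // Charset index hard-coded to 3 (and ignored by a(int) anyway).
        byte[] a2 = a(3);
        byte[] bArr3 = new byte[i2 + a2.length];
        System.arraycopy(bArr, i, bArr3, 0, i3 - i);
        System.arraycopy(a2, 0, bArr3, i3 - i, a2.length);
        System.arraycopy(bArr, i + (i3 - i), bArr3, (i3 - i) + a2.length, i2 - (i3 - i));
        return new ReplacedResponseChunk(bArr3, 0, bArr3.length);
    }

    /**
     * Splices the script characters into {@code cArr[i, i + i2)} at absolute index {@code i3}.
     *
     * @return a chunk holding {@code cArr[i, i3)} + script + {@code cArr[i3, i + i2)}
     */
    ReplacedResponseChunk a(char[] cArr, int i, int i2, int i3) {
        char[] charArray = c().toCharArray();
        char[] cArr2 = new char[i2 + charArray.length];
        System.arraycopy(cArr, i, cArr2, 0, i3 - i);
        System.arraycopy(charArray, 0, cArr2, i3 - i, charArray.length);
        System.arraycopy(cArr, i + (i3 - i), cArr2, (i3 - i) + charArray.length, i2 - (i3 - i));
        return new ReplacedResponseChunk(cArr2, 0, cArr2.length);
    }

    /** Cached {@code </body>} bytes for charset index {@code i}, or {@code null} if out of range. */
    private byte[] b(int i) {
        byte[] bArr = null;
        if (i >= 0 && i < this.l.length) {
            bArr = this.l[i];
        }
        return bArr;
    }

    /** Intentionally empty: this rule has no work to do at this callback. */
    @Override // com.contrastsecurity.agent.plugins.rasp.rules.m
    public void a(HttpRequest httpRequest, HttpResponse httpResponse) {
    }
}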
