package com.contrastsecurity.agent.plugins.security.policy.rules.providers.internal.csrf;

import com.contrastsecurity.agent.commons.o;
import com.contrastsecurity.agent.http.HttpRequest;
import com.contrastsecurity.agent.http.HttpResponse;
import com.contrastsecurity.agent.http.MultipartItem;
import com.contrastsecurity.agent.messages.app.activity.assessment.StateChangingActionDTM;
import com.contrastsecurity.agent.messages.finding.trace.PropertyKey;
import com.contrastsecurity.agent.plugins.rasp.rules.csrf.f;
import com.contrastsecurity.agent.plugins.security.policy.rules.providers.HttpWatcher;
import com.contrastsecurity.agent.plugins.security.policy.rules.providers.ProviderUtil;
import com.contrastsecurity.agent.plugins.security.policy.rules.providers.internal.csrf.CSRFRule;
import com.contrastsecurity.agent.plugins.security.u;
import com.contrastsecurity.agent.util.C0224u;
import com.contrastsecurity.agent.util.C0226w;
import com.contrastsecurity.agent.util.SimplePattern;
import com.contrastsecurity.agent.util.W;
import com.contrastsecurity.thirdparty.org.apache.http.HeaderElement;
import com.contrastsecurity.thirdparty.org.apache.http.ParseException;
import com.contrastsecurity.thirdparty.org.apache.http.client.methods.HttpGet;
import com.contrastsecurity.thirdparty.org.apache.http.client.methods.HttpPost;
import com.contrastsecurity.thirdparty.org.apache.http.client.utils.URLEncodedUtils;
import com.contrastsecurity.thirdparty.org.apache.http.message.BasicHeaderValueParser;
import com.contrastsecurity.thirdparty.org.apache.http.protocol.HTTP;
import com.contrastsecurity.thirdparty.org.slf4j.Logger;
import com.contrastsecurity.thirdparty.org.slf4j.LoggerFactory;
import java.util.EnumMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.zip.CRC32;

/* compiled from: CSRFWatcher.java */
/* loaded from: input_file:lib/contrast-agent-core.jar:com/contrastsecurity/agent/plugins/security/policy/rules/providers/internal/csrf/c.class */
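/**
 * Request-scoped watcher for the CSRF rule.
 *
 * <p>The watcher first decides in {@link #supports(HttpRequest)} whether the request looks like a
 * browser-originated, potentially state-changing interaction (method, content type, headers, URL
 * lists). At response end it reports a finding when the response was not an error, no
 * token-looking parameter was observed, and the configured {@code CSRFRule.a} mode yields
 * state-changing actions for the request.
 *
 * <p>Once any check rules the request out, {@link #ignored} latches to {@code true} so later
 * callbacks become no-ops. Instances are per request and are not thread-safe.
 *
 * <p>NOTE(review): the token detection below is a passive name/shape heuristic. A parameter whose
 * name matches "token" (via {@code W.d}) with a value of plausible length suppresses the finding
 * without any evidence that the server actually validated it, so false negatives are possible by
 * design; this is documented rather than changed.
 */
public class c extends HttpWatcher {
    /** Latched once the request has been ruled out or reported; no further work is done. */
    private boolean ignored = false;
    /** Mode that selects how {@link #urlPatterns} are interpreted (known-idempotent vs. need-protecting). */
    private final CSRFRule.a mode;
    /** URL patterns interpreted according to {@link #mode}; may be {@code null}. */
    private final SimplePattern[] urlPatterns;
    /** Reporting facade used to emit the finding. */
    private final ProviderUtil providerUtil;
    /** Inclusive bounds on the length of a value accepted as a plausible anti-CSRF token. */
    private static final int MIN_TOKEN_LENGTH = 8;
    private static final int MAX_TOKEN_LENGTH = 24;
    /** HTTP methods the rule evaluates; any other method is ignored. */
    private static final String[] SUPPORTED_METHODS = {HttpGet.METHOD_NAME, HttpPost.METHOD_NAME};
    /** Content types for which the rule is evaluated; any other content type is ignored. */
    private static final Set<String> SUPPORTED_CONTENT_TYPES =
            o.b(HTTP.PLAIN_TEXT_TYPE, "multipart/form-data", URLEncodedUtils.CONTENT_TYPE);
    private static final Logger LOG = LoggerFactory.getLogger(c.class);

    /**
     * @param aVar mode selecting the semantics of {@code simplePatternArr}
     * @param simplePatternArr URL patterns for the mode; may be {@code null}
     * @param providerUtil finding reporter
     */
    public c(CSRFRule.a aVar, SimplePattern[] simplePatternArr, ProviderUtil providerUtil) {
        this.mode = aVar;
        this.urlPatterns = simplePatternArr;
        this.providerUtil = providerUtil;
    }

    /** No per-request setup is needed; all decisions are made in {@link #supports} and {@link #onResponseEnd}. */
    @Override
    public void onRequestStart(HttpRequest httpRequest) {
    }

    /** Response body chunks are not inspected by this rule. */
    @Override
    public void onChunkReceived(String str) {
    }

    /** Response headers are not inspected by this rule. */
    @Override
    public void onHeaderSet(String str, String str2) {
    }

    /** Response headers are not inspected by this rule. */
    @Override
    public void onDateHeaderSet(String str, long j) {
    }

    /** Response headers are not inspected by this rule. */
    @Override
    public void onIntHeaderSet(String str, int i2) {
    }

    /**
     * Reports a CSRF finding when the completed request/response pair qualifies.
     *
     * <p>Skips the request if it was already ruled out, if another component marked it with the
     * {@code csrf.token.checked} property (presumably set when a token was verified), if the
     * response is an error, if a token-looking parameter was observed, or if the mode yields no
     * state-changing actions.
     */
    @Override
    public void onResponseEnd(HttpRequest httpRequest, HttpResponse httpResponse) {
        // Honour a marker set elsewhere in the pipeline; once set, this watcher stays silent.
        this.ignored = this.ignored || httpRequest.getProperties().containsKey("csrf.token.checked");
        if (this.ignored) {
            return;
        }
        if (a(httpResponse.getStatus())) {
            // An error response is not a successful state change; nothing to report.
            this.ignored = true;
            return;
        }
        if (!b(httpRequest)) {
            return;
        }
        List<StateChangingActionDTM> actions = this.mode.a(httpRequest);
        if (actions == null || actions.isEmpty()) {
            return;
        }
        reportCsrfFinding(httpRequest, actions);
    }

    /** Rule-specific request hash; {@code f.b} is the constant from the rasp csrf package (imported type {@code f}). */
    @Override
    public long getRuleRequestHash(HttpRequest httpRequest) {
        return u.e.a(f.b, httpRequest);
    }

    /** Same as {@link #getRuleRequestHash(HttpRequest)} but folds into the supplied {@code crc32}. */
    @Override
    public long getRuleRequestHash(HttpRequest httpRequest, CRC32 crc32) {
        return u.e.a(crc32, f.b, httpRequest);
    }

    /**
     * Emits the finding with the serialized state-changing actions attached.
     *
     * <p>Reporting is best-effort: any failure is logged and swallowed so the watcher never breaks
     * the application's response path.
     *
     * @param httpRequest the request being reported
     * @param actions non-empty list of observed state-changing actions
     */
    private void reportCsrfFinding(HttpRequest httpRequest, List<StateChangingActionDTM> actions) {
        String normalizedUri = httpRequest.getNormalizedUri();
        try {
            // Typed EnumMap instead of the raw type with unchecked casts.
            Map<PropertyKey, String> properties = new EnumMap<>(PropertyKey.class);
            properties.put(PropertyKey.ACTIONS, C0224u.a(actions));
            this.providerUtil.reportFinding(f.b, properties, u.e.a(f.b, httpRequest), true);
        } catch (Exception e) {
            LOG.error("Problem reporting CSRF rule for {}", normalizedUri, e);
        }
    }

    /**
     * @return {@code true} when the request is a GET without a query string (treated as
     *     non-state-changing); {@code W.a} is presumably an empty/blank check
     */
    boolean a(HttpRequest httpRequest) {
        return HttpGet.METHOD_NAME.equalsIgnoreCase(httpRequest.getMethod())
                && W.a(httpRequest.getQueryString());
    }

    /**
     * Decides whether the request should still be considered for CSRF, i.e. whether NO
     * token-looking form parameter or multipart field was observed.
     *
     * <p>A parameter is treated as a token when its name matches {@code f.b} (the rule constant),
     * or when its name matches {@code "token"} and its single value has a plausible token shape
     * (see {@link #a(String)}). {@code W.d} is presumably a case-insensitive name match.
     *
     * @return {@code true} when no token-looking input was found
     */
    boolean b(HttpRequest httpRequest) {
        Map<String, String[]> parameters = httpRequest.getParameters();
        if (parameters != null) {
            for (Map.Entry<String, String[]> entry : parameters.entrySet()) {
                String name = entry.getKey();
                if (W.d(name, f.b)) {
                    LOG.debug("Not considering CSRF because possible token value observed {}", name);
                    return false;
                }
                String[] values = entry.getValue();
                // a(String[]) is only true for exactly one value, so values[0] is safe here.
                if (W.d(name, "token") && a(values)) {
                    LOG.debug("Not considering CSRF because possible token value observed {}={}", name, values[0]);
                    return false;
                }
            }
        }
        Set<MultipartItem> multipartItems = httpRequest.getMultipartItems();
        if (multipartItems == null) {
            return true;
        }
        for (MultipartItem item : multipartItems) {
            String fieldName = item.getFieldName();
            if (W.d(fieldName, f.b)) {
                LOG.debug("Not considering CSRF because possible token value observed {}", fieldName);
                return false;
            }
            if (W.d(fieldName, "token")) {
                String value = item.getValue();
                if (a(value)) {
                    LOG.debug("Not considering CSRF because possible token value observed {}={}", fieldName, value);
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * @return {@code true} when the parameter has exactly one value and that value looks like a
     *     token per {@link #a(String)}; multi-valued parameters are never treated as tokens
     */
    boolean a(String[] strArr) {
        return strArr != null && strArr.length == 1 && a(strArr[0]);
    }

    /**
     * @return {@code true} when {@code str} is non-null, between {@link #MIN_TOKEN_LENGTH} and
     *     {@link #MAX_TOKEN_LENGTH} characters inclusive, and satisfies {@code W.f} (presumably a
     *     character-class check, e.g. alphanumeric)
     */
    boolean a(String str) {
        if (str == null || str.length() < MIN_TOKEN_LENGTH || str.length() > MAX_TOKEN_LENGTH) {
            return false;
        }
        return W.f(str);
    }

    /** @return {@code true} for client- or server-error status codes (400 and above). */
    boolean a(int i2) {
        return i2 >= 400;
    }

    /**
     * Applies the rule's pre-filters. Every rejection latches {@link #ignored} and logs the reason
     * at debug level.
     *
     * <p>Order of checks: X-Requested-With present (AJAX-style request), missing User-Agent
     * (non-browser), static resource, unsupported or malformed Content-Type, unsupported method,
     * GET without query string, and finally the URL list according to {@link #mode}.
     *
     * @return {@code true} when the request should be watched
     */
    @Override
    public boolean supports(HttpRequest httpRequest) {
        String requestedWith = httpRequest.getHeader("X-Requested-With");
        if (!W.a(requestedWith)) {
            LOG.debug("Ignoring CSRFRule for {} because X-Requested-With={}", httpRequest.getUri(), requestedWith);
            this.ignored = true;
            return false;
        }
        if (W.a(httpRequest.getHeader("User-Agent"))) {
            this.ignored = true;
            LOG.debug("Ignoring CSRFRule for {} because no User-Agent was supplied -- not a browser interaction", httpRequest.getUri());
            return false;
        }
        if (C0226w.b(httpRequest)) {
            this.ignored = true;
            LOG.debug("Ignoring CSRFRule for {} because it looks like its a static resource", httpRequest.getUri());
            return false;
        }
        String contentType = httpRequest.getHeader("Content-Type");
        if (contentType != null) {
            try {
                HeaderElement[] elements = BasicHeaderValueParser.parseElements(contentType, BasicHeaderValueParser.INSTANCE);
                if (elements.length == 0) {
                    this.ignored = true;
                    LOG.debug("Ignoring CSRFRule for {} because its content-type header is malformed value {}", httpRequest.getUri(), contentType);
                    return false;
                }
                // Only the media type (first element name) matters; parameters such as charset are ignored.
                if (!isSupportedContentType(elements[0].getName())) {
                    this.ignored = true;
                    LOG.debug("Ignoring CSRFRule for {} because Content-Type was {}", httpRequest.getUri(), contentType);
                    return false;
                }
            } catch (ParseException e) {
                this.ignored = true;
                LOG.debug("Ignoring CSRFRule for {} because its content-type header is malformed value {}", httpRequest.getUri(), contentType, e);
                return false;
            }
        }
        String method = httpRequest.getMethod();
        // A null method is not rejected here (matches the original behaviour).
        if (method != null && !isSupportedMethod(method)) {
            this.ignored = true;
            LOG.debug("Ignoring CSRFRule for {} because method was {}", httpRequest.getUri(), method);
            return false;
        }
        if (a(httpRequest)) {
            this.ignored = true;
            LOG.debug("Ignoring CSRFRule for {} because method was GET and no querystring", httpRequest.getUri());
            return false;
        }
        String normalizedUri = httpRequest.getNormalizedUri();
        if (CSRFRule.a.KNOWN_IDEMPOTENT.equals(this.mode) && c(normalizedUri)) {
            this.ignored = true;
            LOG.debug("Ignoring CSRFRule for {} because URL was known idempotent", normalizedUri);
            return false;
        }
        if (CSRFRule.a.KNOWN_NEED_PROTECTING.equals(this.mode) && !c(normalizedUri)) {
            this.ignored = true;
            LOG.debug("Ignoring CSRFRule for {} because URL was not on the need-to-protect list", normalizedUri);
            return false;
        }
        return true;
    }

    /**
     * @return {@code true} when any configured URL pattern matches {@code str}; {@code false} when
     *     no patterns are configured
     */
    boolean c(String str) {
        if (this.urlPatterns == null) {
            return false;
        }
        for (SimplePattern pattern : this.urlPatterns) {
            if (pattern.matches(str)) {
                return true;
            }
        }
        return false;
    }

    /** @return {@code true} when {@code method} is one of {@link #SUPPORTED_METHODS} per {@code W.b}. */
    private boolean isSupportedMethod(String method) {
        return W.b(SUPPORTED_METHODS, method);
    }

    /** @return {@code true} when {@code mediaType} is exactly one of {@link #SUPPORTED_CONTENT_TYPES}. */
    private boolean isSupportedContentType(String mediaType) {
        return SUPPORTED_CONTENT_TYPES.contains(mediaType);
    }
}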
