package org.openrewrite.java.security;

import java.util.Objects;
import org.openrewrite.Cursor;
import org.openrewrite.ExecutionContext;
import org.openrewrite.Recipe;
import org.openrewrite.TreeVisitor;
import org.openrewrite.java.JavaIsoVisitor;
import org.openrewrite.java.JavaVisitor;
import org.openrewrite.java.MethodMatcher;
import org.openrewrite.java.search.UsesType;
import org.openrewrite.java.tree.J;
import org.openrewrite.java.tree.Statement;
import org.openrewrite.java.tree.TypeUtils;

/* loaded from: input_file:org/openrewrite/java/security/XmlParserXXEVulnerability.class */
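/**
 * Recipe that hardens {@code javax.xml.stream.XMLInputFactory} usage against XML external entity
 * (XXE) processing. Where a class creates a factory but does not call {@code setProperty} for
 * {@code IS_SUPPORTING_EXTERNAL_ENTITIES} and/or {@code SUPPORT_DTD}, the recipe inserts the
 * missing call(s) with the value {@code false}.
 *
 * <p>How it works: the visitor returned by {@link #getVisitor()} leaves messages on the enclosing
 * class declaration (the factory variable name, the block that creates the factory, and the
 * blocks that already set each property). Once the class has been visited, a follow-up
 * {@link XmlFactoryInsertPropertyStatementVisitor} is scheduled to add whatever is missing.
 *
 * <p>NOTE(review): limits of the detection that matter when relying on this recipe as a control:
 * <ul>
 *   <li>An existing {@code setProperty} call is recognised only by the simple name of its first
 *       argument; the value argument is never inspected. A file that explicitly sets either
 *       property to {@code true} is therefore treated as already configured and left unchanged.
 *       Such call sites need manual review.</li>
 *   <li>Only a first argument that is a field access (for example
 *       {@code XMLInputFactory.SUPPORT_DTD}) is recognised. A string literal or a statically
 *       imported constant is not matched, so the recipe may add a second call for that
 *       property.</li>
 *   <li>All messages use fixed keys on the enclosing class declaration, so a class holding
 *       several factories presumably ends up with a single insertion for the last recorded
 *       variable name. Confirm against the message semantics of {@code Cursor}.</li>
 * </ul>
 */
public class XmlParserXXEVulnerability extends Recipe {
    // Matches the static creation methods of XMLInputFactory whose name starts with "new" and that take no arguments.
    private static final MethodMatcher XML_PARSER_FACTORY_INSTANCE = new MethodMatcher("javax.xml.stream.XMLInputFactory new*()");
    // Matches XMLInputFactory.setProperty(String, <anything>).
    private static final MethodMatcher XML_PARSER_FACTORY_SET_PROPERTY = new MethodMatcher("javax.xml.stream.XMLInputFactory setProperty(java.lang.String, ..)");
    private static final String XML_FACTORY_FQN = "javax.xml.stream.XMLInputFactory";
    // The two property-name constants double as cursor message keys and as the field names compared in visitMethodInvocation.
    private static final String SUPPORTING_EXTERNAL_ENTITIES_PROPERTY_NAME = "IS_SUPPORTING_EXTERNAL_ENTITIES";
    private static final String SUPPORT_DTD_PROPERTY_NAME = "SUPPORT_DTD";
    // Cursor message keys only.
    private static final String XML_PARSER_INITIALIZATION_METHOD = "xml-parser-initialization-method";
    private static final String XML_FACTORY_VARIABLE_NAME = "xml-factory-variable-name";

    /**
     * Follow-up visitor that inserts the missing {@code setProperty(..., false)} statements into
     * one specific block.
     */
    public static class XmlFactoryInsertPropertyStatementVisitor extends JavaIsoVisitor<ExecutionContext> {
        // The block that receives the generated statements.
        J.Block scope;
        // Source text of the statements to insert, assembled in the constructor.
        StringBuilder propertyTemplate = new StringBuilder();

        /**
         * @param block the block in which the statements are inserted
         * @param str   name of the factory variable the generated calls are made on
         * @param z     whether to generate the {@code IS_SUPPORTING_EXTERNAL_ENTITIES} call
         * @param z2    whether to generate the {@code SUPPORT_DTD} call
         */
        public XmlFactoryInsertPropertyStatementVisitor(J.Block block, String str, boolean z, boolean z2) {
            this.scope = block;
            if (z) {
                this.propertyTemplate.append(str).append(".setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);");
            }
            if (z2) {
                this.propertyTemplate.append(str).append(".setProperty(XMLInputFactory.SUPPORT_DTD, false);");
            }
        }

        /**
         * Inserts the generated statements when {@code block} is the target scope; any other block
         * is returned as visited.
         */
        @Override // org.openrewrite.java.JavaIsoVisitor, org.openrewrite.java.JavaVisitor
        public J.Block visitBlock(J.Block block, ExecutionContext executionContext) {
            // Fix: the decompiled listing passed "(J.Block) executionContext" here, which is not a valid
            // second argument for a JavaIsoVisitor<ExecutionContext>; the context is passed through as is.
            J.Block visited = super.visitBlock(block, executionContext);
            if (!visited.isScope(this.scope)) {
                return visited;
            }

            // Walk backwards from the second-to-last statement. Every match overwrites the anchor, so the
            // final anchor is the statement following the EARLIEST factory creation / setProperty statement.
            // The last statement is never examined itself; if nothing matches, the anchor stays null and
            // the new statements go to the end of the block.
            Statement insertBefore = null;
            for (int i = visited.getStatements().size() - 2; i > -1; i--) {
                Statement current = visited.getStatements().get(i);
                Statement following = visited.getStatements().get(i + 1);
                if (current instanceof J.MethodInvocation) {
                    J.MethodInvocation call = (J.MethodInvocation) current;
                    if (XmlParserXXEVulnerability.XML_PARSER_FACTORY_INSTANCE.matches(call)
                            || XmlParserXXEVulnerability.XML_PARSER_FACTORY_SET_PROPERTY.matches(call)) {
                        insertBefore = following;
                    }
                } else if (current instanceof J.VariableDeclarations) {
                    J.VariableDeclarations declarations = (J.VariableDeclarations) current;
                    // Only the first declared variable's initializer is considered.
                    if (declarations.getVariables().get(0).getInitializer() instanceof J.MethodInvocation) {
                        J.MethodInvocation initializer = (J.MethodInvocation) declarations.getVariables().get(0).getInitializer();
                        if (XmlParserXXEVulnerability.XML_PARSER_FACTORY_INSTANCE.matches(initializer)) {
                            insertBefore = following;
                        }
                    }
                }
            }

            // A block whose direct parent is a class declaration gets the statements wrapped in braces.
            if (getCursor().getParent() != null && (getCursor().getParent().getValue() instanceof J.ClassDeclaration)) {
                this.propertyTemplate.insert(0, "{\n").append("}");
            }
            return (J.Block) visited.withTemplate(
                    template(this.propertyTemplate.toString()).build(),
                    insertBefore != null ? insertBefore.getCoordinates().before() : visited.getCoordinates().lastStatement(),
                    new Object[0]);
        }
    }

    @Override
    public String getDisplayName() {
        return "XML parser XXE vulnerability";
    }

    @Override
    public String getDescription() {
        return "Avoid exposing dangerous features of the XML parser by setting XMLInputFactory `IS_SUPPORTING_EXTERNAL_ENTITIES` and `SUPPORT_DTD` properties to `false`.";
    }

    /**
     * Limits the recipe to source files that use {@code javax.xml.stream.XMLInputFactory}.
     *
     * <p>NOTE(review): the decompiler renamed this method from {@code getSingleSourceApplicableTest}
     * (merged with its bridge method) and widened it from {@code protected}. Under the name shown
     * here it does not override the framework hook. The name is kept as it appears in the listing.
     */
    public JavaVisitor<ExecutionContext> m89getSingleSourceApplicableTest() {
        return new UsesType(XML_FACTORY_FQN);
    }

    /**
     * Builds the collecting visitor: it records what each class already does with its
     * {@code XMLInputFactory} and schedules the inserting visitor when a property is missing.
     */
    @Override
    protected TreeVisitor<?, ExecutionContext> getVisitor() {
        return new JavaIsoVisitor<ExecutionContext>() { // from class: org.openrewrite.java.security.XmlParserXXEVulnerability.1
            /**
             * Runs after the class body has been visited, then decides where (if anywhere) the
             * missing {@code setProperty} calls are inserted.
             */
            @Override // org.openrewrite.java.JavaIsoVisitor, org.openrewrite.java.JavaVisitor
            public J.ClassDeclaration visitClassDeclaration(J.ClassDeclaration classDeclaration, ExecutionContext executionContext) {
                // Fix: pass the execution context itself (the listing cast it to J.ClassDeclaration).
                J.ClassDeclaration visited = super.visitClassDeclaration(classDeclaration, executionContext);
                Cursor externalEntitiesBlock = (Cursor) getCursor().getMessage(XmlParserXXEVulnerability.SUPPORTING_EXTERNAL_ENTITIES_PROPERTY_NAME);
                Cursor supportDtdBlock = (Cursor) getCursor().getMessage(XmlParserXXEVulnerability.SUPPORT_DTD_PROPERTY_NAME);
                Cursor factoryCreationBlock = (Cursor) getCursor().getMessage(XmlParserXXEVulnerability.XML_PARSER_INITIALIZATION_METHOD);
                String factoryVariableName = (String) getCursor().getMessage(XmlParserXXEVulnerability.XML_FACTORY_VARIABLE_NAME);

                // Neither property seen: insert both next to the factory creation.
                // Exactly one seen: insert the other in the block that already sets the first.
                // Both seen: nothing to insert. The values passed to those calls are NOT checked.
                Cursor targetBlock;
                if (externalEntitiesBlock == null && supportDtdBlock == null) {
                    targetBlock = factoryCreationBlock;
                } else if (externalEntitiesBlock == null) {
                    targetBlock = supportDtdBlock;
                } else if (supportDtdBlock == null) {
                    targetBlock = externalEntitiesBlock;
                } else {
                    targetBlock = null;
                }

                if (targetBlock != null && factoryVariableName != null) {
                    doAfterVisit(new XmlFactoryInsertPropertyStatementVisitor(
                            (J.Block) targetBlock.getValue(),
                            factoryVariableName,
                            externalEntitiesBlock == null,
                            supportDtdBlock == null));
                }
                return visited;
            }

            /**
             * Records the simple name of any variable whose type is {@code XMLInputFactory} on the
             * enclosing class declaration.
             */
            @Override // org.openrewrite.java.JavaIsoVisitor, org.openrewrite.java.JavaVisitor
            public J.VariableDeclarations.NamedVariable visitVariable(J.VariableDeclarations.NamedVariable namedVariable, ExecutionContext executionContext) {
                // Fix: pass the execution context itself (the listing cast it to NamedVariable).
                J.VariableDeclarations.NamedVariable visited = super.visitVariable(namedVariable, executionContext);
                if (TypeUtils.isOfClassType(visited.getType(), XmlParserXXEVulnerability.XML_FACTORY_FQN)) {
                    getCursor().putMessageOnFirstEnclosing(J.ClassDeclaration.class, XmlParserXXEVulnerability.XML_FACTORY_VARIABLE_NAME, visited.getSimpleName());
                }
                return visited;
            }

            /**
             * Records the enclosing block of each factory creation call and of each
             * {@code setProperty} call that names one of the two hardening properties.
             */
            @Override // org.openrewrite.java.JavaIsoVisitor, org.openrewrite.java.JavaVisitor
            public J.MethodInvocation visitMethodInvocation(J.MethodInvocation methodInvocation, ExecutionContext executionContext) {
                // Fix: pass the execution context itself (the listing cast it to J.MethodInvocation).
                J.MethodInvocation visited = super.visitMethodInvocation(methodInvocation, executionContext);
                if (XmlParserXXEVulnerability.XML_PARSER_FACTORY_INSTANCE.matches(visited)) {
                    recordEnclosingBlock(XmlParserXXEVulnerability.XML_PARSER_INITIALIZATION_METHOD);
                } else if (XmlParserXXEVulnerability.XML_PARSER_FACTORY_SET_PROPERTY.matches(visited)
                        && (visited.getArguments().get(0) instanceof J.FieldAccess)) {
                    // Only the NAME of the property is compared here; the value argument
                    // (index 1) is not inspected, so setProperty(<property>, true) also counts.
                    J.FieldAccess propertyField = (J.FieldAccess) visited.getArguments().get(0);
                    if (XmlParserXXEVulnerability.SUPPORTING_EXTERNAL_ENTITIES_PROPERTY_NAME.equals(propertyField.getSimpleName())) {
                        recordEnclosingBlock(XmlParserXXEVulnerability.SUPPORTING_EXTERNAL_ENTITIES_PROPERTY_NAME);
                    } else if (XmlParserXXEVulnerability.SUPPORT_DTD_PROPERTY_NAME.equals(propertyField.getSimpleName())) {
                        recordEnclosingBlock(XmlParserXXEVulnerability.SUPPORT_DTD_PROPERTY_NAME);
                    }
                }
                return visited;
            }

            // Stores the cursor of the nearest enclosing J.Block under messageKey on the enclosing class declaration.
            private void recordEnclosingBlock(String messageKey) {
                getCursor().putMessageOnFirstEnclosing(
                        J.ClassDeclaration.class,
                        messageKey,
                        getCursor().dropParentUntil(J.Block.class::isInstance));
            }
        };
    }
}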
