package cn.morethank.open.admin.common.inject;

import cn.morethank.open.admin.common.domain.AppConstant;
import cn.morethank.open.admin.common.exception.FailedReqeustException;
import cn.morethank.open.admin.common.util.RequestUtil;
import java.util.Enumeration;
import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.springframework.web.servlet.HandlerInterceptor;

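@Component
/* loaded from: input_file:cn/morethank/open/admin/common/inject/AntiInjectInterceptor.class */
public class AntiInjectInterceptor implements HandlerInterceptor {
    private static final Logger log = LoggerFactory.getLogger(AntiInjectInterceptor.class);

    /**
     * Screens a request before its handler runs: every request parameter is passed through
     * {@code AntiInjectXssUtils.xssGetClean} and rejected if the cleaned value still contains
     * {@code AppConstant.ADMIN_FORBIDDEN}; for POST and PUT the body is additionally passed through
     * {@code AntiInjectXssUtils.xssPostClean} and checked the same way.
     *
     * <p>The request itself is not modified or wrapped here: the cleaned values are only inspected,
     * so downstream handlers still see the original parameters and body.
     *
     * @param httpServletRequest  the request under inspection
     * @param httpServletResponse unused
     * @param obj                 the handler selected for the request (unused)
     * @return {@code true} to let the request proceed
     * @throws FailedReqeustException if a parameter or the body contains the forbidden keyword, or
     *                                if the cleaning utility itself throws
     */
    @Override
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object obj) throws Exception {
        log.debug("------------AntiInjectInterceptor begin--------------");
        String servletPath = httpServletRequest.getServletPath();
        String pathInfo = httpServletRequest.getPathInfo();
        // Full path for log/error messages only.
        String str = pathInfo == null ? servletPath : servletPath + pathInfo;
        checkParams(httpServletRequest, str, httpServletRequest.getParameterNames());
        checkParams(httpServletRequest, str, httpServletRequest.getHeaderNames());
        // Locale.ROOT keeps the comparison independent of the JVM default locale.
        String upperCase = httpServletRequest.getMethod().toUpperCase(Locale.ROOT);
        if (!AppConstant.POST.equalsIgnoreCase(upperCase) && !AppConstant.PUT.equalsIgnoreCase(upperCase)) {
            return true;
        }
        String body = RequestUtil.getBody(httpServletRequest);
        if (!StringUtils.hasLength(body)) {
            // Nothing to inspect. This also covers a null body, which the original
            // body.contains(...) call would have turned into a NullPointerException.
            return true;
        }
        // Bodies can carry credentials or other sensitive fields, so the raw/cleaned
        // payloads are only emitted at DEBUG rather than INFO.
        log.debug("{} - {} XSS处理前参数：{}", upperCase, str, body);
        body = AntiInjectXssUtils.xssPostClean(body);
        log.debug("{} - {} XSS处理后参数：{}", upperCase, str, body);
        // NOTE(review): xssPostClean is not visible here; a null result is treated as
        // "nothing left to match" — confirm that is the intended contract.
        if (body == null || !body.contains(AppConstant.ADMIN_FORBIDDEN)) {
            return true;
        }
        log.error("{} - [{}] 参数：{}, 包含不允许sql的关键词，请求拒绝", upperCase, str, body);
        throw new FailedReqeustException("包含不允许的非法关键词，请求拒绝");
    }

    /**
     * Looks up every request parameter whose name is produced by {@code enumeration}, cleans each
     * of its values with {@code AntiInjectXssUtils.xssGetClean} and rejects the request if a cleaned
     * value contains {@code AppConstant.ADMIN_FORBIDDEN}.
     *
     * <p>All values of a multi-valued parameter are checked, not only the first one returned by
     * {@code getParameter}. A failure inside the cleaning utility is reported separately from a
     * forbidden-content rejection so the latter is no longer mislabelled as a cleaning error.
     *
     * <p>NOTE(review): the names are always resolved via {@code getParameterValues}. When this is
     * called with {@code getHeaderNames()} the header <em>values</em> are therefore never inspected,
     * only parameters that happen to share a header's name — confirm whether header screening was
     * intended.
     *
     * @param httpServletRequest the request whose parameters are inspected
     * @param str                request path, used in log messages only
     * @param enumeration        names to look up as request parameters
     * @throws FailedReqeustException if a value contains the forbidden keyword or cleaning throws
     */
    private void checkParams(HttpServletRequest httpServletRequest, String str, Enumeration<?> enumeration) {
        while (enumeration.hasMoreElements()) {
            String name = (String) enumeration.nextElement();
            String[] values = httpServletRequest.getParameterValues(name);
            if (values == null) {
                // No parameter of that name (typical for header names); nothing to check.
                continue;
            }
            for (String value : values) {
                log.debug("原请求参数值为：{}", value);
                String cleaned;
                try {
                    cleaned = AntiInjectXssUtils.xssGetClean(value);
                } catch (Exception e) {
                    // Only the cleaner's own failure is treated as a cleaning error.
                    log.error("请求清理xss攻击异常", e);
                    log.error("请求【" + str + "】参数中清理xss攻击异常, 请求拒绝");
                    throw new FailedReqeustException("invalid xss attack");
                }
                log.debug("修改后参数值为：{}", cleaned);
                if (cleaned != null && cleaned.contains(AppConstant.ADMIN_FORBIDDEN)) {
                    // The offending name/value stays in the server log; the exception message
                    // deliberately does not echo the raw input back to the caller.
                    String detail = name + " invalid content：" + value;
                    log.error("请求【{}】参数中包含不允许sql的关键词, 请求拒绝: {}", str, detail);
                    throw new FailedReqeustException("包含不允许的非法关键词，请求拒绝");
                }
            }
        }
    }
}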
