package edu.umd.cs.findbugs.detect;

import edu.umd.cs.findbugs.BugInstance;
import edu.umd.cs.findbugs.BugReporter;
import edu.umd.cs.findbugs.Detector;
import edu.umd.cs.findbugs.ba.CFG;
import edu.umd.cs.findbugs.ba.CFGBuilderException;
import edu.umd.cs.findbugs.ba.ClassContext;
import edu.umd.cs.findbugs.ba.DataflowAnalysisException;
import edu.umd.cs.findbugs.ba.Location;
import edu.umd.cs.findbugs.ba.constant.Constant;
import edu.umd.cs.findbugs.ba.constant.ConstantDataflow;
import java.util.Iterator;
import org.apache.bcel.classfile.JavaClass;
import org.apache.bcel.classfile.Method;
import org.apache.bcel.generic.ConstantPoolGen;
import org.apache.bcel.generic.INVOKEINTERFACE;
import org.apache.bcel.generic.Instruction;
import org.apache.bcel.generic.MethodGen;

/* loaded from: input_file:plugin-resources/jars/coreplugin.jar:edu/umd/cs/findbugs/detect/FindSqlInjection.class */
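/**
 * Detector that reports JDBC statement executions whose SQL text is not a compile-time
 * constant string (bug type {@code SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE}).
 *
 * <p>Coverage limits, as implemented here:
 * <ul>
 *   <li>Only {@code INVOKEINTERFACE} calls whose declared owner is exactly
 *       {@code java.sql.Statement} are inspected. Calls declared on
 *       {@code java.sql.PreparedStatement}, on {@code java.sql.Connection}
 *       (e.g. preparing a statement from a built string) or on a concrete driver class
 *       are not matched, so a clean result is not proof that SQL is never built from
 *       variable data.</li>
 *   <li>The check is "constant vs. non-constant", not taint tracking: a string assembled
 *       from trusted values is reported just like one assembled from request data, and
 *       each finding needs triage.</li>
 * </ul>
 */
public class FindSqlInjection implements Detector {
    /** Owner interface, as named in the constant pool, whose execute* calls are SQL sinks. */
    private static final String STATEMENT_INTERFACE = "java.sql.Statement";

    /** Signature prefix of the overloads that take the SQL text as their first argument. */
    private static final String SQL_FIRST_ARGUMENT_PREFIX = "(Ljava/lang/String;";

    /** Sink for findings and for analysis errors. */
    BugReporter bugReporter;

    /**
     * @param bugReporter reporter that receives findings and analysis errors
     */
    public FindSqlInjection(BugReporter bugReporter) {
        this.bugReporter = bugReporter;
    }

    /**
     * Cheap filter applied before the dataflow analysis; currently accepts every method.
     *
     * @return always {@code true}
     */
    private boolean prescreen(ClassContext classContext, Method method) {
        return true;
    }

    /**
     * Analyzes every method of the class that has a {@code MethodGen} (i.e. has code).
     * Analysis failures are logged through the reporter and do not stop the remaining
     * methods from being checked.
     *
     * @param classContext analysis context of the class being visited
     */
    @Override // edu.umd.cs.findbugs.Detector
    public void visitClassContext(ClassContext classContext) {
        for (Method method : classContext.getJavaClass().getMethods()) {
            MethodGen methodGen = classContext.getMethodGen(method);
            if (methodGen == null || !prescreen(classContext, method)) {
                continue;
            }
            try {
                analyzeMethod(classContext, method);
            } catch (CFGBuilderException e) {
                // The message previously named FindDeadLocalStores (copy/paste), which
                // sent anyone reading the error log to the wrong detector.
                this.bugReporter.logError("FindSqlInjection caught exception while analyzing " + methodGen, e);
            } catch (DataflowAnalysisException e) {
                this.bugReporter.logError("FindSqlInjection caught exception while analyzing " + methodGen, e);
            }
        }
    }

    /**
     * Tells whether the call is a {@code java.sql.Statement.execute*} overload whose first
     * argument is the SQL string.
     *
     * <p>Overloads without a leading {@code String} (for example {@code executeBatch()})
     * carry no SQL text at the call site and are skipped.
     */
    private static boolean isSqlExecuteCall(INVOKEINTERFACE call, ConstantPoolGen constantPool) {
        return call.getMethodName(constantPool).startsWith("execute")
                && call.getClassName(constantPool).equals(STATEMENT_INTERFACE)
                && call.getSignature(constantPool).startsWith(SQL_FIRST_ARGUMENT_PREFIX);
    }

    /**
     * Walks the method's CFG and reports each matching execute call whose SQL argument is
     * not a constant string according to the constant dataflow.
     *
     * @param classContext analysis context of the enclosing class
     * @param method       method to analyze; must have a {@code MethodGen}
     * @throws DataflowAnalysisException if the constant dataflow cannot be computed or queried
     * @throws CFGBuilderException       if the control-flow graph cannot be built
     */
    private void analyzeMethod(ClassContext classContext, Method method) throws DataflowAnalysisException, CFGBuilderException {
        JavaClass javaClass = classContext.getJavaClass();
        MethodGen methodGen = classContext.getMethodGen(method);
        ConstantPoolGen constantPool = methodGen.getConstantPool();
        try {
            CFG cfg = classContext.getCFG(method);
            ConstantDataflow constantDataflow = classContext.getConstantDataflow(method);
            Iterator<Location> locationIterator = cfg.locationIterator();
            while (locationIterator.hasNext()) {
                Location location = locationIterator.next();
                Instruction instruction = location.getHandle().getInstruction();
                if (!(instruction instanceof INVOKEINTERFACE)) {
                    continue;
                }
                INVOKEINTERFACE call = (INVOKEINTERFACE) instruction;
                if (!isSqlExecuteCall(call, constantPool)) {
                    continue;
                }
                // Stack slot 0 is the top of the operand stack, i.e. the LAST argument.
                // The SQL string is the FIRST argument, so for overloads such as
                // execute(String, int) it sits below the other arguments. Looking only at
                // slot 0 judged the trailing argument instead of the SQL text.
                int sqlSlot = call.getArgumentTypes(constantPool).length - 1;
                // NOTE(review): if the dataflow fact here can be an invalid (unreachable)
                // frame, getStackValue presumably throws and the rest of the method goes
                // unchecked; confirm whether a validity check is needed.
                Constant sqlValue = (Constant) constantDataflow.getFactAtLocation(location).getStackValue(sqlSlot);
                if (!sqlValue.isConstantString()) {
                    // Priority 2: presumably the normal priority level; confirm against the
                    // priority constants of this FindBugs version.
                    this.bugReporter.reportBug(
                            new BugInstance(this, "SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE", 2)
                                    .addClassAndMethod(methodGen, javaClass.getSourceFileName())
                                    .addSourceLine(methodGen, javaClass.getSourceFileName(), location.getHandle()));
                }
            }
        } catch (RuntimeException e) {
            // Best-effort: keep analyzing other methods, but record the failure with the
            // reporter instead of stdout so a method that was NOT checked shows up in the
            // analysis error log rather than being lost in console output.
            this.bugReporter.logError("FindSqlInjection caught exception while checking for SQL injection in "
                    + methodGen + " in " + javaClass.getSourceFileName(), e);
        }
    }

    /** No end-of-analysis work: findings are reported as they are found. */
    @Override // edu.umd.cs.findbugs.Detector
    public void report() {
    }
}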
