package com.huo.web.security;

import com.huo.io.File;
import com.huo.io.file.PropertyFile;
import com.huo.security.newton.SI;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.Interceptor;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.struts2.ServletActionContext;
import org.apache.struts2.views.jsp.iterator.IteratorGeneratorTag;

/* loaded from: classes.dex */
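/**
 * Struts2 interceptor that scans each request's cookie values, {@code Referer}
 * header and request parameters against a case-insensitive regular expression of
 * SQL/script-injection signatures. At {@code exceptionLevel} 1 every
 * {@code <img src=...>} found in a value must additionally point at an
 * allow-listed image extension. When something matches, an error message is
 * written to the response and the result code {@code "InjectionInterceptorError"}
 * is returned instead of invoking the action.
 *
 * <p>Behaviour by {@link #setExceptionLevel(int) exceptionLevel}:
 * <ul>
 *   <li>{@code 0} &ndash; scan with {@link #PATTERN_LEVEL0} (which also flags
 *       {@code <a} and {@code <img} tags), no image-extension check;</li>
 *   <li>{@code 1} &ndash; scan with {@link #PATTERN_LEVEL1} plus the image-extension check;</li>
 *   <li>any other value &ndash; no scanning, the action is always invoked.</li>
 * </ul>
 *
 * <p>Struts2 reuses a single interceptor instance across concurrent requests, so
 * all per-request data is carried in a local {@link RequestData} rather than in
 * instance fields (the previous implementation stored request, response, cookies
 * and referer on the shared instance, letting one request's data be scanned and
 * answered through another request's response).
 *
 * <p>A signature blocklist of this kind is a defence-in-depth layer; it does not
 * replace parameterised queries and context-aware output encoding in the actions
 * it guards.
 */
public class InjectionInterceptor implements Interceptor {
    private static final long serialVersionUID = 1;

    /** Compatibility flag for other code: set to {@code true} the first time a request is scanned. */
    public static Boolean __SYS_SHOVE_FLAG_IsUsed_InjectionInterceptor = false;

    /** Result code returned when a request is rejected. */
    private static final String ERROR_RESULT = "InjectionInterceptorError";

    /** Property key holding the separator-delimited list of exempt Referer prefixes. */
    private static final String REFERER_WHITELIST_KEY = "injectionInterceptor.referer.whitelist";

    /** Level-0 signatures: the level-1 set plus {@code <a} and {@code <img} tag detection. */
    private static final String RULE_LEVEL0 = "<[^>]+?style=[\\w]+?:expression\\(|\\b(alert|confirm|prompt)\\b|^\\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|/\\*.+?\\*/|<\\s*script\\b|<\\s*iframe\\b|<\\s*a\\b|<\\s*img\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)|[']+?.*?(OR|AND|[-]{2,}|UPDATE|CREATE|ALTER|DROP|TRUNCATE|SELECT|DELETE|EXEC|INSERT)\\b|\\b(OR|AND|[-]{2,}|UPDATE|CREATE|ALTER|DROP|TRUNCATE|SELECT|DELETE|EXEC|INSERT)\\b.*?[']+?";

    /** Level-1 signatures: as level 0 but without the {@code <a}/{@code <img} alternatives (images are validated separately). */
    private static final String RULE_LEVEL1 = "<[^>]+?style=[\\w]+?:expression\\(|\\b(alert|confirm|prompt)\\b|^\\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|/\\*.+?\\*/|<\\s*script\\b|<\\s*iframe\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)|[']+?.*?(OR|AND|[-]{2,}|UPDATE|CREATE|ALTER|DROP|TRUNCATE|SELECT|DELETE|EXEC|INSERT)\\b|\\b(OR|AND|[-]{2,}|UPDATE|CREATE|ALTER|DROP|TRUNCATE|SELECT|DELETE|EXEC|INSERT)\\b.*?[']+?";

    /** Matches an {@code <img>} tag; group 1 is the {@code src} value (unquoted, up to the first whitespace/quote/angle bracket). */
    private static final String RULE_IMG = "<img\\b[^<>]*?\\bsrc[\\s\t\r\n]*=[\\s\t\r\n]*[\"']?[\\s\t\r\n]*([^\\s\t\r\n\"'<>]*)[^<>]*?/?[\\s\t\r\n]*[/]*>";

    // Compiled once; Pattern is thread-safe so the instances can be shared between requests.
    private static final Pattern PATTERN_LEVEL0 = Pattern.compile(RULE_LEVEL0, Pattern.CASE_INSENSITIVE);
    private static final Pattern PATTERN_LEVEL1 = Pattern.compile(RULE_LEVEL1, Pattern.CASE_INSENSITIVE);
    private static final Pattern PATTERN_IMG = Pattern.compile(RULE_IMG, Pattern.CASE_INSENSITIVE);

    /**
     * Lower-case image extensions (with leading dot) accepted in {@code <img src>} values.
     * Built at class load so no request can observe a half-initialised collection.
     */
    private static final Set<String> VALID_IMG_EXTENSIONS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList(".jpg", ".jpeg", ".png", ".bmp", ".gif", ".tif", ".tiff")));

    /** Referer prefixes exempt from scanning; {@code null} when the property is absent or unreadable. */
    private static final String[] REFERER_WHITELIST = loadRefererWhitelist();

    /** Scan level configured via {@link #setExceptionLevel(int)}; see the class comment for the meaning of each value. */
    private int exceptionLevel = 0;

    /**
     * Reads {@link #REFERER_WHITELIST_KEY} from the application property file.
     *
     * @return the configured prefixes, or {@code null} if the file cannot be loaded or the key is blank
     */
    private static String[] loadRefererWhitelist() {
        PropertyFile propertyFile;
        try {
            propertyFile = new PropertyFile();
        } catch (Exception e) {
            // Best effort: without the property file the interceptor still runs, just with no exemptions.
            System.err.println("InjectionInterceptor: cannot load property file: " + e);
            return null;
        }
        String configured = propertyFile.read(REFERER_WHITELIST_KEY);
        if (StringUtils.isBlank(configured)) {
            return null;
        }
        return configured.split(IteratorGeneratorTag.DEFAULT_SEPARATOR);
    }

    /**
     * Snapshot of the parts of one request that are scanned. Kept as a local object
     * rather than on the shared interceptor instance so concurrent requests cannot
     * interfere with each other.
     */
    private static final class RequestData {
        final HttpServletRequest request;
        final HttpServletResponse response;
        final Map<String, String[]> parameterMap;
        /** May be {@code null}: the servlet API returns null when the request carries no cookies. */
        final Cookie[] cookies;
        /** May be {@code null} when no Referer header was sent. */
        final String referer;

        RequestData(HttpServletRequest request, HttpServletResponse response) {
            this.request = request;
            this.response = response;
            this.parameterMap = request.getParameterMap();
            this.cookies = request.getCookies();
            this.referer = request.getHeader("Referer");
        }

        /** True when there is nothing to scan at all. */
        boolean hasNothingToScan() {
            return parameterMap.isEmpty() && cookies == null && referer == null;
        }
    }

    /**
     * Writes the rejection message to the response and returns the error result code.
     *
     * @param response the response of the rejected request
     * @param source   which part of the request matched, quoted in the message
     * @return {@link #ERROR_RESULT}
     * @throws IOException if the response writer cannot be obtained
     */
    private static String reject(HttpServletResponse response, String source) throws IOException {
        // NOTE(review): the writer uses the response's current character encoding and the message
        // is non-ASCII, so that encoding must already be set (e.g. by an upstream filter) — confirm.
        response.getWriter().println("InjectionInterceptorError: 系统检测到您提交的数据中存在恶意的注入型攻击数据(或 img 标签的 src 文件类型不合法)，请检查 " + source + " 数据，如果是系统误报，请联系我们处理，谢谢。给您带来了不便，十分抱歉！");
        return ERROR_RESULT;
    }

    /**
     * Checks one value against the signature pattern and, optionally, validates the
     * extension of every {@code <img src>} it contains.
     *
     * @param pattern     signature pattern for the current level
     * @param value       the value to scan; {@code null}/empty is never suspicious
     * @param checkImages whether {@code <img>} tags are also validated against {@link #VALID_IMG_EXTENSIONS}
     * @return {@code true} if the value should cause the request to be rejected
     */
    private static boolean isSuspicious(Pattern pattern, String value, boolean checkImages) {
        if (value == null || value.isEmpty()) {
            return false;
        }
        if (pattern.matcher(value).find()) {
            return true;
        }
        if (!checkImages) {
            return false;
        }
        Matcher img = PATTERN_IMG.matcher(value);
        while (img.find()) {
            String ext = File.getExtensionName(img.group(1));
            // Fail closed: a src whose extension cannot be determined is treated like a disallowed one
            // (whether getExtensionName can return null is not visible here; previously this would NPE).
            if (ext == null || !VALID_IMG_EXTENSIONS.contains(ext.toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    /** Scans every cookie value; {@code false} when the request carries no cookies. */
    private static boolean cookiesSuspicious(RequestData data, Pattern pattern, boolean checkImages) {
        if (data.cookies == null) {
            return false;
        }
        for (Cookie cookie : data.cookies) {
            if (isSuspicious(pattern, cookie.getValue(), checkImages)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Scans the Referer header unless it starts with a configured whitelist entry.
     * The comparison is a plain prefix match, so entries should be complete origins
     * with a trailing slash; a bare host prefix would also exempt any longer host
     * sharing that prefix.
     */
    private static boolean refererSuspicious(RequestData data, Pattern pattern, boolean checkImages) {
        String referer = data.referer;
        if (referer == null || referer.isEmpty()) {
            return false;
        }
        if (REFERER_WHITELIST != null) {
            for (String prefix : REFERER_WHITELIST) {
                if (referer.startsWith(prefix)) {
                    return false;
                }
            }
        }
        return isSuspicious(pattern, referer, checkImages);
    }

    /** Scans every value of every request parameter (query string and form body alike). */
    private static boolean parametersSuspicious(RequestData data, Pattern pattern, boolean checkImages) {
        for (String[] values : data.parameterMap.values()) {
            for (String value : values) {
                if (isSuspicious(pattern, value, checkImages)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Runs the three scans in order (cookies, Referer, parameters) and rejects on the first hit.
     *
     * @return the error result code, or {@code null} if nothing matched
     */
    private static String scan(RequestData data, Pattern pattern, boolean checkImages) throws IOException {
        if (cookiesSuspicious(data, pattern, checkImages)) {
            return reject(data.response, "Cookie");
        }
        if (refererSuspicious(data, pattern, checkImages)) {
            return reject(data.response, "Referer");
        }
        if (parametersSuspicious(data, pattern, checkImages)) {
            return reject(data.response, "POST、GET");
        }
        return null;
    }

    /** Selects pattern and image check from {@link #exceptionLevel}; other levels scan nothing. */
    private String scanForLevel(RequestData data) throws IOException {
        switch (exceptionLevel) {
            case 0:
                return scan(data, PATTERN_LEVEL0, false);
            case 1:
                return scan(data, PATTERN_LEVEL1, true);
            default:
                return null;
        }
    }

    /** True for requests marked by the conventional {@code X-Requested-With: XMLHttpRequest} header. */
    private static boolean isAjaxRequest(HttpServletRequest request) {
        return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
    }

    @Override // com.opensymphony.xwork2.interceptor.Interceptor
    public void destroy() {
    }

    /** @return the configured scan level */
    public int getExceptionLevel() {
        return this.exceptionLevel;
    }

    @Override // com.opensymphony.xwork2.interceptor.Interceptor
    public void init() {
    }

    /**
     * Scans the current request and either continues the invocation or returns the
     * error result. For XMLHttpRequest callers the message has already been written
     * when a match is found, and {@code null} is returned so no Struts result is rendered.
     *
     * @param actionInvocation the invocation to continue when the request is clean
     * @return the action's result, {@link #ERROR_RESULT}, or {@code null} for a rejected Ajax request
     * @throws Exception propagated from the action or the response writer
     */
    @Override // com.opensymphony.xwork2.interceptor.Interceptor
    public String intercept(ActionInvocation actionInvocation) throws Exception {
        RequestData data = new RequestData(ServletActionContext.getRequest(), ServletActionContext.getResponse());
        // Project hook; invoked before any scanning, as before. Its effect is not visible here.
        SI.go(data.request, data.response);
        if (data.hasNothingToScan()) {
            return actionInvocation.invoke();
        }
        if (!__SYS_SHOVE_FLAG_IsUsed_InjectionInterceptor.booleanValue()) {
            // Nothing depends on this flag internally any more (the extension set is a constant),
            // so a benign race on it is acceptable; it is kept only because it is public.
            __SYS_SHOVE_FLAG_IsUsed_InjectionInterceptor = Boolean.TRUE;
        }
        String result = scanForLevel(data);
        if (result == null) {
            return actionInvocation.invoke();
        }
        return isAjaxRequest(data.request) ? null : result;
    }

    /**
     * Sets the scan level: 0 (default) or 1 enable scanning, anything else disables it.
     *
     * @param i the level, normally supplied from the interceptor configuration
     */
    public void setExceptionLevel(int i) {
        this.exceptionLevel = i;
    }
}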
