package cn.gtmap.gtc.starter.gcas.filter.xss;

import cn.gtmap.gtc.feign.common.util.ObjectMapperUtils;
import cn.gtmap.gtc.starter.gcas.config.StaticCfgContext;
import cn.gtmap.gtc.starter.gcas.util.ClientIpUtils;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.CollectionUtils;
import org.springframework.util.PathMatcher;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.UrlPathHelper;

/* loaded from: input_file:cn/gtmap/gtc/starter/gcas/filter/xss/XssFilter.class */
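/**
 * Servlet filter that (1) refuses a fixed set of sensitive management paths,
 * (2) refuses requests whose HTTP method is not in a known list, and
 * (3) wraps matching requests in {@link XssHttpServletRequestWrapper} so that
 * their parameters are XSS-sanitised before reaching the application.
 *
 * <p>The path refusal is a plain suffix blocklist on the servlet path; it is a
 * defence-in-depth measure and does not replace proper authorisation of
 * management endpoints.
 *
 * <p>Instances are immutable after construction and therefore safe to share.
 */
public class XssFilter extends OncePerRequestFilter {

    /**
     * Servlet-path suffixes that are always refused. Taken verbatim from the
     * original filter; order does not matter.
     */
    private static final String[] BLOCKED_PATH_SUFFIXES = {
        "/env", "/heapdump", "/logfile", "/mappings", "/actuator/",
        "/shutdown", "/beans", "/actuator"
    };

    /** Path fragment refused anywhere in the path (path-parameter traversal form). */
    private static final String TRAVERSAL_FRAGMENT = "..;";

    /**
     * HTTP methods that are allowed through. The original list contained the
     * misspellings "OPTION", "HEADER" and "TRANCE", which never match a real
     * request and so silently rejected OPTIONS (CORS preflight), HEAD and TRACE;
     * the correct spellings are used here. TRACE/CONNECT are kept because the
     * original intended to allow them; disable them at the container if unwanted.
     */
    private static final Set<String> SUPPORTED_METHODS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(
                    "GET", "HEAD", "POST", "PUT", "PATCH", "DELETE",
                    "OPTIONS", "TRACE", "CONNECT")));

    /** True when at least one URL pattern is configured; otherwise XSS wrapping is skipped entirely. */
    private final boolean enabled;
    /** Ant-style patterns whose requests get the XSS wrapper. */
    private final Collection<String> urls;
    /** Ant-style patterns that are never wrapped (checked before {@link #urls}). */
    private final Collection<String> excludes;
    /** Passed to the wrapper; presumably enables JSON-body sanitising — see XssHttpServletRequestWrapper. */
    private final boolean json;
    /** Passed to the wrapper; meaning is defined by XssHttpServletRequestWrapper. */
    private final boolean xssSample;
    private final PathMatcher pathMatcher = new AntPathMatcher();
    private final UrlPathHelper urlPathHelper = new UrlPathHelper();

    /**
     * Creates the filter.
     *
     * @param urlPatterns     comma-delimited Ant patterns to sanitise; merged with
     *                        {@code StaticCfgContext.getXssPath()}; may be null/empty
     * @param jsonEnabled     enables JSON handling in the wrapper; OR-ed with
     *                        {@code StaticCfgContext.getXssJson()}
     * @param excludePatterns comma-delimited Ant patterns that are never wrapped; may be null
     * @param xssSample       forwarded to the wrapper unchanged
     */
    public XssFilter(String urlPatterns, boolean jsonEnabled, String excludePatterns, boolean xssSample) {
        this.xssSample = xssSample;

        Set<String> patterns = new HashSet<>();
        if (!StringUtils.isEmpty(urlPatterns)) {
            patterns.addAll(StringUtils.commaDelimitedListToSet(urlPatterns));
        }
        String staticPath = StaticCfgContext.getXssPath();
        if (!StringUtils.isEmpty(staticPath)) {
            patterns.addAll(StringUtils.commaDelimitedListToSet(staticPath));
        }
        // No patterns at all means there is nothing to sanitise: the filter becomes a pass-through.
        this.enabled = !CollectionUtils.isEmpty(patterns);
        this.urls = Collections.unmodifiableSet(patterns);

        // Static configuration can switch JSON handling on even when the constructor argument is false.
        this.json = jsonEnabled || Boolean.TRUE.equals(StaticCfgContext.getXssJson());

        // commaDelimitedListToSet tolerates null and yields an empty set.
        this.excludes = StringUtils.commaDelimitedListToSet(excludePatterns);
    }

    /**
     * Applies the blocklist, the method check and finally the XSS wrapper.
     *
     * <p>Refused requests now carry a matching HTTP status (403 for blocked
     * paths, 405 for unsupported methods) instead of 200, so that clients and
     * monitoring can distinguish them from successful responses; the response
     * bodies are unchanged.
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        if (isBlockedPath(request.getServletPath(), request.getRequestURI())) {
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.setContentType("text/plain;charset=utf-8");
            response.getWriter().write("# response_auth_error No permission");
            return;
        }

        if (!isExcludeMethod(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            response.setContentType("application/json; charset=UTF-8");
            Map<String, String> body = new HashMap<>();
            body.put("code", "1");
            // "meg" (sic) is the key existing clients read; do not rename.
            body.put("meg", "不支持的请求方式");
            response.getWriter().write(ObjectMapperUtils.toJson(body));
            return;
        }

        // XML bodies are passed through untouched. Note this is an exact header match:
        // "application/xml; charset=..." does NOT take this branch and will be wrapped.
        if (!this.enabled || "application/xml".equalsIgnoreCase(request.getHeader("Content-Type"))) {
            filterChain.doFilter(request, response);
            return;
        }

        String lookupPath = this.urlPathHelper.getLookupPathForRequest(request);
        // Exclusions (constructor-supplied and static) win over the sanitise patterns.
        boolean excluded = ClientIpUtils.matchUrl(this.pathMatcher, this.excludes, lookupPath)
                || ClientIpUtils.matchUrl(this.pathMatcher, StaticCfgContext.getXssExcludes(), lookupPath);
        if (!excluded && ClientIpUtils.matchUrl(this.pathMatcher, this.urls, lookupPath)) {
            filterChain.doFilter(new XssHttpServletRequestWrapper(request, this.json, this.xssSample), response);
            return;
        }
        filterChain.doFilter(request, response);
    }

    /**
     * Returns true when the request must be refused outright.
     *
     * <p>The suffix blocklist is evaluated against the servlet path, as before.
     * The {@code ..;} check is applied to the raw request URI as well, because the
     * servlet path is already decoded and normalised by the container and may no
     * longer contain the fragment.
     *
     * @param servletPath value of {@code getServletPath()}; treated as "" when null
     * @param requestUri  value of {@code getRequestURI()}; may be null
     */
    private static boolean isBlockedPath(String servletPath, String requestUri) {
        String path = servletPath == null ? "" : servletPath;
        if (path.contains(TRAVERSAL_FRAGMENT)
                || (requestUri != null && requestUri.contains(TRAVERSAL_FRAGMENT))) {
            return true;
        }
        for (String suffix : BLOCKED_PATH_SUFFIXES) {
            if (path.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns true when the HTTP method is one the filter lets through.
     * Comparison is case-insensitive, as in the original; null is rejected.
     */
    private boolean isExcludeMethod(String method) {
        return method != null && SUPPORTED_METHODS.contains(method.toUpperCase(Locale.ROOT));
    }
}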
