package cn.gtmap.gtc.starter.gcas.filter.xss;

import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.safety.Whitelist;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StringUtils;

/* loaded from: input_file:cn/gtmap/gtc/starter/gcas/filter/xss/XssHttpServletRequestWrapper.class */
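/**
 * Request wrapper that applies a blocklist-style XSS / SQL-keyword filter to header values,
 * parameters and (optionally) a JSON request body before they reach the application.
 *
 * <p>All filtering goes through {@link #convent(String)}: the value is first stripped of every
 * HTML tag with Jsoup ({@link Whitelist#none()}), then rejected with an
 * {@link IllegalArgumentException} if the stripped text still contains one of the configured
 * event-handler, script or SQL keyword patterns.
 *
 * <p>Points a maintainer should know, all visible in the code below:
 * <ul>
 *   <li>The keyword patterns are unanchored, case-insensitive substring matches. Short tokens such
 *       as {@code or}, {@code and}, {@code by}, {@code from}, {@code window} or the apostrophe
 *       therefore also reject ordinary text (for example {@code window} matches the word
 *       "Windows" in a User-Agent header), so the false-positive rate is high.</li>
 *   <li>Only {@link #getHeader(String)}, {@link #getParameter(String)},
 *       {@link #getParameterValues(String)} and, when {@code json} is set,
 *       {@link #getInputStream()} are filtered. {@code getHeaders(String)},
 *       {@code getParameterMap()}, {@code getQueryString()} and {@code getReader()} are inherited
 *       from the wrapper unfiltered.</li>
 *   <li>A keyword blocklist is a defence-in-depth layer only; it does not replace parameterised
 *       queries and context-aware output encoding in the application.</li>
 * </ul>
 *
 * <p>Instances are not thread-safe; like the request they wrap they are meant for a single thread.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private static final Logger logger = LoggerFactory.getLogger(XssHttpServletRequestWrapper.class);

    /** Jsoup safelist that allows no tags at all: every element is dropped, only text survives. */
    private static final Whitelist whitelist = Whitelist.none();
    /** Keeps Jsoup from re-indenting the cleaned text so the value is otherwise unchanged. */
    private static final Document.OutputSettings outputSettings = new Document.OutputSettings().prettyPrint(false);

    private static final String WINDOW_EVENT_REGEX = "onafterprint|onbeforeprint|onbeforeonload|onblur|onerror|onfocus|onhashchange|onload|onmessage|onoffline|ononline|onpagehide|onpageshow|onpopstate|onredo|onresize|onstorage|onundo|onunload";
    private static final Pattern p_window_event = Pattern.compile(WINDOW_EVENT_REGEX, Pattern.CASE_INSENSITIVE);
    private static final String FORM_EVENT_REGEX = "onblur|onchange|oncontextmenu|onfocus|onformchange|onforminput|oninput|oninvalid|onreset|onselect|onsubmit";
    private static final Pattern p_form_event = Pattern.compile(FORM_EVENT_REGEX, Pattern.CASE_INSENSITIVE);
    private static final String KEYBOARD_EVENT_REGEX = "onkeydown|onkeypress|onkeyup";
    private static final Pattern p_keyboard_event = Pattern.compile(KEYBOARD_EVENT_REGEX, Pattern.CASE_INSENSITIVE);
    private static final String MOUSE_EVENT_REGEX = "onclick|ondblclick|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onmousewheel|onscroll";
    private static final Pattern p_mouse_event = Pattern.compile(MOUSE_EVENT_REGEX, Pattern.CASE_INSENSITIVE);
    private static final String MEDIA_EVENT_REGEX = "onabort|oncanplay|oncanplaythrough|ondurationchange|onemptied|onended|onerror|onloadeddata|onloadedmetadata|onloadstart|onpause|onplay|onplaying|onprogress|onratechange|onreadystatechange|onseeked|onseeking|onstalled|onsuspend|ontimeupdate|onvolumechange|onwaiting";
    private static final Pattern p_media_event = Pattern.compile(MEDIA_EVENT_REGEX, Pattern.CASE_INSENSITIVE);
    private static final String OTHER_EVENT_REGEX = "onshow|ontoggle|window|having|location|alert|eval|Content-Type:|Content-Transfer-Encoding:|function";
    private static final Pattern p_other_event = Pattern.compile(OTHER_EVENT_REGEX, Pattern.CASE_INSENSITIVE);
    private static final String SQL_EVENT_REGEX = "'|and|exec|execute|insert|select|delete|update|drop|chr|sitename|net user|xp_cmdshell|create|from|grant|group_concat|column_name|information_schema.columns|table_schema|union|where|order|by|mid|master|truncate|char|declare|or|--|like";
    private static final Pattern p_sql_event = Pattern.compile(SQL_EVENT_REGEX, Pattern.CASE_INSENSITIVE);

    /** Event-handler / script patterns, in the order {@link #removeHtml(String)} applies them. */
    private static final Pattern[] HTML_EVENT_PATTERNS = {
        p_window_event, p_form_event, p_keyboard_event, p_mouse_event, p_media_event, p_other_event
    };

    /** Whether the body is JSON and should be read, filtered and replayed by {@link #getInputStream()}. */
    private final boolean json;
    /** Filtered body as UTF-8 bytes; set by the first successful {@link #getInputStream()} call when {@link #json} is true. */
    private byte[] sanitizedBody;

    /**
     * @param httpServletRequest the request to wrap
     * @param z {@code true} if the request body is JSON and must be filtered by {@link #getInputStream()}
     */
    public XssHttpServletRequestWrapper(HttpServletRequest httpServletRequest, boolean z) {
        super(httpServletRequest);
        this.json = z;
    }

    /**
     * Returns the header value after {@link #convent(String)}; see the class note on false positives.
     *
     * @throws IllegalArgumentException if the header value is rejected by the filter
     */
    @Override
    public String getHeader(String str) {
        return convent(super.getHeader(str));
    }

    /**
     * Returns the parameter value after {@link #convent(String)}.
     *
     * @throws IllegalArgumentException if the parameter value is rejected by the filter
     */
    @Override
    public String getParameter(String str) {
        return convent(super.getParameter(str));
    }

    /**
     * Returns a new array holding each parameter value after {@link #convent(String)}, or
     * {@code null} when the parameter is absent.
     *
     * @throws IllegalArgumentException if any of the values is rejected by the filter
     */
    @Override
    public String[] getParameterValues(String str) {
        String[] parameterValues = super.getParameterValues(str);
        if (parameterValues == null) {
            return null;
        }
        String[] filtered = new String[parameterValues.length];
        for (int i = 0; i < parameterValues.length; i++) {
            filtered[i] = convent(parameterValues[i]);
        }
        return filtered;
    }

    /**
     * For JSON requests, reads the whole body, passes it through {@link #convent(String)} and
     * returns an in-memory stream replaying the filtered text; the filtered body is cached so
     * repeated calls see the same content instead of an exhausted underlying stream. For other
     * requests the wrapped request's stream is returned untouched.
     *
     * @throws IOException if the wrapped request cannot provide its stream
     * @throws IllegalArgumentException if the body is rejected by the filter
     */
    @Override
    public ServletInputStream getInputStream() throws IOException {
        if (!this.json) {
            return super.getInputStream();
        }
        if (sanitizedBody == null) {
            // The whole body is buffered in memory with no size cap of its own; this relies on the
            // container's (or an upstream proxy's) request-size limits.
            String filtered = convent(getRequestBody(super.getInputStream()));
            // Encode with the same charset the body was decoded with. Using the platform default
            // here would corrupt non-ASCII content on JVMs whose default is not UTF-8.
            sanitizedBody = filtered.getBytes(StandardCharsets.UTF_8);
        }
        return new ByteArrayServletInputStream(sanitizedBody);
    }

    /** Replays a filtered body from memory and reports its state correctly to non-blocking readers. */
    private static final class ByteArrayServletInputStream extends ServletInputStream {
        private final ByteArrayInputStream delegate;

        ByteArrayServletInputStream(byte[] body) {
            this.delegate = new ByteArrayInputStream(body);
        }

        @Override
        public int read() {
            return delegate.read();
        }

        @Override
        public int read(byte[] b, int off, int len) {
            return delegate.read(b, off, len);
        }

        @Override
        public int available() {
            return delegate.available();
        }

        /** True once every byte has been handed out; a constant {@code false} here makes isFinished()-polling readers spin forever. */
        @Override
        public boolean isFinished() {
            return delegate.available() == 0;
        }

        /** In-memory data can always be read without blocking. */
        @Override
        public boolean isReady() {
            return true;
        }

        /** Non-blocking mode is not supported for the in-memory body; the listener is ignored. */
        @Override
        public void setReadListener(ReadListener readListener) {
        }
    }

    /**
     * Reads the remaining body as UTF-8 text. Line terminators are dropped, as in the original
     * line-based implementation (harmless for JSON, which only allows escaped newlines inside
     * strings). On an I/O error the failure is logged and whatever was read so far is returned.
     *
     * @param inputStream the wrapped request's body stream; it is deliberately not closed here
     */
    private String getRequestBody(InputStream inputStream) {
        StringBuilder sb = new StringBuilder();
        // Not try-with-resources: closing the reader would close the request's own stream.
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.UTF_8));
        try {
            String line;
            while ((line = bufferedReader.readLine()) != null) {
                sb.append(line);
            }
        } catch (IOException e) {
            // The original retried readLine() inside the loop, which spins forever when the
            // failure is persistent; stop and return the partial body instead.
            logger.warn("getRequestBody", e);
        }
        return sb.toString();
    }

    /**
     * Strips all HTML from {@code str} and rejects the result if it still contains a blocked keyword.
     *
     * @param str the raw value; {@code null} and the empty string are returned unchanged
     * @return the tag-stripped value
     * @throws IllegalArgumentException if the stripped value matches an event-handler, script or
     *         SQL keyword pattern, contains {@code ||}, or contains {@code count(}
     */
    public static String convent(String str) {
        if (StringUtils.isEmpty(str)) {
            return str;
        }
        String stripped = str;
        try {
            stripped = Jsoup.clean(stripped, "", whitelist, outputSettings);
        } catch (Exception e) {
            // NOTE(review): fails open — if Jsoup throws, the unstripped value continues to the
            // keyword checks below and, if it passes them, is returned as-is.
            logger.warn("convent", e);
        }
        // Locale.ROOT so case folding does not depend on the JVM's default locale; under a Turkish
        // locale an upper-case "I" folds to a dotless i, which would let keywords containing "i"
        // (e.g. INSERT, UNION) slip past the checks below.
        String lowerCase = stripped.toLowerCase(Locale.ROOT);
        if (hasHtml(lowerCase) || sqlXss(lowerCase) || lowerCase.contains("count(")) {
            throw new IllegalArgumentException("您发送请求中的参数中含有非法字符");
        }
        return stripped;
    }

    /** True if {@code str} contains any SQL keyword from {@link #SQL_EVENT_REGEX} as an unanchored substring. */
    private static boolean sqlXss(String str) {
        return p_sql_event.matcher(str).find();
    }

    /**
     * Not called from this class; retained as-is. Splits on single spaces and replaces every token
     * equal (ignoring case) to a blocked word with {@code forbid}.
     */
    private static String sqlConvent(String str) {
        String[] tokens = str.split(" ");
        for (String blocked : "'|and|exec|execute|insert|select|delete|update|count|drop|%|chr|mid|master|truncate|char|declare|sitename|net user|xp_cmdshell|;|or|-|+|,|like'|and|exec|execute|insert|create|drop|table|from|grant|use|group_concat|column_name|having|+having+|information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|chr|mid|master|truncate|char|declare|or|;|-|--|,|like|//|/|%|#".split("\\|")) {
            for (int i = 0; i < tokens.length; i++) {
                if (tokens[i].equalsIgnoreCase(blocked)) {
                    tokens[i] = "forbid";
                }
            }
        }
        return String.join(" ", tokens);
    }

    /** True if {@code str} matches any event-handler / script pattern or contains {@code ||}. */
    private static boolean hasHtml(String str) {
        for (Pattern pattern : HTML_EVENT_PATTERNS) {
            if (pattern.matcher(str).find()) {
                return true;
            }
        }
        return str.contains("||");
    }

    /**
     * Not called from this class; retained as-is. Replaces every event-handler / script pattern
     * match with {@code forbid}, applying the patterns in {@link #HTML_EVENT_PATTERNS} order, and trims.
     */
    private static String removeHtml(String str) {
        String result = str;
        for (Pattern pattern : HTML_EVENT_PATTERNS) {
            result = pattern.matcher(result).replaceAll("forbid");
        }
        return result.trim();
    }
}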
