package org.springframework.security.web.firewall;

import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpMethod;
import org.springframework.jdbc.datasource.init.ScriptUtils;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/spring-security-web-5.4.10.jar:org/springframework/security/web/firewall/StrictHttpFirewall.class */
public class StrictHttpFirewall implements HttpFirewall {
    private static final String ENCODED_PERCENT = "%25";
    private static final String PERCENT = "%";
    private Set<String> encodedUrlBlocklist = new HashSet();
    private Set<String> decodedUrlBlocklist = new HashSet();
    private Set<String> allowedHttpMethods = createDefaultAllowedHttpMethods();
    private Predicate<String> allowedHostnames = str -> {
        return true;
    };
    private Predicate<String> allowedHeaderNames = ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE;
    private Predicate<String> allowedHeaderValues = ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE;
    private Predicate<String> allowedParameterNames = ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE;
    private Predicate<String> allowedParameterValues = str -> {
        return true;
    };
    private static final Set<String> ALLOW_ANY_HTTP_METHOD = Collections.emptySet();
    private static final List<String> FORBIDDEN_ENCODED_PERIOD = Collections.unmodifiableList(Arrays.asList("%2e", "%2E"));
    private static final List<String> FORBIDDEN_SEMICOLON = Collections.unmodifiableList(Arrays.asList(ScriptUtils.DEFAULT_STATEMENT_SEPARATOR, "%3b", "%3B"));
    private static final List<String> FORBIDDEN_FORWARDSLASH = Collections.unmodifiableList(Arrays.asList("%2f", "%2F"));
    private static final List<String> FORBIDDEN_DOUBLE_FORWARDSLASH = Collections.unmodifiableList(Arrays.asList("//", "%2f%2f", "%2f%2F", "%2F%2f", "%2F%2F"));
    private static final List<String> FORBIDDEN_BACKSLASH = Collections.unmodifiableList(Arrays.asList("\\", "%5c", "%5C"));
    private static final List<String> FORBIDDEN_NULL = Collections.unmodifiableList(Arrays.asList("��", "%00"));
    private static final Pattern ASSIGNED_AND_NOT_ISO_CONTROL_PATTERN = Pattern.compile("[\\p{IsAssigned}&&[^\\p{IsControl}]]*");
    private static final Predicate<String> ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE = str -> {
        return ASSIGNED_AND_NOT_ISO_CONTROL_PATTERN.matcher(str).matches();
    };

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/spring-security-web-5.4.10.jar:org/springframework/security/web/firewall/StrictHttpFirewall$StrictFirewalledRequest.class */
    public class StrictFirewalledRequest extends FirewalledRequest {
        StrictFirewalledRequest(HttpServletRequest httpServletRequest) {
            super(httpServletRequest);
        }

        public long getDateHeader(String str) {
            if (str != null) {
                validateAllowedHeaderName(str);
            }
            return super.getDateHeader(str);
        }

        public int getIntHeader(String str) {
            if (str != null) {
                validateAllowedHeaderName(str);
            }
            return super.getIntHeader(str);
        }

        public String getHeader(String str) {
            if (str != null) {
                validateAllowedHeaderName(str);
            }
            String header = super.getHeader(str);
            if (header != null) {
                validateAllowedHeaderValue(header);
            }
            return header;
        }

        public Enumeration<String> getHeaders(String str) {
            if (str != null) {
                validateAllowedHeaderName(str);
            }
            final Enumeration headers = super.getHeaders(str);
            return new Enumeration<String>() { // from class: org.springframework.security.web.firewall.StrictHttpFirewall.StrictFirewalledRequest.1
                @Override // java.util.Enumeration
                public boolean hasMoreElements() {
                    return headers.hasMoreElements();
                }

                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.util.Enumeration
                public String nextElement() {
                    String str2 = (String) headers.nextElement();
                    StrictFirewalledRequest.this.validateAllowedHeaderValue(str2);
                    return str2;
                }
            };
        }

        public Enumeration<String> getHeaderNames() {
            final Enumeration headerNames = super.getHeaderNames();
            return new Enumeration<String>() { // from class: org.springframework.security.web.firewall.StrictHttpFirewall.StrictFirewalledRequest.2
                @Override // java.util.Enumeration
                public boolean hasMoreElements() {
                    return headerNames.hasMoreElements();
                }

                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.util.Enumeration
                public String nextElement() {
                    String str = (String) headerNames.nextElement();
                    StrictFirewalledRequest.this.validateAllowedHeaderName(str);
                    return str;
                }
            };
        }

        public String getParameter(String str) {
            if (str != null) {
                validateAllowedParameterName(str);
            }
            String parameter = super.getParameter(str);
            if (parameter != null) {
                validateAllowedParameterValue(parameter);
            }
            return parameter;
        }

        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> parameterMap = super.getParameterMap();
            for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
                String key = entry.getKey();
                String[] value = entry.getValue();
                validateAllowedParameterName(key);
                for (String str : value) {
                    validateAllowedParameterValue(str);
                }
            }
            return parameterMap;
        }

        public Enumeration<String> getParameterNames() {
            final Enumeration parameterNames = super.getParameterNames();
            return new Enumeration<String>() { // from class: org.springframework.security.web.firewall.StrictHttpFirewall.StrictFirewalledRequest.3
                @Override // java.util.Enumeration
                public boolean hasMoreElements() {
                    return parameterNames.hasMoreElements();
                }

                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.util.Enumeration
                public String nextElement() {
                    String str = (String) parameterNames.nextElement();
                    StrictFirewalledRequest.this.validateAllowedParameterName(str);
                    return str;
                }
            };
        }

        public String[] getParameterValues(String str) {
            if (str != null) {
                validateAllowedParameterName(str);
            }
            String[] parameterValues = super.getParameterValues(str);
            if (parameterValues != null) {
                for (String str2 : parameterValues) {
                    validateAllowedParameterValue(str2);
                }
            }
            return parameterValues;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void validateAllowedHeaderName(String str) {
            if (!StrictHttpFirewall.this.allowedHeaderNames.test(str)) {
                throw new RequestRejectedException("The request was rejected because the header name \"" + str + "\" is not allowed.");
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void validateAllowedHeaderValue(String str) {
            if (!StrictHttpFirewall.this.allowedHeaderValues.test(str)) {
                throw new RequestRejectedException("The request was rejected because the header value \"" + str + "\" is not allowed.");
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void validateAllowedParameterName(String str) {
            if (!StrictHttpFirewall.this.allowedParameterNames.test(str)) {
                throw new RequestRejectedException("The request was rejected because the parameter name \"" + str + "\" is not allowed.");
            }
        }

        private void validateAllowedParameterValue(String str) {
            if (!StrictHttpFirewall.this.allowedParameterValues.test(str)) {
                throw new RequestRejectedException("The request was rejected because the parameter value \"" + str + "\" is not allowed.");
            }
        }

        @Override // org.springframework.security.web.firewall.FirewalledRequest
        public void reset() {
        }
    }

    public StrictHttpFirewall() {
        urlBlocklistsAddAll(FORBIDDEN_SEMICOLON);
        urlBlocklistsAddAll(FORBIDDEN_FORWARDSLASH);
        urlBlocklistsAddAll(FORBIDDEN_DOUBLE_FORWARDSLASH);
        urlBlocklistsAddAll(FORBIDDEN_BACKSLASH);
        urlBlocklistsAddAll(FORBIDDEN_NULL);
        this.encodedUrlBlocklist.add(ENCODED_PERCENT);
        this.encodedUrlBlocklist.addAll(FORBIDDEN_ENCODED_PERIOD);
        this.decodedUrlBlocklist.add("%");
    }

    public void setUnsafeAllowAnyHttpMethod(boolean z) {
        this.allowedHttpMethods = z ? ALLOW_ANY_HTTP_METHOD : createDefaultAllowedHttpMethods();
    }

    public void setAllowedHttpMethods(Collection<String> collection) {
        Assert.notNull(collection, "allowedHttpMethods cannot be null");
        this.allowedHttpMethods = collection != ALLOW_ANY_HTTP_METHOD ? new HashSet<>(collection) : ALLOW_ANY_HTTP_METHOD;
    }

    public void setAllowSemicolon(boolean z) {
        if (z) {
            urlBlocklistsRemoveAll(FORBIDDEN_SEMICOLON);
        } else {
            urlBlocklistsAddAll(FORBIDDEN_SEMICOLON);
        }
    }

    public void setAllowUrlEncodedSlash(boolean z) {
        if (z) {
            urlBlocklistsRemoveAll(FORBIDDEN_FORWARDSLASH);
        } else {
            urlBlocklistsAddAll(FORBIDDEN_FORWARDSLASH);
        }
    }

    public void setAllowUrlEncodedDoubleSlash(boolean z) {
        if (z) {
            urlBlocklistsRemoveAll(FORBIDDEN_DOUBLE_FORWARDSLASH);
        } else {
            urlBlocklistsAddAll(FORBIDDEN_DOUBLE_FORWARDSLASH);
        }
    }

    public void setAllowUrlEncodedPeriod(boolean z) {
        if (z) {
            this.encodedUrlBlocklist.removeAll(FORBIDDEN_ENCODED_PERIOD);
        } else {
            this.encodedUrlBlocklist.addAll(FORBIDDEN_ENCODED_PERIOD);
        }
    }

    public void setAllowBackSlash(boolean z) {
        if (z) {
            urlBlocklistsRemoveAll(FORBIDDEN_BACKSLASH);
        } else {
            urlBlocklistsAddAll(FORBIDDEN_BACKSLASH);
        }
    }

    public void setAllowNull(boolean z) {
        if (z) {
            urlBlocklistsRemoveAll(FORBIDDEN_NULL);
        } else {
            urlBlocklistsAddAll(FORBIDDEN_NULL);
        }
    }

    public void setAllowUrlEncodedPercent(boolean z) {
        if (z) {
            this.encodedUrlBlocklist.remove(ENCODED_PERCENT);
            this.decodedUrlBlocklist.remove("%");
        } else {
            this.encodedUrlBlocklist.add(ENCODED_PERCENT);
            this.decodedUrlBlocklist.add("%");
        }
    }

    public void setAllowedHeaderNames(Predicate<String> predicate) {
        Assert.notNull(predicate, "allowedHeaderNames cannot be null");
        this.allowedHeaderNames = predicate;
    }

    public void setAllowedHeaderValues(Predicate<String> predicate) {
        Assert.notNull(predicate, "allowedHeaderValues cannot be null");
        this.allowedHeaderValues = predicate;
    }

    public void setAllowedParameterNames(Predicate<String> predicate) {
        Assert.notNull(predicate, "allowedParameterNames cannot be null");
        this.allowedParameterNames = predicate;
    }

    public void setAllowedParameterValues(Predicate<String> predicate) {
        Assert.notNull(predicate, "allowedParameterValues cannot be null");
        this.allowedParameterValues = predicate;
    }

    public void setAllowedHostnames(Predicate<String> predicate) {
        Assert.notNull(predicate, "allowedHostnames cannot be null");
        this.allowedHostnames = predicate;
    }

    private void urlBlocklistsAddAll(Collection<String> collection) {
        this.encodedUrlBlocklist.addAll(collection);
        this.decodedUrlBlocklist.addAll(collection);
    }

    private void urlBlocklistsRemoveAll(Collection<String> collection) {
        this.encodedUrlBlocklist.removeAll(collection);
        this.decodedUrlBlocklist.removeAll(collection);
    }

    @Override // org.springframework.security.web.firewall.HttpFirewall
    public FirewalledRequest getFirewalledRequest(HttpServletRequest httpServletRequest) throws RequestRejectedException {
        rejectForbiddenHttpMethod(httpServletRequest);
        rejectedBlocklistedUrls(httpServletRequest);
        rejectedUntrustedHosts(httpServletRequest);
        if (!isNormalized(httpServletRequest)) {
            throw new RequestRejectedException("The request was rejected because the URL was not normalized.");
        }
        if (containsOnlyPrintableAsciiCharacters(httpServletRequest.getRequestURI())) {
            return new StrictFirewalledRequest(httpServletRequest);
        }
        throw new RequestRejectedException("The requestURI was rejected because it can only contain printable ASCII characters.");
    }

    private void rejectForbiddenHttpMethod(HttpServletRequest httpServletRequest) {
        if (this.allowedHttpMethods != ALLOW_ANY_HTTP_METHOD && !this.allowedHttpMethods.contains(httpServletRequest.getMethod())) {
            throw new RequestRejectedException("The request was rejected because the HTTP method \"" + httpServletRequest.getMethod() + "\" was not included within the list of allowed HTTP methods " + this.allowedHttpMethods);
        }
    }

    private void rejectedBlocklistedUrls(HttpServletRequest httpServletRequest) {
        for (String str : this.encodedUrlBlocklist) {
            if (encodedUrlContains(httpServletRequest, str)) {
                throw new RequestRejectedException("The request was rejected because the URL contained a potentially malicious String \"" + str + "\"");
            }
        }
        for (String str2 : this.decodedUrlBlocklist) {
            if (decodedUrlContains(httpServletRequest, str2)) {
                throw new RequestRejectedException("The request was rejected because the URL contained a potentially malicious String \"" + str2 + "\"");
            }
        }
    }

    private void rejectedUntrustedHosts(HttpServletRequest httpServletRequest) {
        String serverName = httpServletRequest.getServerName();
        if (serverName != null && !this.allowedHostnames.test(serverName)) {
            throw new RequestRejectedException("The request was rejected because the domain " + serverName + " is untrusted.");
        }
    }

    @Override // org.springframework.security.web.firewall.HttpFirewall
    public HttpServletResponse getFirewalledResponse(HttpServletResponse httpServletResponse) {
        return new FirewalledResponse(httpServletResponse);
    }

    private static Set<String> createDefaultAllowedHttpMethods() {
        HashSet hashSet = new HashSet();
        hashSet.add(HttpMethod.DELETE.name());
        hashSet.add(HttpMethod.GET.name());
        hashSet.add(HttpMethod.HEAD.name());
        hashSet.add(HttpMethod.OPTIONS.name());
        hashSet.add(HttpMethod.PATCH.name());
        hashSet.add(HttpMethod.POST.name());
        hashSet.add(HttpMethod.PUT.name());
        return hashSet;
    }

    private static boolean isNormalized(HttpServletRequest httpServletRequest) {
        return isNormalized(httpServletRequest.getRequestURI()) && isNormalized(httpServletRequest.getContextPath()) && isNormalized(httpServletRequest.getServletPath()) && isNormalized(httpServletRequest.getPathInfo());
    }

    private static boolean encodedUrlContains(HttpServletRequest httpServletRequest, String str) {
        if (valueContains(httpServletRequest.getContextPath(), str)) {
            return true;
        }
        return valueContains(httpServletRequest.getRequestURI(), str);
    }

    private static boolean decodedUrlContains(HttpServletRequest httpServletRequest, String str) {
        return valueContains(httpServletRequest.getServletPath(), str) || valueContains(httpServletRequest.getPathInfo(), str);
    }

    private static boolean containsOnlyPrintableAsciiCharacters(String str) {
        int length = str.length();
        for (int i = 0; i < length; i++) {
            char charAt = str.charAt(i);
            if (charAt < ' ' || charAt > '~') {
                return false;
            }
        }
        return true;
    }

    private static boolean valueContains(String str, String str2) {
        return str != null && str.contains(str2);
    }

    private static boolean isNormalized(String str) {
        if (str == null) {
            return true;
        }
        int length = str.length();
        while (true) {
            int i = length;
            if (i <= 0) {
                return true;
            }
            int lastIndexOf = str.lastIndexOf(47, i - 1);
            int i2 = i - lastIndexOf;
            if (i2 == 2 && str.charAt(lastIndexOf + 1) == '.') {
                return false;
            }
            if (i2 == 3 && str.charAt(lastIndexOf + 1) == '.' && str.charAt(lastIndexOf + 2) == '.') {
                return false;
            }
            length = lastIndexOf;
        }
    }

    public Set<String> getEncodedUrlBlocklist() {
        return this.encodedUrlBlocklist;
    }

    public Set<String> getDecodedUrlBlocklist() {
        return this.decodedUrlBlocklist;
    }

    @Deprecated
    public Set<String> getEncodedUrlBlacklist() {
        return getEncodedUrlBlocklist();
    }

    public Set<String> getDecodedUrlBlacklist() {
        return getDecodedUrlBlocklist();
    }
}
