package org.owasp.esapi.reference;

import com.j256.ormlite.stmt.query.SimpleComparison;
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.ProgressListener;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.HTTPUtilities;
import org.owasp.esapi.Logger;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.AuthenticationException;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.errors.EncryptionException;
import org.owasp.esapi.errors.IntegrityException;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.errors.ValidationUploadException;
import org.owasp.esapi.filters.SafeRequest;
import org.owasp.esapi.filters.SafeResponse;

/* loaded from: classes.dex */
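/**
 * Reference {@link HTTPUtilities} implementation: CSRF tokens, session-id rotation,
 * encrypted hidden fields / query strings / state cookies, validated multipart uploads,
 * cookie removal and request logging, plus the per-thread "current" request/response.
 *
 * <p>This listing was recovered from a decompiled dex build. Decompiler artifacts
 * (synthetic {@code this$0} fields, the unresolvable {@code r9.length} reference, and
 * string/int literals that the decompiler displayed as unrelated library constants)
 * have been replaced by the literals they stood for.</p>
 *
 * <p>Thread-safety: the current request/response live in {@link InheritableThreadLocal}s
 * and are therefore per thread (and inherited by child threads); everything else is
 * stateless apart from the immutable logger and the {@code maxBytes} limit.</p>
 */
public class DefaultHTTPUtilities implements HTTPUtilities {

    /** Name of the cookie written by {@link #encryptStateInCookie} and read by {@link #decryptStateFromCookie}. */
    private static final String STATE_COOKIE_NAME = "state";

    /** Session attribute that receives the upload progress, as a decimal percentage string. */
    private static final String PROGRESS_ATTRIBUTE = "progress";

    /** Written to the log in place of a sensitive parameter or cookie value. */
    private static final String MASK = "********";

    private final Logger logger = ESAPI.getLogger("HTTPUtilities");

    /** Upper bound, in bytes, for a multipart request; read once from the security configuration. */
    int maxBytes = ESAPI.securityConfiguration().getAllowedFileUploadSize();

    // InheritableThreadLocal's default initialValue() is already null, which is what the
    // original subclasses returned; the typed locals remove the unchecked casts.
    private final InheritableThreadLocal<SafeRequest> currentRequest = new InheritableThreadLocal<SafeRequest>();
    private final InheritableThreadLocal<SafeResponse> currentResponse = new InheritableThreadLocal<SafeResponse>();

    /**
     * Parses a {@code key=value&key=value} string into a sorted map, URL-decoding each
     * key and value with the ESAPI encoder.
     *
     * @param query the decrypted query string; {@code null} and {@code ""} yield an empty map
     * @return a new, sorted, mutable map of decoded pairs; pairs that fail decoding are
     *         skipped (and logged), a pair without {@code '='} maps to {@code ""}
     */
    private Map<String, String> queryToMap(String query) {
        Map<String, String> result = new TreeMap<String, String>();
        if (query == null) {
            return result;
        }
        for (String pair : query.split("&")) {
            if (pair.length() == 0) {
                continue; // tolerates "", "a=1&&b=2" and a trailing '&' (the original indexed past the array here)
            }
            // Limit of 2 keeps any '=' inside the value instead of truncating it.
            String[] kv = pair.split("=", 2);
            String rawValue = kv.length > 1 ? kv[1] : "";
            try {
                result.put(ESAPI.encoder().decodeFromURL(kv[0]), ESAPI.encoder().decodeFromURL(rawValue));
            } catch (EncodingException e) {
                // The original dropped the pair silently; keep the skip but leave a trace.
                logger.warning(Logger.SECURITY, false, "Skipping query pair that failed URL decoding", e);
            }
        }
        return result;
    }

    /**
     * Appends the current user's CSRF token to {@code href}.
     *
     * <p>The token is appended as a bare parameter <em>name</em> (no {@code name=} prefix);
     * {@link #verifyCSRFToken} looks the parameter up by that name.</p>
     *
     * @param href the URL to protect
     * @return {@code href} unchanged for an anonymous (or missing) user, otherwise
     *         {@code href} followed by {@code ?} or {@code &} and the token
     */
    @Override
    public String addCSRFToken(String href) {
        User user = ESAPI.authenticator().getCurrentUser();
        if (user == null || user.isAnonymous()) {
            return href; // null check mirrors getCSRFToken(); the original would have thrown
        }
        boolean hasQuery = href.indexOf('?') != -1 || href.indexOf('&') != -1;
        return href + (hasQuery ? '&' : '?') + user.getCSRFToken();
    }

    /**
     * Requires the request to have arrived over TLS (see {@link #isSecureChannel}) and to
     * use the POST method.
     *
     * @throws AccessControlException if either condition fails
     */
    @Override
    public void assertSecureRequest(HttpServletRequest request) throws AccessControlException {
        if (!isSecureChannel(request)) {
            throw new AccessControlException("Insecure request received", "Received non-SSL request");
        }
        String method = request.getMethod();
        if (!"POST".equals(method)) {
            throw new AccessControlException("Insecure request received",
                    "Received request using " + method + " when only POST is allowed");
        }
    }

    /**
     * Invalidates the current session and creates a new one carrying the same attributes,
     * so that the session identifier changes (e.g. after authentication). The current user
     * is re-associated with the new session.
     *
     * @return the newly created session
     */
    @Override
    public HttpSession changeSessionIdentifier(HttpServletRequest request) throws AuthenticationException {
        HttpSession oldSession = request.getSession();
        Map<String, Object> attributes = new HashMap<String, Object>();
        Enumeration<?> names = oldSession.getAttributeNames();
        while (names != null && names.hasMoreElements()) {
            String name = (String) names.nextElement();
            attributes.put(name, oldSession.getAttribute(name));
        }
        oldSession.invalidate();
        HttpSession newSession = request.getSession(); // getSession() after invalidate() creates a fresh one
        User user = ESAPI.authenticator().getCurrentUser();
        user.addSession(newSession);
        user.removeSession(oldSession);
        for (Map.Entry<String, Object> entry : attributes.entrySet()) {
            newSession.setAttribute(entry.getKey(), entry.getValue());
        }
        return newSession;
    }

    /**
     * Decrypts a value produced by {@link #encryptHiddenField}.
     *
     * @throws IntrusionException if decryption fails, which is treated as client-side tampering
     */
    @Override
    public String decryptHiddenField(String encrypted) {
        try {
            return ESAPI.encryptor().decrypt(encrypted);
        } catch (EncryptionException e) {
            throw new IntrusionException("Invalid request",
                    "Tampering detected. Hidden field data did not decrypt properly.", e);
        }
    }

    /**
     * Decrypts a value produced by {@link #encryptQueryString} and parses it into a map.
     *
     * @return decoded name/value pairs (see {@link #queryToMap})
     */
    @Override
    public Map decryptQueryString(String encrypted) throws EncryptionException {
        return queryToMap(ESAPI.encryptor().decrypt(encrypted));
    }

    /**
     * Reads and decrypts the state cookie written by {@link #encryptStateInCookie}.
     *
     * @return the decoded state, or an empty map when the request carries no state cookie
     *         (the original dereferenced {@code null} in that case)
     */
    @Override
    public Map decryptStateFromCookie(HttpServletRequest request) throws EncryptionException {
        // getCookie() returns the first match; the original loop kept the last one.
        Cookie state = getCookie(request, STATE_COOKIE_NAME);
        if (state == null) {
            return new TreeMap<String, String>();
        }
        return queryToMap(ESAPI.encryptor().decrypt(state.getValue()));
    }

    /** Encrypts {@code value} for use in a hidden form field. */
    @Override
    public String encryptHiddenField(String value) throws EncryptionException {
        return ESAPI.encryptor().encrypt(value);
    }

    /** Encrypts a whole query string (without the leading {@code ?}). */
    @Override
    public String encryptQueryString(String query) throws EncryptionException {
        return ESAPI.encryptor().encrypt(query);
    }

    /**
     * Serialises {@code state} as a URL-encoded query string, encrypts it and adds it as the
     * state cookie. Entries whose key or value cannot be URL-encoded are logged and skipped.
     *
     * @param state arbitrary key/value pairs; keys and values are rendered with {@code String.valueOf}
     */
    @Override
    public void encryptStateInCookie(HttpServletResponse response, Map state) throws EncryptionException {
        StringBuilder query = new StringBuilder();
        for (Object o : state.entrySet()) {
            Map.Entry<?, ?> entry = (Map.Entry<?, ?>) o;
            try {
                String key = ESAPI.encoder().encodeForURL(String.valueOf(entry.getKey()));
                String value = ESAPI.encoder().encodeForURL(String.valueOf(entry.getValue()));
                // Separator goes in only once the pair has encoded, so a skipped entry
                // cannot leave "&&" or a trailing '&' behind as the original could.
                if (query.length() > 0) {
                    query.append('&');
                }
                query.append(key).append('=').append(value);
            } catch (EncodingException e) {
                logger.error(Logger.SECURITY, false, "Problem encrypting state in cookie - skipping entry", e);
            }
        }
        // NOTE(review): as in the original the cookie carries no Secure flag; confidentiality
        // rests on the encryption alone. Confirm whether setSecure(true) is wanted here.
        response.addCookie(new Cookie(STATE_COOKIE_NAME, ESAPI.encryptor().encrypt(query.toString())));
    }

    /** @return the current user's CSRF token, or {@code null} when there is no current user */
    @Override
    public String getCSRFToken() {
        User user = ESAPI.authenticator().getCurrentUser();
        return user == null ? null : user.getCSRFToken();
    }

    /** @return the first request cookie called {@code name}, or {@code null} if there is none */
    @Override
    public Cookie getCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (cookie.getName().equals(name)) {
                return cookie;
            }
        }
        return null;
    }

    /**
     * @return the request registered for this thread via {@link #setCurrentHTTP}
     * @throws NullPointerException if none has been registered
     */
    @Override
    public SafeRequest getCurrentRequest() {
        SafeRequest request = currentRequest.get();
        if (request == null) {
            throw new NullPointerException("Cannot use current request until it is set with HTTPUtilities.setCurrentHTTP()");
        }
        return request;
    }

    /**
     * @return the response registered for this thread via {@link #setCurrentHTTP}
     * @throws NullPointerException if none has been registered
     */
    @Override
    public SafeResponse getCurrentResponse() {
        SafeResponse response = currentResponse.get();
        if (response == null) {
            throw new NullPointerException("Cannot use current response until it is set with HTTPUtilities.setCurrentHTTP()");
        }
        return response;
    }

    /**
     * Extracts the files of a multipart request into {@code finalDir}, spooling them through
     * {@code tempDir}. Every file name is reduced to its last path segment and must pass the
     * validator's file-name check (which enforces the configured extension list) before
     * anything is written. Upload progress is published to the session, if one exists.
     *
     * @param request  the multipart request
     * @param tempDir  scratch directory for the upload library; created if missing
     * @param finalDir destination directory; created if missing
     * @return the files written, in request order
     * @throws ValidationException (as {@link ValidationUploadException}) for a non-multipart
     *         request, an unacceptable file name, an uncreatable directory, or any failure
     *         of the upload library
     */
    @Override
    public List getSafeFileUploads(HttpServletRequest request, File tempDir, File finalDir) throws ValidationException {
        ensureDirectory(tempDir, "Could not create temp directory: ");
        ensureDirectory(finalDir, "Could not create final upload directory: ");
        List<File> uploaded = new ArrayList<File>();
        try {
            final HttpSession session = request.getSession(false);
            if (!ServletFileUpload.isMultipartContent(request)) {
                throw new ValidationUploadException("Upload failed", "Not a multipart request");
            }
            // Threshold 0: every item is spooled to tempDir rather than buffered in memory.
            ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory(0, tempDir));
            upload.setSizeMax(maxBytes);
            upload.setProgressListener(newProgressListener(session));
            List<?> items = upload.parseRequest(request);
            for (Object o : items) {
                FileItem item = (FileItem) o;
                if (item.isFormField() || item.getName() == null || item.getName().length() == 0) {
                    continue;
                }
                // Browsers may send a full client-side path; only the last segment is used.
                String[] segments = item.getName().split("[\\/\\\\]");
                String name = segments[segments.length - 1];
                if (!ESAPI.validator().isValidFileName("upload", name, false)) {
                    throw new ValidationUploadException(
                            "Upload only simple filenames with the following extensions "
                                    + ESAPI.securityConfiguration().getAllowedFileExtensions(),
                            "Upload failed isValidFileName check");
                }
                logger.info(Logger.SECURITY, true, "File upload requested: " + name);
                File target = new File(finalDir, name);
                if (target.exists()) {
                    target = uniqueFile(finalDir, name);
                }
                item.write(target);
                uploaded.add(target);
                item.delete();
                // A successful upload is an informational event; the original logged it at FATAL.
                logger.info(Logger.SECURITY, true, "File successfully uploaded: " + target);
                if (session != null) {
                    session.setAttribute(PROGRESS_ATTRIBUTE, Long.toString(0L));
                }
            }
            return uploaded;
        } catch (ValidationUploadException e) {
            throw e;
        } catch (Exception e) {
            throw new ValidationUploadException("Upload failure", "Problem during upload:" + e.getMessage(), e);
        }
    }

    /** Creates {@code dir} (and its parents) when missing; fails the upload if that is impossible. */
    private static void ensureDirectory(File dir, String failurePrefix) throws ValidationUploadException {
        if (!dir.exists() && !dir.mkdirs()) {
            throw new ValidationUploadException("Upload failed", failurePrefix + dir.getAbsolutePath());
        }
    }

    /**
     * Chooses a fresh name in {@code dir} for an upload whose name is already taken, keeping
     * the (already validated) extension so the extension policy still holds for the file
     * actually written. The original split on the regex {@code \/.} which never matched a
     * plain file name, so the extension was always lost.
     */
    private static File uniqueFile(File dir, String name) throws IOException {
        int dot = name.lastIndexOf('.');
        String base = dot > 0 ? name.substring(0, dot) : name;
        String suffix = dot > 0 ? name.substring(dot) : "";
        if (base.length() < 3) {
            base = base + "___".substring(base.length()); // createTempFile needs a prefix of at least 3 chars
        }
        return File.createTempFile(base, suffix, dir);
    }

    /**
     * Builds a listener that publishes upload progress, as a whole percentage, into
     * {@code session} (if non-null), at most once per million bytes read.
     */
    private static ProgressListener newProgressListener(final HttpSession session) {
        return new ProgressListener() {
            private long lastMegabyte = -1;

            @Override
            public void update(long bytesRead, long contentLength, int items) {
                if (items == 0) {
                    return;
                }
                long megabyte = bytesRead / 1000000;
                if (megabyte == lastMegabyte) {
                    return; // throttle session writes to one per MB
                }
                lastMegabyte = megabyte;
                if (session == null) {
                    return;
                }
                // Multiply before dividing: the original's (bytesRead / contentLength) was an
                // integer division that stayed at 0 until the very last callback. contentLength
                // is negative when unknown, so report 0 rather than a negative percentage.
                long percent = contentLength > 0 ? bytesRead * 100L / contentLength : 0L;
                session.setAttribute(PROGRESS_ATTRIBUTE, Long.toString(percent));
            }
        };
    }

    /**
     * Tells whether the request URL uses the {@code https} scheme.
     *
     * <p>The scheme is compared case-insensitively (RFC 3986). The original read
     * {@code charAt(4)} unguarded and threw on URLs shorter than five characters.
     * NOTE(review): behind a TLS-terminating proxy the container-built URL may say
     * {@code http} even though the client connection was encrypted; confirm the deployment.</p>
     */
    public boolean isSecureChannel(HttpServletRequest request) {
        StringBuffer url = request.getRequestURL();
        if (url == null) {
            return false;
        }
        return url.toString().regionMatches(true, 0, "https://", 0, 8);
    }

    /** Expires every cookie present on the request (see {@link #killCookie}). */
    @Override
    public void killAllCookies(HttpServletRequest request, HttpServletResponse response) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return;
        }
        for (Cookie cookie : cookies) {
            killCookie(request, response, cookie.getName());
        }
    }

    /**
     * Adds a max-age-0 cookie called {@code name} so the browser discards its copy. Path and
     * domain are copied from the request cookie when present, otherwise the original
     * defaults ({@code "//"} and {@code ""}) are used.
     *
     * <p>NOTE(review): browsers typically send only {@code name=value} in the Cookie header,
     * so {@code getPath()}/{@code getDomain()} on a request cookie are usually {@code null};
     * a cookie that was set with an explicit path may need the caller to expire it with that
     * same path for the browser to match it.</p>
     */
    @Override
    public void killCookie(HttpServletRequest request, HttpServletResponse response, String name) {
        String path = "//";
        String domain = "";
        Cookie existing = getCookie(request, name);
        if (existing != null) {
            path = existing.getPath();
            domain = existing.getDomain();
        }
        Cookie expired = new Cookie(name, "deleted");
        expired.setMaxAge(0);
        if (domain != null) {
            expired.setDomain(domain);
        }
        if (path != null) {
            expired.setPath(path);
        }
        response.addCookie(expired);
    }

    /** Logs the request with no parameter masking; see the three-argument overload. */
    @Override
    public void logHTTPRequest(HttpServletRequest request, Logger logger) {
        logHTTPRequest(request, logger, null);
    }

    /**
     * Logs one line of the form {@code METHOD url?a=1&b=2+cookie=value...} at INFO/SECURITY.
     *
     * @param parameterNamesToObfuscate parameter names whose values are replaced by
     *        {@code ********}; may be {@code null}. The {@code JSESSIONID} cookie is omitted and
     *        the remember-me token cookie is masked, since both are bearer credentials.
     *        Other values are logged as received; neutralising line breaks is left to the
     *        {@link Logger} implementation.
     */
    @Override
    public void logHTTPRequest(HttpServletRequest request, Logger logger, List parameterNamesToObfuscate) {
        StringBuilder details = new StringBuilder();
        Map<?, ?> parameterMap = request.getParameterMap();
        for (Object o : parameterMap.entrySet()) {
            Map.Entry<?, ?> entry = (Map.Entry<?, ?>) o;
            String name = (String) entry.getKey();
            boolean mask = parameterNamesToObfuscate != null && parameterNamesToObfuscate.contains(name);
            for (String value : (String[]) entry.getValue()) {
                if (details.length() > 0) {
                    details.append('&');
                }
                details.append(name).append('=').append(mask ? MASK : value);
            }
        }
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                String cookieName = cookie.getName();
                if ("JSESSIONID".equals(cookieName)) {
                    continue;
                }
                String value = HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME.equals(cookieName) ? MASK : cookie.getValue();
                details.append('+').append(cookieName).append('=').append(value);
            }
        }
        String url = String.valueOf(request.getRequestURL()); // "null" when the URL is absent, as before
        String tail = details.length() > 0 ? "?" + details : "";
        logger.info(Logger.SECURITY, true, request.getMethod() + " " + url + tail);
    }

    /**
     * Forwards to a resource under {@code WEB-INF} only.
     *
     * @param context  unused; kept for interface compatibility
     * @param location target path, which must start with {@code WEB-INF} and must not
     *                 contain {@code ..} (the original checked the prefix alone, which a
     *                 {@code WEB-INF/../...} path would satisfy)
     * @throws AccessControlException for any other location
     */
    @Override
    public void safeSendForward(HttpServletRequest request, HttpServletResponse response, String context, String location)
            throws AccessControlException, ServletException, IOException {
        if (location == null || !location.startsWith("WEB-INF") || location.indexOf("..") != -1) {
            throw new AccessControlException("Forward failed", "Bad forward location: " + location);
        }
        request.getRequestDispatcher(location).forward(request, response);
    }

    /**
     * Registers the request/response pair for the current thread, wrapping them in
     * {@link SafeRequest}/{@link SafeResponse} unless they already are. Either may be
     * {@code null}, which clears the corresponding slot.
     */
    @Override
    public void setCurrentHTTP(HttpServletRequest request, HttpServletResponse response) {
        SafeRequest safeRequest = null;
        if (request instanceof SafeRequest) {
            safeRequest = (SafeRequest) request;
        } else if (request != null) {
            safeRequest = new SafeRequest(request);
        }
        SafeResponse safeResponse = null;
        if (response instanceof SafeResponse) {
            safeResponse = (SafeResponse) response;
        } else if (response != null) {
            // The original tested the *request* for null here and could wrap a null response.
            safeResponse = new SafeResponse(response);
        }
        currentRequest.set(safeRequest);
        currentResponse.set(safeResponse);
    }

    /** Sets the usual trio of headers that forbid caching by browsers and proxies. */
    @Override
    public void setNoCacheHeaders(HttpServletResponse response) {
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", -1L);
    }

    /**
     * Replaces any existing remember-me cookie with a sealed token of the form
     * {@code random:accountName:password} whose seal expires after {@code maxAge} seconds.
     *
     * <p>NOTE(review): the third sealed component is the caller-supplied secret, which in
     * this ESAPI line is the user's password — the seal must be treated as a credential and
     * never logged or persisted in clear. Confirm against the interface documentation.</p>
     *
     * @param maxAge cookie lifetime in seconds
     * @param domain cookie domain; skipped when {@code null} ({@code Cookie.setDomain(null)} throws)
     * @param path   cookie path; skipped when {@code null}
     * @return the sealed token, or {@code null} if sealing failed
     */
    @Override
    public String setRememberToken(HttpServletRequest request, HttpServletResponse response, String password,
            int maxAge, String domain, String path) {
        User user = ESAPI.authenticator().getCurrentUser();
        try {
            killCookie(request, response, HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME);
            String random = ESAPI.randomizer().getRandomString(8, DefaultEncoder.CHAR_ALPHANUMERICS);
            String clearToken = random + ":" + user.getAccountName() + ":" + password;
            // Seconds to milliseconds in long arithmetic: the original's int product overflowed
            // for lifetimes of roughly 25 days and more. (The decompiler displayed the factor
            // 1000 as the equal-valued Logger.FATAL.)
            long expiry = ESAPI.encryptor().getRelativeTimeStamp(maxAge * 1000L);
            String seal = ESAPI.encryptor().seal(clearToken, expiry);
            Cookie cookie = new Cookie(HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME, seal);
            cookie.setMaxAge(maxAge);
            if (domain != null) {
                cookie.setDomain(domain);
            }
            if (path != null) {
                cookie.setPath(path);
            }
            response.addCookie(cookie);
            logger.info(Logger.SECURITY, true, "Enabled remember me token for " + user.getAccountName());
            return seal;
        } catch (IntegrityException e) {
            logger.warning(Logger.SECURITY, false,
                    "Attempt to set remember me token failed for " + user.getAccountName(), e);
            return null;
        }
    }

    /** Sets the response content type configured in {@link DefaultSecurityConfiguration}. */
    @Override
    public void setSafeContentType(HttpServletResponse response) {
        response.setContentType(((DefaultSecurityConfiguration) ESAPI.securityConfiguration()).getResponseContentType());
    }

    /**
     * Checks that the request carries the current user's CSRF token, either as a request
     * attribute or as a parameter <em>named</em> by the token (the form produced by
     * {@link #addCSRFToken}).
     *
     * @throws IntrusionException if the token is absent
     */
    @Override
    public void verifyCSRFToken(HttpServletRequest request) throws IntrusionException {
        String token = ESAPI.authenticator().getCurrentUser().getCSRFToken();
        if (request.getAttribute(token) == null && request.getParameter(token) == null) {
            throw new IntrusionException("Authentication failed",
                    "Possibly forged HTTP request without proper CSRF token detected");
        }
    }
}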
