package com.h3xstream.findsecbugs.password;

import com.mebigfatguy.fbcontrib.utils.Values;
import edu.umd.cs.findbugs.BugInstance;
import edu.umd.cs.findbugs.BugReporter;
import edu.umd.cs.findbugs.OpcodeStack;
import edu.umd.cs.findbugs.ba.XField;
import edu.umd.cs.findbugs.bcel.OpcodeStackDetector;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.Charset;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import org.apache.bcel.classfile.JavaClass;
import org.apache.bcel.classfile.Method;
import org.eclipse.osgi.internal.loader.BundleLoader;

@OpcodeStack.CustomUserValue
/* loaded from: input_file:findsecbugs-plugin.jar:com/h3xstream/findsecbugs/password/ConstantPasswordDetector.class */
public class ConstantPasswordDetector extends OpcodeStackDetector {
    private static final String HARD_CODE_PASSWORD_TYPE = "HARD_CODE_PASSWORD";
    private static final String HARD_CODE_KEY_TYPE = "HARD_CODE_KEY";
    private final BugReporter bugReporter;
    private static final String CONFIG_DIR = "password-methods";
    private static final String METHODS_FILENAME = "password-methods-all.txt";
    private static final String GET_BYTES_STRING = "java/lang/String.getBytes(Ljava/lang/String;)[B";
    private static final String GET_BYTES = "java/lang/String.getBytes()[B";
    private static final String TO_CHAR_ARRAY = "java/lang/String.toCharArray()[C";
    private static final String BIGINTEGER_CONSTRUCTOR_STRING = "java/math/BigInteger.<init>(Ljava/lang/String;)V";
    private static final String BIGINTEGER_CONSTRUCTOR_STRING_RADIX = "java/math/BigInteger.<init>(Ljava/lang/String;I)V";
    private static final String BIGINTEGER_CONSTRUCTOR_BYTE = "java/math/BigInteger.<init>([B)V";
    private static final String BIGINTEGER_BYTE_SIGNUM = "java/math/BigInteger.<init>(I[B)V";
    private static final String PASSWORD_NAMES = ".*(pass|pwd|psw|secret|key|cipher|crypt|des|aes|mac|private|sign|cert).*";
    private static final Pattern PASSWORD_PATTERN;
    private static final Set<String> hardCodedFields;
    private static final Set<String> reportedFields;
    static final /* synthetic */ boolean $assertionsDisabled;
    private boolean staticInitializerSeen = false;
    private final Map<String, Collection<Integer>> sinkMethods = new HashMap();
    private boolean isFirstArrayStore = false;
    private boolean wasToConstArrayConversion = false;
    private String calledMethod = null;

    public ConstantPasswordDetector(BugReporter bugReporter) {
        this.bugReporter = bugReporter;
        try {
            loadMap(METHODS_FILENAME, this.sinkMethods, "#");
        } catch (IOException e) {
            throw new RuntimeException("cannot load resources", e);
        }
    }

    @Override // edu.umd.cs.findbugs.visitclass.BetterVisitor
    public void visit(JavaClass javaClass) {
        this.staticInitializerSeen = false;
        Method[] methods = javaClass.getMethods();
        int length = methods.length;
        int i = 0;
        while (true) {
            if (i >= length) {
                break;
            }
            Method method = methods[i];
            if (method.getName().equals("<clinit>")) {
                doVisitMethod(method);
                this.staticInitializerSeen = true;
                break;
            }
            i++;
        }
        this.isFirstArrayStore = false;
        this.wasToConstArrayConversion = false;
    }

    @Override // edu.umd.cs.findbugs.visitclass.PreorderVisitor
    public void visitAfter(JavaClass javaClass) {
        ArrayList arrayList = new ArrayList();
        for (String str : hardCodedFields) {
            if (isSuspiciousName(str, javaClass) && !reportedFields.contains(str)) {
                arrayList.add(str);
            }
        }
        reportBugSource(arrayList, 2);
        hardCodedFields.clear();
        reportedFields.clear();
        super.visitAfter(javaClass);
    }

    private static boolean isSuspiciousName(String str, JavaClass javaClass) {
        int length = javaClass.getClassName().length();
        if (length <= str.length()) {
            return PASSWORD_PATTERN.matcher(str.substring(length)).matches();
        }
        return PASSWORD_PATTERN.matcher(str.substring(Math.max(str.lastIndexOf(46), 0))).matches();
    }

    @Override // edu.umd.cs.findbugs.visitclass.BetterVisitor
    public void visit(Method method) {
        this.isFirstArrayStore = false;
        this.wasToConstArrayConversion = false;
    }

    @Override // edu.umd.cs.findbugs.bcel.OpcodeStackDetector, edu.umd.cs.findbugs.visitclass.DismantleBytecode
    public void sawOpcode(int i) {
        if (isAlreadyAnalyzed()) {
            return;
        }
        markHardCodedItemsFromFlow();
        if (i == 188) {
            this.isFirstArrayStore = true;
        }
        if (isStoringToArray(i)) {
            markArraysHardCodedOrNot();
            this.isFirstArrayStore = false;
        }
        if (this.wasToConstArrayConversion) {
            markTopItemHardCoded();
            this.wasToConstArrayConversion = false;
        }
        if (i == 181 || i == 179) {
            saveArrayFieldIfHardCoded();
        }
        if (isInvokeInstruction(i)) {
            this.calledMethod = getCalledMethodName();
            this.wasToConstArrayConversion = isToConstArrayConversion();
            markBigIntegerHardCodedOrNot();
            reportBadSink();
        }
    }

    private boolean isAlreadyAnalyzed() {
        return getMethodName().equals("<clinit>") && this.staticInitializerSeen;
    }

    private void markHardCodedItemsFromFlow() {
        for (int i = 0; i < this.stack.getStackDepth(); i++) {
            OpcodeStack.Item stackItem = this.stack.getStackItem(i);
            if ((stackItem.getConstant() != null || stackItem.isNull()) && !stackItem.getSignature().startsWith("[")) {
                setHardCodedItem(stackItem);
            }
            if (hasHardCodedFieldSource(stackItem)) {
                setHardCodedItem(stackItem);
            }
        }
    }

    private boolean hasHardCodedFieldSource(OpcodeStack.Item item) {
        String[] split;
        int length;
        XField xField = item.getXField();
        if (xField == null || (length = (split = xField.toString().split(" ")).length) < 2) {
            return false;
        }
        String str = split[length - 1];
        if (isSupportedSignature(str)) {
            return hardCodedFields.contains(split[length - 2] + str);
        }
        return false;
    }

    private static boolean isStoringToArray(int i) {
        return i == 85 || i == 84 || i == 86 || i == 79;
    }

    private void markArraysHardCodedOrNot() {
        if (!hasHardCodedStackItem(0) || !hasHardCodedStackItem(1)) {
            this.stack.getStackItem(2).setUserValue(null);
        } else if (this.isFirstArrayStore) {
            setHardCodedItem(2);
        }
    }

    private void markTopItemHardCoded() {
        if (!$assertionsDisabled && this.stack.getStackDepth() <= 0) {
            throw new AssertionError();
        }
        setHardCodedItem(0);
    }

    private void saveArrayFieldIfHardCoded() {
        if (isSupportedSignature(getSigConstantOperand()) && hasHardCodedStackItem(0) && !this.stack.getStackItem(0).isNull()) {
            hardCodedFields.add(getFullFieldName());
        }
    }

    private static boolean isInvokeInstruction(int i) {
        return i >= 182 && i <= 185;
    }

    private boolean isToConstArrayConversion() {
        return isInMethodWithConst(TO_CHAR_ARRAY, 0) || isInMethodWithConst(GET_BYTES, 0) || isInMethodWithConst(GET_BYTES_STRING, 1);
    }

    private void markBigIntegerHardCodedOrNot() {
        if (isInMethodWithConst(BIGINTEGER_CONSTRUCTOR_STRING, 0) || isInMethodWithConst(BIGINTEGER_CONSTRUCTOR_BYTE, 0)) {
            setHardCodedItem(1);
        } else if (isInMethodWithConst(BIGINTEGER_CONSTRUCTOR_STRING_RADIX, 1) || isInMethodWithConst(BIGINTEGER_BYTE_SIGNUM, 0)) {
            setHardCodedItem(2);
        }
    }

    private void reportBadSink() {
        if (this.sinkMethods.containsKey(this.calledMethod)) {
            Collection<Integer> collection = this.sinkMethods.get(this.calledMethod);
            ArrayList arrayList = new ArrayList();
            for (Integer num : collection) {
                if (hasHardCodedStackItem(num.intValue()) && !this.stack.getStackItem(num.intValue()).isNull()) {
                    arrayList.add(num);
                    String stackFieldName = getStackFieldName(num.intValue());
                    if (stackFieldName != null) {
                        reportedFields.add(stackFieldName);
                    }
                }
            }
            if (arrayList.isEmpty()) {
                return;
            }
            reportBugSink(1, collection);
        }
    }

    private String getStackFieldName(int i) {
        XField xField = this.stack.getStackItem(i).getXField();
        if (xField == null) {
            return null;
        }
        String[] split = xField.toString().split(" ");
        if (split.length < 2) {
            return null;
        }
        return split[split.length - 2] + split[split.length - 1];
    }

    private void reportBugSink(int i, Collection<Integer> collection) {
        String str = HARD_CODE_KEY_TYPE;
        Iterator<Integer> it = collection.iterator();
        while (it.hasNext()) {
            String signature = this.stack.getStackItem(it.next().intValue()).getSignature();
            if (Values.SIG_JAVA_LANG_STRING.equals(signature) || "[C".equals(signature)) {
                str = HARD_CODE_PASSWORD_TYPE;
                break;
            }
        }
        BugInstance addCalledMethod = new BugInstance(this, str, i).addClass(this).addMethod(this).addSourceLine(this).addCalledMethod(this);
        for (Integer num : collection) {
            OpcodeStack.Item stackItem = this.stack.getStackItem(num.intValue());
            addCalledMethod.addParameterAnnotation(num.intValue(), "Hard coded parameter number (in reverse order) is").addFieldOrMethodValueSource(stackItem);
            Object constant = stackItem.getConstant();
            if (constant != null) {
                addCalledMethod.addString(constant.toString());
            }
        }
        this.bugReporter.reportBug(addCalledMethod);
    }

    private void reportBugSource(Collection<String> collection, int i) {
        if (collection.isEmpty()) {
            return;
        }
        String str = HARD_CODE_KEY_TYPE;
        Iterator<String> it = collection.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            } else if (it.next().endsWith("[C")) {
                str = HARD_CODE_PASSWORD_TYPE;
                break;
            }
        }
        BugInstance addClass = new BugInstance(this, str, i).addClass(this);
        Iterator<String> it2 = collection.iterator();
        while (it2.hasNext()) {
            addClass.addString("is hard coded in field " + it2.next() + " with suspicious name");
        }
        this.bugReporter.reportBug(addClass);
    }

    private void setHardCodedItem(int i) {
        setHardCodedItem(this.stack.getStackItem(i));
    }

    private void setHardCodedItem(OpcodeStack.Item item) {
        item.setUserValue(Boolean.TRUE);
    }

    private boolean hasHardCodedStackItem(int i) {
        return this.stack.getStackItem(i).getUserValue() != null;
    }

    private boolean isInMethodWithConst(String str, int i) {
        return str.equals(this.calledMethod) && hasHardCodedStackItem(i);
    }

    private String getFullFieldName() {
        return getDottedClassConstantOperand() + BundleLoader.DEFAULT_PACKAGE + getNameConstantOperand() + getSigConstantOperand();
    }

    private static boolean isSupportedSignature(String str) {
        return "[C".equals(str) || "[B".equals(str) || "Ljava/math/BigInteger;".equals(str);
    }

    private String getCalledMethodName() {
        return getClassConstantOperand() + BundleLoader.DEFAULT_PACKAGE + (getNameConstantOperand() + getSigConstantOperand());
    }

    private void loadMap(String str, Map<String, Collection<Integer>> map, String str2) throws IOException {
        BufferedReader bufferedReader = null;
        try {
            bufferedReader = getReader(str);
            while (true) {
                String readLine = bufferedReader.readLine();
                if (readLine == null) {
                    break;
                }
                String trim = readLine.trim();
                if (!trim.isEmpty()) {
                    String[] split = trim.split(str2);
                    int length = split.length - 1;
                    ArrayList arrayList = new ArrayList(length);
                    for (int i = 0; i < length; i++) {
                        arrayList.add(Integer.valueOf(Integer.parseInt(split[i + 1])));
                    }
                    map.put(split[0], arrayList);
                }
            }
            if (bufferedReader != null) {
                bufferedReader.close();
            }
        } catch (Throwable th) {
            if (bufferedReader != null) {
                bufferedReader.close();
            }
            throw th;
        }
    }

    private BufferedReader getReader(String str) {
        return new BufferedReader(new InputStreamReader(getClass().getClassLoader().getResourceAsStream("password-methods/" + str), Charset.forName("UTF-8")));
    }

    static {
        $assertionsDisabled = !ConstantPasswordDetector.class.desiredAssertionStatus();
        PASSWORD_PATTERN = Pattern.compile(PASSWORD_NAMES, 2);
        hardCodedFields = new HashSet();
        reportedFields = new HashSet();
    }
}
