package net.sourceforge.pmd.lang.apex.rule.security;

import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import net.sourceforge.pmd.lang.apex.ast.ASTAssignmentExpression;
import net.sourceforge.pmd.lang.apex.ast.ASTBinaryExpression;
import net.sourceforge.pmd.lang.apex.ast.ASTFieldDeclaration;
import net.sourceforge.pmd.lang.apex.ast.ASTMethod;
import net.sourceforge.pmd.lang.apex.ast.ASTMethodCallExpression;
import net.sourceforge.pmd.lang.apex.ast.ASTReturnStatement;
import net.sourceforge.pmd.lang.apex.ast.ASTUserClass;
import net.sourceforge.pmd.lang.apex.ast.ASTVariableDeclaration;
import net.sourceforge.pmd.lang.apex.ast.ASTVariableExpression;
import net.sourceforge.pmd.lang.apex.ast.AccessNode;
import net.sourceforge.pmd.lang.apex.ast.ApexNode;
import net.sourceforge.pmd.lang.apex.rule.AbstractApexRule;
import net.sourceforge.pmd.lang.apex.rule.internal.Helper;
import net.sourceforge.pmd.lang.ast.Node;

/* loaded from: input_file:net/sourceforge/pmd/lang/apex/rule/security/ApexXSSFromURLParamRule.class */
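/**
 * Flags Apex code that returns, copies or concatenates a value read from
 * {@code ApexPages.currentPage().getParameters().get(...)} without first passing it through one
 * of the escaping or type-coercion calls listed in {@link #SANITIZING_CHAINS}.
 *
 * <p>Tracking has two layers. Variables declared or assigned from the URL parameter chain are
 * remembered by fully qualified name in {@link #urlParameterStrings}; later uses of those names in
 * return statements, assignments and binary expressions are reported. Independently, an inline
 * URL parameter read that feeds a return value, a binary expression or a non-escaping call is
 * reported at the call site itself.</p>
 *
 * <p>NOTE(review): {@code urlParameterStrings} is never cleared, so tracked names persist for the
 * lifetime of the rule instance (i.e. potentially across files) — confirm that is intended.</p>
 */
public class ApexXSSFromURLParamRule extends AbstractApexRule {
    /** Call chain that reads a request parameter: {@code ApexPages.currentPage().getParameters().get(...)}. */
    private static final String[] URL_PARAMETER_METHOD = {"ApexPages", "currentPage", "getParameters", "get"};

    // ESAPI encoder calls.
    private static final String[] HTML_ESCAPING = {"ESAPI", "encoder", "SFDC_HTMLENCODE"};
    private static final String[] JS_ESCAPING = {"ESAPI", "encoder", "SFDC_JSENCODE"};
    private static final String[] JSINHTML_ESCAPING = {"ESAPI", "encoder", "SFDC_JSINHTMLENCODE"};
    private static final String[] URL_ESCAPING = {"ESAPI", "encoder", "SFDC_URLENCODE"};
    // Built-in String escaping methods.
    private static final String[] STRING_HTML3 = {"String", "escapeHtml3"};
    private static final String[] STRING_HTML4 = {"String", "escapeHtml4"};
    private static final String[] STRING_XML = {"String", "escapeXml"};
    private static final String[] STRING_ECMASCRIPT = {"String", "escapeEcmaScript"};
    // Conversions to non-String types, also treated as neutralising the parameter
    // (a numeric, Id or Boolean result no longer carries the original text).
    private static final String[] INTEGER_VALUEOF = {"Integer", "valueOf"};
    private static final String[] ID_VALUEOF = {"ID", "valueOf"};
    private static final String[] DOUBLE_VALUEOF = {"Double", "valueOf"};
    private static final String[] BOOLEAN_VALUEOF = {"Boolean", "valueOf"};
    // Predicates on the string; their result is a Boolean, not the tainted text.
    private static final String[] STRING_ISEMPTY = {"String", "isEmpty"};
    private static final String[] STRING_ISBLANK = {"String", "isBlank"};
    private static final String[] STRING_ISNOTBLANK = {"String", "isNotBlank"};

    /**
     * Every call chain the rule accepts as neutralising a URL parameter. Order is irrelevant; the
     * array exists so {@link #isEscapingMethod} is a loop rather than a fifteen-way disjunction.
     */
    private static final String[][] SANITIZING_CHAINS = {
        HTML_ESCAPING, JS_ESCAPING, JSINHTML_ESCAPING, URL_ESCAPING,
        STRING_HTML3, STRING_HTML4, STRING_XML, STRING_ECMASCRIPT,
        INTEGER_VALUEOF, DOUBLE_VALUEOF, BOOLEAN_VALUEOF, ID_VALUEOF,
        STRING_ISEMPTY, STRING_ISBLANK, STRING_ISNOTBLANK,
    };

    /** Fully qualified names (see {@link Helper#getFQVariableName}) of variables known to hold a raw URL parameter. */
    private final Set<String> urlParameterStrings = new HashSet<>();

    @Override // net.sourceforge.pmd.lang.apex.ast.ApexVisitor
    public Object visit(ASTUserClass node, Object data) {
        // Test classes and system-level classes are out of scope for this rule.
        if (Helper.isTestMethodOrClass(node) || Helper.isSystemLevelClass(node)) {
            return data;
        }
        // The decompiled form cast the traversal data to ASTUserClass here; that cast would fail
        // at runtime (data is the rule context), so it is dropped.
        return super.visit(node, data);
    }

    @Override // net.sourceforge.pmd.lang.apex.ast.ApexVisitor
    public Object visit(ASTAssignmentExpression node, Object data) {
        findTaintedVariables(node, data);
        // For an assignment the source variable is the second variable-expression child.
        processVariableAssignments(node, data, false);
        return data;
    }

    @Override // net.sourceforge.pmd.lang.apex.ast.ApexVisitor
    public Object visit(ASTVariableDeclaration node, Object data) {
        findTaintedVariables(node, data);
        // For a declaration the source variable is the first variable-expression child.
        processVariableAssignments(node, data, true);
        return data;
    }

    @Override // net.sourceforge.pmd.lang.apex.ast.ApexVisitor
    public Object visit(ASTFieldDeclaration node, Object data) {
        findTaintedVariables(node, data);
        // Field initialisers are laid out like local declarations.
        processVariableAssignments(node, data, true);
        return data;
    }

    @Override // net.sourceforge.pmd.lang.apex.ast.ApexVisitor
    public Object visit(ASTMethodCallExpression node, Object data) {
        processEscapingMethodCalls(node, data);
        // A bare call is not reported itself; only a URL parameter read nested inside it is.
        processInlineMethodCalls(node, data, false);
        return data;
    }

    @Override // net.sourceforge.pmd.lang.apex.ast.ApexVisitor
    public Object visit(ASTReturnStatement node, Object data) {
        ASTBinaryExpression binary = node.firstChild(ASTBinaryExpression.class);
        if (binary != null) {
            processBinaryExpression(binary, data);
        }
        // An inline parameter read is only reported when the method hands a String back.
        ASTMethodCallExpression call = node.firstChild(ASTMethodCallExpression.class);
        if (call != null && "string".equalsIgnoreCase(getReturnType(node))) {
            processInlineMethodCalls(call, data, true);
        }
        // Report each returned variable known to hold a URL parameter. The violation is attached
        // to the matching expression itself; the decompiled form always reported the first
        // variable-expression child regardless of which one matched.
        for (ASTVariableExpression variable : node.children(ASTVariableExpression.class)) {
            if (urlParameterStrings.contains(Helper.getFQVariableName(variable))) {
                asCtx(data).addViolation(variable);
            }
        }
        return data;
    }

    /**
     * Returns the declared return type of the method enclosing {@code node}, or the empty
     * string when no enclosing method is found.
     */
    private String getReturnType(ASTReturnStatement node) {
        ASTMethod method = node.ancestors(ASTMethod.class).first();
        return method != null ? method.getReturnType() : "";
    }

    /** True when {@code call} matches one of the chains in {@link #SANITIZING_CHAINS}. */
    private boolean isEscapingMethod(ASTMethodCallExpression call) {
        for (String[] chain : SANITIZING_CHAINS) {
            if (Helper.isMethodCallChain(call, chain)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Walks a nested method call chain looking for a direct URL parameter read.
     *
     * @param call   the outermost call expression
     * @param data   the rule context
     * @param report whether a URL parameter read at this level is a violation; callers pass
     *               {@code false} for a bare call expression and {@code true} once the read is
     *               known to feed a return value, a binary expression or an enclosing call
     */
    private void processInlineMethodCalls(ASTMethodCallExpression call, Object data, boolean report) {
        ASTMethodCallExpression inner = call.firstChild(ASTMethodCallExpression.class);
        // Descend only through non-escaping calls: a read wrapped in an escaping call is safe.
        if (inner != null && !isEscapingMethod(call)) {
            processInlineMethodCalls(inner, data, true);
        }
        if (Helper.isMethodCallChain(call, URL_PARAMETER_METHOD) && report) {
            asCtx(data).addViolation(call);
        }
    }

    /**
     * Records the variable declared or assigned by {@code node} as tainted when its initialiser
     * is the URL parameter chain, then checks the initialiser for unescaped uses of already
     * tainted variables.
     *
     * @param node a declaration or assignment node
     * @param data the rule context
     */
    private void findTaintedVariables(ApexNode<?> node, Object data) {
        ASTMethodCallExpression call = node.firstChild(ASTMethodCallExpression.class);
        if (call == null) {
            return;
        }
        if (Helper.isMethodCallChain(call, URL_PARAMETER_METHOD)) {
            ASTVariableExpression target = node.firstChild(ASTVariableExpression.class);
            // Variables declared with type Id are not tracked (the rule treats Id as safe).
            if (target != null && !isIdDeclaration(node)) {
                urlParameterStrings.add(Helper.getFQVariableName(target));
            }
        }
        processEscapingMethodCalls(call, data);
    }

    /** True when {@code node} is a variable declaration whose declared type is {@code Id} (case-insensitive). */
    private static boolean isIdDeclaration(ApexNode<?> node) {
        return node instanceof ASTVariableDeclaration
            && "id".equalsIgnoreCase(((ASTVariableDeclaration) node).getType());
    }

    /**
     * Reports a tainted variable passed to {@code call} (or to any call nested inside it)
     * unless that call is one of the recognised escaping methods.
     */
    private void processEscapingMethodCalls(ASTMethodCallExpression call, Object data) {
        ASTMethodCallExpression inner = call.firstChild(ASTMethodCallExpression.class);
        if (inner != null) {
            processEscapingMethodCalls(inner, data);
        }
        ASTVariableExpression argument = call.firstChild(ASTVariableExpression.class);
        if (argument != null
                && urlParameterStrings.contains(Helper.getFQVariableName(argument))
                && !isEscapingMethod(call)) {
            asCtx(data).addViolation(argument);
        }
    }

    /**
     * Checks the right-hand side of a declaration or assignment for tainted input.
     *
     * @param node          a declaration or assignment node
     * @param data          the rule context
     * @param isDeclaration {@code true} for declarations, where the source variable is the first
     *                      variable-expression child; {@code false} for assignments, where it is
     *                      the second
     */
    private void processVariableAssignments(ApexNode<?> node, Object data, boolean isDeclaration) {
        ASTMethodCallExpression call = node.firstChild(ASTMethodCallExpression.class);
        // Id-typed declarations are skipped, mirroring findTaintedVariables.
        if (call != null && !isIdDeclaration(node)) {
            processInlineMethodCalls(call, data, false);
        }
        List<ASTVariableExpression> variables = node.children(ASTVariableExpression.class).toList();
        // The decompiled form spelled these labels as AccessNode.PUBLIC / AccessNode.PRIVATE
        // (values 1 and 2); they are list sizes, not access flags.
        switch (variables.size()) {
            case 1:
                // Only the target variable is present: the value comes from an expression, so
                // look for tainted operands in any binary expression.
                for (ASTBinaryExpression binary : node.children(ASTBinaryExpression.class)) {
                    processBinaryExpression(binary, data);
                }
                break;
            case 2: {
                // Variable-to-variable copy: report when the source is tainted.
                ASTVariableExpression source = variables.get(isDeclaration ? 0 : 1);
                if (urlParameterStrings.contains(Helper.getFQVariableName(source))) {
                    asCtx(data).addViolation(source);
                }
                break;
            }
            default:
                break;
        }
    }

    /**
     * Recursively checks a binary expression (e.g. string concatenation) for tainted operands:
     * inline URL parameter reads and variables known to hold a URL parameter.
     */
    private void processBinaryExpression(ApexNode<?> node, Object data) {
        ASTBinaryExpression nested = node.firstChild(ASTBinaryExpression.class);
        if (nested != null) {
            processBinaryExpression(nested, data);
        }
        ASTMethodCallExpression call = node.firstChild(ASTMethodCallExpression.class);
        if (call != null) {
            // An operand of a binary expression always counts as a use, hence report = true.
            processInlineMethodCalls(call, data, true);
        }
        for (ASTVariableExpression operand : node.children(ASTVariableExpression.class)) {
            if (urlParameterStrings.contains(Helper.getFQVariableName(operand))) {
                asCtx(data).addViolation(operand);
            }
        }
    }
}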
