package net.sourceforge.pmd.lang.apex.rule.security;

import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import net.sourceforge.pmd.lang.apex.ast.ASTAssignmentExpression;
import net.sourceforge.pmd.lang.apex.ast.ASTBinaryExpression;
import net.sourceforge.pmd.lang.apex.ast.ASTFieldDeclaration;
import net.sourceforge.pmd.lang.apex.ast.ASTMethod;
import net.sourceforge.pmd.lang.apex.ast.ASTMethodCallExpression;
import net.sourceforge.pmd.lang.apex.ast.ASTReturnStatement;
import net.sourceforge.pmd.lang.apex.ast.ASTUserClass;
import net.sourceforge.pmd.lang.apex.ast.ASTVariableDeclaration;
import net.sourceforge.pmd.lang.apex.ast.ASTVariableExpression;
import net.sourceforge.pmd.lang.apex.ast.AccessNode;
import net.sourceforge.pmd.lang.apex.ast.ApexNode;
import net.sourceforge.pmd.lang.apex.rule.AbstractApexRule;
import net.sourceforge.pmd.lang.ast.Node;

/* loaded from: input_file:net/sourceforge/pmd/lang/apex/rule/security/ApexXSSFromURLParamRule.class */
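/**
 * Flags Apex code that reads a URL parameter through
 * {@code ApexPages.currentPage().getParameters().get(...)} and lets the value reach a
 * sink (a {@code return} from a String-typed method, an assignment, a variable or field
 * initializer, or an argument of a non-escaping method call) without passing through one
 * of the recognised escaping / coercing calls &mdash; the reflected-XSS pattern.
 *
 * <p>Taint model as implemented in this class:
 * <ul>
 *   <li><b>Source:</b> the {@link #URL_PARAMETER_METHOD} call chain.</li>
 *   <li><b>Propagation:</b> a variable initialised or assigned from the source is recorded
 *       in {@link #urlParameterStrings} under its fully-qualified name (see
 *       {@link #findTaintedVariables}); every later reference to that name is treated as
 *       tainted. Declarations whose declared type is {@code Id} are not recorded.</li>
 *   <li><b>Sanitisers:</b> the call chains listed in {@link #ESCAPING_CHAINS}: the ESAPI
 *       encoders, {@code String.escape*}, and the {@code *.valueOf} / {@code String.is*}
 *       calls (presumably treated as safe because their result is no longer the raw
 *       string).</li>
 * </ul>
 * Test classes and system-level classes are skipped entirely.
 *
 * <p>State: {@link #urlParameterStrings} lives for the life of the rule instance and is
 * never cleared in this class, so tainted names accumulate across every class the
 * instance visits. NOTE(review): confirm {@code Helper.getFQVariableName} qualifies names
 * enough that this cannot produce cross-class false positives.
 */
public class ApexXSSFromURLParamRule extends AbstractApexRule {

    /** Taint source: {@code ApexPages.currentPage().getParameters().get(...)}. */
    private static final String[] URL_PARAMETER_METHOD = {"ApexPages", "currentPage", "getParameters", "get"};

    // Output-encoding sanitisers (context-specific ESAPI encoders and String.escape*).
    private static final String[] HTML_ESCAPING = {"ESAPI", "encoder", "SFDC_HTMLENCODE"};
    private static final String[] JS_ESCAPING = {"ESAPI", "encoder", "SFDC_JSENCODE"};
    private static final String[] JSINHTML_ESCAPING = {"ESAPI", "encoder", "SFDC_JSINHTMLENCODE"};
    private static final String[] URL_ESCAPING = {"ESAPI", "encoder", "SFDC_URLENCODE"};
    private static final String[] STRING_HTML3 = {"String", "escapeHtml3"};
    private static final String[] STRING_HTML4 = {"String", "escapeHtml4"};
    private static final String[] STRING_XML = {"String", "escapeXml"};
    private static final String[] STRING_ECMASCRIPT = {"String", "escapeEcmaScript"};

    // Type coercions / predicates whose result is not the raw parameter string.
    private static final String[] INTEGER_VALUEOF = {"Integer", "valueOf"};
    private static final String[] ID_VALUEOF = {"ID", "valueOf"};
    private static final String[] DOUBLE_VALUEOF = {"Double", "valueOf"};
    private static final String[] BOOLEAN_VALUEOF = {"Boolean", "valueOf"};
    private static final String[] STRING_ISEMPTY = {"String", "isEmpty"};
    private static final String[] STRING_ISBLANK = {"String", "isBlank"};
    private static final String[] STRING_ISNOTBLANK = {"String", "isNotBlank"};

    /** Every call chain that neutralises a tainted value for the purposes of this rule. */
    private static final String[][] ESCAPING_CHAINS = {
        HTML_ESCAPING, JS_ESCAPING, JSINHTML_ESCAPING, URL_ESCAPING,
        STRING_HTML3, STRING_HTML4, STRING_XML, STRING_ECMASCRIPT,
        INTEGER_VALUEOF, DOUBLE_VALUEOF, BOOLEAN_VALUEOF, ID_VALUEOF,
        STRING_ISEMPTY, STRING_ISBLANK, STRING_ISNOTBLANK,
    };

    /** Fully-qualified names of variables known to hold an unescaped URL parameter. */
    private final Set<String> urlParameterStrings = new HashSet<>();

    public ApexXSSFromURLParamRule() {
        setProperty(CODECLIMATE_CATEGORIES, new String[] {"Security"});
        setProperty(CODECLIMATE_REMEDIATION_MULTIPLIER, 50);
        setProperty(CODECLIMATE_BLOCK_HIGHLIGHTING, false);
    }

    /**
     * Skips test classes and system-level classes entirely: returning {@code data} here
     * means this rule does not descend into their members.
     */
    @Override
    public Object visit(ASTUserClass node, Object data) {
        boolean outOfScope = net.sourceforge.pmd.lang.apex.rule.internal.Helper.isTestMethodOrClass(node)
                || net.sourceforge.pmd.lang.apex.rule.internal.Helper.isSystemLevelClass(node);
        if (outOfScope) {
            return data;
        }
        return super.visit(node, data);
    }

    /** {@code x = ...}: records taint flowing into {@code x} and checks the right-hand side. */
    @Override
    public Object visit(ASTAssignmentExpression node, Object data) {
        findTaintedVariables(node, data);
        processVariableAssignments(node, data, false);
        return data;
    }

    /** {@code String x = ...}: records taint flowing into {@code x} and checks the initializer. */
    @Override
    public Object visit(ASTVariableDeclaration node, Object data) {
        findTaintedVariables(node, data);
        processVariableAssignments(node, data, true);
        return data;
    }

    /** Field initializer: same handling as a local declaration. */
    @Override
    public Object visit(ASTFieldDeclaration node, Object data) {
        findTaintedVariables(node, data);
        processVariableAssignments(node, data, true);
        return data;
    }

    /**
     * Any method call: a tainted variable passed to a non-escaping call is reported, and a
     * URL-parameter read nested inside a non-escaping call is reported too.
     */
    @Override
    public Object visit(ASTMethodCallExpression node, Object data) {
        processEscapingMethodCalls(node, data);
        processInlineMethodCalls(node, data, false);
        return data;
    }

    /**
     * {@code return ...}: reports tainted variables and, for String-typed methods, a URL
     * parameter read directly in the returned expression. Non-String return types
     * (Integer, Boolean, Id, ...) are not treated as markup-carrying sinks.
     */
    @Override
    public Object visit(ASTReturnStatement node, Object data) {
        ASTBinaryExpression binary = node.getFirstChildOfType(ASTBinaryExpression.class);
        if (binary != null) {
            processBinaryExpression(binary, data);
        }

        ASTMethodCallExpression call = node.getFirstChildOfType(ASTMethodCallExpression.class);
        if (call != null && "string".equalsIgnoreCase(getReturnType(node))) {
            processInlineMethodCalls(call, data, true);
        }

        // Report each tainted variable at its own node. (Previously the first variable
        // expression of the statement was reported, once per tainted match, regardless of
        // which variable was actually tainted.)
        for (ASTVariableExpression var : node.findChildrenOfType(ASTVariableExpression.class)) {
            if (isTainted(var)) {
                addViolation(data, var);
            }
        }
        return data;
    }

    /** Declared return type of the method enclosing {@code node}, or {@code ""} if none. */
    private String getReturnType(ASTReturnStatement node) {
        ASTMethod method = node.getFirstParentOfType(ASTMethod.class);
        return method == null ? "" : method.getReturnType();
    }

    /** True when {@code call} matches one of {@link #ESCAPING_CHAINS}. */
    private boolean isEscapingMethod(ASTMethodCallExpression call) {
        for (String[] chain : ESCAPING_CHAINS) {
            if (isChain(call, chain)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Walks nested method calls looking for a direct URL-parameter read.
     *
     * @param call    the outermost call to inspect
     * @param data    rule context passed through to {@code addViolation}
     * @param isSink  whether a URL-parameter read at {@code call} itself is reportable;
     *                nested calls are always reportable unless wrapped by an escaping call
     */
    private void processInlineMethodCalls(ASTMethodCallExpression call, Object data, boolean isSink) {
        ASTMethodCallExpression nested = call.getFirstChildOfType(ASTMethodCallExpression.class);
        // An escaping call neutralises whatever is nested inside it, so stop descending there.
        if (nested != null && !isEscapingMethod(call)) {
            processInlineMethodCalls(nested, data, true);
        }
        if (isSink && isChain(call, URL_PARAMETER_METHOD)) {
            addViolation(data, call);
        }
    }

    /**
     * Records the variable on the left of a declaration/assignment as tainted when its value
     * comes straight from the URL-parameter source, then checks the call for tainted
     * arguments. Declarations typed {@code Id} are not recorded.
     */
    private void findTaintedVariables(ApexNode<?> node, Object data) {
        ASTMethodCallExpression call = node.getFirstChildOfType(ASTMethodCallExpression.class);
        if (call == null) {
            return;
        }
        if (isChain(call, URL_PARAMETER_METHOD)) {
            ASTVariableExpression target = node.getFirstChildOfType(ASTVariableExpression.class);
            if (target != null && !isIdDeclaration(node)) {
                urlParameterStrings.add(fqName(target));
            }
        }
        processEscapingMethodCalls(call, data);
    }

    /**
     * Reports a tainted variable used as the argument of {@code call} unless {@code call}
     * is an escaping method; recurses into nested calls first.
     */
    private void processEscapingMethodCalls(ASTMethodCallExpression call, Object data) {
        ASTMethodCallExpression nested = call.getFirstChildOfType(ASTMethodCallExpression.class);
        if (nested != null) {
            processEscapingMethodCalls(nested, data);
        }
        ASTVariableExpression arg = call.getFirstChildOfType(ASTVariableExpression.class);
        if (arg != null && isTainted(arg) && !isEscapingMethod(call)) {
            addViolation(data, arg);
        }
    }

    /**
     * Checks the right-hand side of a declaration or assignment for unescaped taint.
     *
     * @param node           the declaration or assignment node
     * @param data           rule context passed through to {@code addViolation}
     * @param isDeclaration  {@code true} for variable/field declarations, {@code false} for
     *                       assignment expressions; selects which child holds the
     *                       right-hand-side variable
     */
    private void processVariableAssignments(ApexNode<?> node, Object data, boolean isDeclaration) {
        ASTMethodCallExpression call = node.getFirstChildOfType(ASTMethodCallExpression.class);
        // A value coerced into an Id cannot carry markup, so its initializer is not inspected.
        if (call != null && !isIdDeclaration(node)) {
            processInlineMethodCalls(call, data, false);
        }

        List<ASTVariableExpression> vars = node.findChildrenOfType(ASTVariableExpression.class);
        switch (vars.size()) {
            case 1:
                // Only the target variable is present: the value is an expression, so look
                // for taint inside any binary (e.g. concatenation) sub-expressions.
                for (ASTBinaryExpression binary : node.findChildrenOfType(ASTBinaryExpression.class)) {
                    processBinaryExpression(binary, data);
                }
                break;
            case 2:
                // Target and source are both plain variables. The index of the source
                // differs between declarations and assignments in the underlying AST;
                // the original selector is kept as-is (presumably index 0 for declarations,
                // index 1 for assignments — verify against the Apex AST shape).
                ASTVariableExpression source = isDeclaration ? vars.get(0) : vars.get(1);
                if (isTainted(source)) {
                    addViolation(data, source);
                }
                break;
            default:
                break;
        }
    }

    /**
     * Recursively checks a binary expression (e.g. string concatenation) for a direct
     * URL-parameter read or a reference to a tainted variable.
     */
    private void processBinaryExpression(ApexNode<?> node, Object data) {
        ASTBinaryExpression inner = node.getFirstChildOfType(ASTBinaryExpression.class);
        if (inner != null) {
            processBinaryExpression(inner, data);
        }
        ASTMethodCallExpression call = node.getFirstChildOfType(ASTMethodCallExpression.class);
        if (call != null) {
            processInlineMethodCalls(call, data, true);
        }
        for (ASTVariableExpression var : node.findChildrenOfType(ASTVariableExpression.class)) {
            if (isTainted(var)) {
                addViolation(data, var);
            }
        }
    }

    /** True when {@code node} is a variable declaration whose declared type is {@code Id}. */
    private static boolean isIdDeclaration(ApexNode<?> node) {
        if (!(node instanceof ASTVariableDeclaration)) {
            return false;
        }
        String type = ((ASTVariableDeclaration) node).getType();
        return type != null && "id".equalsIgnoreCase(type);
    }

    /** True when {@code var} refers to a variable previously recorded as tainted. */
    private boolean isTainted(ASTVariableExpression var) {
        return urlParameterStrings.contains(fqName(var));
    }

    /** Fully-qualified variable name used as the key of {@link #urlParameterStrings}. */
    private static String fqName(ASTVariableExpression var) {
        return net.sourceforge.pmd.lang.apex.rule.internal.Helper.getFQVariableName(var);
    }

    /** True when {@code call} is the method-call chain named by {@code chain}. */
    private static boolean isChain(ASTMethodCallExpression call, String[] chain) {
        return net.sourceforge.pmd.lang.apex.rule.internal.Helper.isMethodCallChain(call, chain);
    }
}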
