package org.apache.struts2.interceptor.parameter;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.inject.Inject;
import com.opensymphony.xwork2.interceptor.MethodFilterInterceptor;
import com.opensymphony.xwork2.security.AcceptedPatternsChecker;
import com.opensymphony.xwork2.security.DefaultAcceptedPatternsChecker;
import com.opensymphony.xwork2.security.ExcludedPatternsChecker;
import com.opensymphony.xwork2.util.ClearableValueStack;
import com.opensymphony.xwork2.util.DebugUtils;
import com.opensymphony.xwork2.util.MemberAccessValueStack;
import com.opensymphony.xwork2.util.TextParseUtil;
import com.opensymphony.xwork2.util.ValueStack;
import com.opensymphony.xwork2.util.ValueStackFactory;
import com.opensymphony.xwork2.util.reflection.ReflectionContextState;
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.lang.reflect.ParameterizedType;
import java.lang.reflect.Type;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.TreeMap;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.ClassUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.struts2.StrutsConstants;
import org.apache.struts2.action.NoParameters;
import org.apache.struts2.action.ParameterNameAware;
import org.apache.struts2.action.ParameterValueAware;
import org.apache.struts2.dispatcher.HttpParameters;
import org.apache.struts2.dispatcher.Parameter;
import org.apache.struts2.interceptor.MessageStoreInterceptor;
import org.apache.struts2.ognl.ThreadAllowlist;

/* loaded from: input_file:WEB-INF/lib/struts2-core-6.6.1.jar:org/apache/struts2/interceptor/parameter/ParametersInterceptor.class */
public class ParametersInterceptor extends MethodFilterInterceptor {
    protected static final int PARAM_NAME_MAX_LENGTH = 100;
    private ValueStackFactory valueStackFactory;
    protected ThreadAllowlist threadAllowlist;
    private ExcludedPatternsChecker excludedPatterns;
    private AcceptedPatternsChecker acceptedPatterns;
    private static final Logger LOG = LogManager.getLogger((Class<?>) ParametersInterceptor.class);
    private static final Pattern DMI_IGNORED_PATTERN = Pattern.compile("^(action|method):.*", 2);
    static final Comparator<String> rbCollator = (str, str2) -> {
        int countOGNLCharacters = countOGNLCharacters(str);
        int countOGNLCharacters2 = countOGNLCharacters(str2);
        if (countOGNLCharacters < countOGNLCharacters2) {
            return -1;
        }
        if (countOGNLCharacters2 < countOGNLCharacters) {
            return 1;
        }
        return str.compareTo(str2);
    };
    private int paramNameMaxLength = 100;
    private boolean devMode = false;
    private boolean dmiEnabled = false;
    protected boolean ordered = false;
    protected boolean requireAnnotations = false;
    protected boolean requireAnnotationsTransitionMode = false;
    private Set<Pattern> excludedValuePatterns = null;
    private Set<Pattern> acceptedValuePatterns = null;

    @Inject
    public void setValueStackFactory(ValueStackFactory valueStackFactory) {
        this.valueStackFactory = valueStackFactory;
    }

    @Inject
    public void setThreadAllowlist(ThreadAllowlist threadAllowlist) {
        this.threadAllowlist = threadAllowlist;
    }

    @Inject(StrutsConstants.STRUTS_DEVMODE)
    public void setDevMode(String str) {
        this.devMode = BooleanUtils.toBoolean(str);
    }

    @Inject(value = StrutsConstants.STRUTS_PARAMETERS_REQUIRE_ANNOTATIONS, required = false)
    public void setRequireAnnotations(String str) {
        this.requireAnnotations = BooleanUtils.toBoolean(str);
    }

    @Inject(value = StrutsConstants.STRUTS_PARAMETERS_REQUIRE_ANNOTATIONS_TRANSITION, required = false)
    public void setRequireAnnotationsTransitionMode(String str) {
        this.requireAnnotationsTransitionMode = BooleanUtils.toBoolean(str);
    }

    @Inject
    public void setExcludedPatterns(ExcludedPatternsChecker excludedPatternsChecker) {
        this.excludedPatterns = excludedPatternsChecker;
    }

    @Inject
    public void setAcceptedPatterns(AcceptedPatternsChecker acceptedPatternsChecker) {
        this.acceptedPatterns = acceptedPatternsChecker;
    }

    @Inject(value = StrutsConstants.STRUTS_ENABLE_DYNAMIC_METHOD_INVOCATION, required = false)
    protected void setDynamicMethodInvocation(String str) {
        this.dmiEnabled = Boolean.parseBoolean(str);
    }

    public void setParamNameMaxLength(int i) {
        this.paramNameMaxLength = i;
    }

    private static int countOGNLCharacters(String str) {
        int i = 0;
        for (int length = str.length() - 1; length >= 0; length--) {
            char charAt = str.charAt(length);
            if (charAt == '.' || charAt == '[') {
                i++;
            }
        }
        return i;
    }

    @Override // com.opensymphony.xwork2.interceptor.MethodFilterInterceptor
    public String doIntercept(ActionInvocation actionInvocation) throws Exception {
        ActionContext invocationContext;
        HttpParameters retrieveParameters;
        Object action = actionInvocation.getAction();
        if (!(action instanceof NoParameters) && (retrieveParameters = retrieveParameters((invocationContext = actionInvocation.getInvocationContext()))) != null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Setting params {}", StringUtils.normalizeSpace(getParameterLogMap(retrieveParameters)));
            }
            Map<String, Object> contextMap = invocationContext.getContextMap();
            batchApplyReflectionContextState(contextMap, true);
            try {
                setParameters(action, invocationContext.getValueStack(), retrieveParameters);
                batchApplyReflectionContextState(contextMap, false);
                return actionInvocation.invoke();
            } catch (Throwable th) {
                batchApplyReflectionContextState(contextMap, false);
                throw th;
            }
        }
        return actionInvocation.invoke();
    }

    protected HttpParameters retrieveParameters(ActionContext actionContext) {
        return actionContext.getParameters();
    }

    protected void addParametersToContext(ActionContext actionContext, Map<String, ?> map) {
    }

    @Deprecated
    protected void setParameters(Object obj, ValueStack valueStack, HttpParameters httpParameters) {
        applyParameters(obj, valueStack, httpParameters);
    }

    protected void applyParameters(Object obj, ValueStack valueStack, HttpParameters httpParameters) {
        Map<String, Parameter> acceptableParameters = toAcceptableParameters(httpParameters, obj);
        ValueStack newStack = toNewStack(valueStack);
        batchApplyReflectionContextState(newStack.getContext(), true);
        applyMemberAccessProperties(newStack);
        applyParametersOnStack(newStack, acceptableParameters, obj);
        if (newStack instanceof ClearableValueStack) {
            valueStack.getActionContext().withConversionErrors(newStack.getActionContext().getConversionErrors());
        }
        addParametersToContext(ActionContext.getContext(), acceptableParameters);
    }

    protected void batchApplyReflectionContextState(Map<String, Object> map, boolean z) {
        ReflectionContextState.setCreatingNullObjects(map, z);
        ReflectionContextState.setDenyMethodExecution(map, z);
        ReflectionContextState.setReportingConversionErrors(map, z);
    }

    protected ValueStack toNewStack(ValueStack valueStack) {
        ValueStack createValueStack = this.valueStackFactory.createValueStack(valueStack);
        if (createValueStack instanceof ClearableValueStack) {
            ((ClearableValueStack) createValueStack).clearContextValues();
            createValueStack.getActionContext().withLocale(valueStack.getActionContext().getLocale()).withValueStack(valueStack);
        }
        return createValueStack;
    }

    protected void applyMemberAccessProperties(ValueStack valueStack) {
        if (valueStack instanceof MemberAccessValueStack) {
            ((MemberAccessValueStack) valueStack).useAcceptProperties(this.acceptedPatterns.getAcceptedPatterns());
            ((MemberAccessValueStack) valueStack).useExcludeProperties(this.excludedPatterns.getExcludedPatterns());
        }
    }

    protected Map<String, Parameter> toAcceptableParameters(HttpParameters httpParameters, Object obj) {
        HttpParameters initNewHttpParameters = initNewHttpParameters(httpParameters);
        Map<String, Parameter> initParameterMap = initParameterMap();
        for (Map.Entry<String, Parameter> entry : initNewHttpParameters.entrySet()) {
            String key = entry.getKey();
            Parameter value = entry.getValue();
            if (isAcceptableParameter(key, obj) && isAcceptableParameterValue(value, obj)) {
                initParameterMap.put(key, value);
            }
        }
        return initParameterMap;
    }

    protected Map<String, Parameter> initParameterMap() {
        return this.ordered ? new TreeMap(getOrderedComparator()) : new TreeMap();
    }

    protected HttpParameters initNewHttpParameters(HttpParameters httpParameters) {
        return this.ordered ? HttpParameters.create().withComparator(getOrderedComparator()).withParent(httpParameters).build() : HttpParameters.create().withParent(httpParameters).build();
    }

    protected void applyParametersOnStack(ValueStack valueStack, Map<String, Parameter> map, Object obj) {
        for (Map.Entry<String, Parameter> entry : map.entrySet()) {
            try {
                valueStack.setParameter(entry.getKey(), entry.getValue().getObject());
            } catch (RuntimeException e) {
                if (this.devMode) {
                    notifyDeveloperParameterException(obj, entry.getKey(), e.getMessage());
                }
            }
        }
    }

    protected void notifyDeveloperParameterException(Object obj, String str, String str2) {
        DebugUtils.notifyDeveloperOfError(LOG, obj, String.format("Unexpected Exception caught setting '%s' on '%s: %s", str, obj.getClass(), str2));
    }

    protected boolean isAcceptableParameter(String str, Object obj) {
        return acceptableName(str) && isAcceptableParameterNameAware(str, obj) && isParameterAnnotatedAndAllowlist(str, obj);
    }

    protected boolean isAcceptableParameterNameAware(String str, Object obj) {
        return !(obj instanceof ParameterNameAware) || ((ParameterNameAware) obj).acceptableParameterName(str);
    }

    protected boolean isParameterAnnotatedAndAllowlist(String str, Object obj) {
        if (!this.requireAnnotations) {
            return true;
        }
        Stream mapToObj = str.codePoints().mapToObj(i -> {
            return Character.valueOf((char) i);
        });
        Set<Character> set = DefaultAcceptedPatternsChecker.NESTING_CHARS;
        set.getClass();
        long count = mapToObj.filter((v1) -> {
            return r1.contains(v1);
        }).count();
        if (this.requireAnnotationsTransitionMode && count == 0) {
            return true;
        }
        int indexOfAny = StringUtils.indexOfAny(str, DefaultAcceptedPatternsChecker.NESTING_CHARS_STR);
        String substring = indexOfAny == -1 ? str : str.substring(0, indexOfAny);
        return hasValidAnnotatedMember(Character.toLowerCase(substring.charAt(0)) + substring.substring(1), obj, count);
    }

    protected boolean hasValidAnnotatedMember(String str, Object obj, long j) {
        BeanInfo beanInfo = getBeanInfo(obj);
        if (beanInfo == null) {
            return hasValidAnnotatedField(obj, str, j);
        }
        Optional findFirst = Arrays.stream(beanInfo.getPropertyDescriptors()).filter(propertyDescriptor -> {
            return propertyDescriptor.getName().equals(str);
        }).findFirst();
        if (findFirst.isPresent() && hasValidAnnotatedPropertyDescriptor(obj, (PropertyDescriptor) findFirst.get(), j)) {
            return true;
        }
        return hasValidAnnotatedField(obj, str, j);
    }

    @Deprecated
    protected boolean hasValidAnnotatedPropertyDescriptor(PropertyDescriptor propertyDescriptor, long j) {
        return hasValidAnnotatedPropertyDescriptor(null, propertyDescriptor, j);
    }

    protected boolean hasValidAnnotatedPropertyDescriptor(Object obj, PropertyDescriptor propertyDescriptor, long j) {
        Method writeMethod = j == 0 ? propertyDescriptor.getWriteMethod() : propertyDescriptor.getReadMethod();
        if (writeMethod == null) {
            return false;
        }
        if (getPermittedInjectionDepth(writeMethod) < j) {
            String format = String.format("Parameter injection for method [%s] on action [%s] rejected. Ensure it is annotated with @StrutsParameter with an appropriate 'depth'.", writeMethod.getName(), writeMethod.getDeclaringClass().getName());
            if (this.devMode) {
                DebugUtils.notifyDeveloperOfError(LOG, obj, format);
                return false;
            }
            LOG.debug(format);
            return false;
        }
        if (j >= 1) {
            allowlistClass(writeMethod.getReturnType());
        }
        if (j < 2) {
            return true;
        }
        allowlistReturnTypeIfParameterized(writeMethod);
        return true;
    }

    protected void allowlistReturnTypeIfParameterized(Method method) {
        allowlistParameterizedTypeArg(method.getGenericReturnType());
    }

    protected void allowlistParameterizedTypeArg(Type type) {
        if (type instanceof ParameterizedType) {
            Type[] actualTypeArguments = ((ParameterizedType) type).getActualTypeArguments();
            allowlistParamType(actualTypeArguments[0]);
            if (actualTypeArguments.length > 1) {
                allowlistParamType(actualTypeArguments[1]);
            }
        }
    }

    protected void allowlistParamType(Type type) {
        if (type instanceof Class) {
            allowlistClass((Class) type);
        }
    }

    protected void allowlistClass(Class<?> cls) {
        this.threadAllowlist.allowClass(cls);
        List<Class<?>> allSuperclasses = ClassUtils.getAllSuperclasses(cls);
        ThreadAllowlist threadAllowlist = this.threadAllowlist;
        threadAllowlist.getClass();
        allSuperclasses.forEach(threadAllowlist::allowClass);
        List<Class<?>> allInterfaces = ClassUtils.getAllInterfaces(cls);
        ThreadAllowlist threadAllowlist2 = this.threadAllowlist;
        threadAllowlist2.getClass();
        allInterfaces.forEach(threadAllowlist2::allowClass);
    }

    protected boolean hasValidAnnotatedField(Object obj, String str, long j) {
        try {
            Field declaredField = obj.getClass().getDeclaredField(str);
            if (!Modifier.isPublic(declaredField.getModifiers())) {
                return false;
            }
            if (getPermittedInjectionDepth(declaredField) < j) {
                String format = String.format("Parameter injection for field [%s] on action [%s] rejected. Ensure it is annotated with @StrutsParameter with an appropriate 'depth'.", str, obj.getClass().getName());
                if (this.devMode) {
                    DebugUtils.notifyDeveloperOfError(LOG, obj, format);
                    return false;
                }
                LOG.debug(format);
                return false;
            }
            if (j >= 1) {
                allowlistClass(declaredField.getType());
            }
            if (j < 2) {
                return true;
            }
            allowlistFieldIfParameterized(declaredField);
            return true;
        } catch (NoSuchFieldException e) {
            return false;
        }
    }

    protected void allowlistFieldIfParameterized(Field field) {
        allowlistParameterizedTypeArg(field.getGenericType());
    }

    protected int getPermittedInjectionDepth(AnnotatedElement annotatedElement) {
        StrutsParameter parameterAnnotation = getParameterAnnotation(annotatedElement);
        if (parameterAnnotation == null) {
            return -1;
        }
        return parameterAnnotation.depth();
    }

    protected StrutsParameter getParameterAnnotation(AnnotatedElement annotatedElement) {
        return (StrutsParameter) annotatedElement.getAnnotation(StrutsParameter.class);
    }

    protected BeanInfo getBeanInfo(Object obj) {
        try {
            return Introspector.getBeanInfo(obj.getClass());
        } catch (IntrospectionException e) {
            LOG.warn("Error introspecting Action {} for parameter injection validation", obj.getClass(), e);
            return null;
        }
    }

    protected boolean isAcceptableParameterValue(Parameter parameter, Object obj) {
        return isAcceptableParameterValueAware(parameter, obj) && acceptableValue(parameter.getName(), parameter.getValue());
    }

    protected boolean isAcceptableParameterValueAware(Parameter parameter, Object obj) {
        return !(obj instanceof ParameterValueAware) || ((ParameterValueAware) obj).acceptableParameterValue(parameter.getValue());
    }

    protected Comparator<String> getOrderedComparator() {
        return rbCollator;
    }

    protected String getParameterLogMap(HttpParameters httpParameters) {
        return httpParameters == null ? MessageStoreInterceptor.NONE : (String) httpParameters.entrySet().stream().map(entry -> {
            return String.format("%s => %s ", entry.getKey(), ((Parameter) entry.getValue()).getValue());
        }).collect(Collectors.joining());
    }

    protected boolean acceptableName(String str) {
        return isAcceptableName(str);
    }

    protected boolean isAcceptableName(String str) {
        if (isIgnoredDMI(str)) {
            LOG.trace("DMI is enabled, ignoring DMI method: {}", str);
            return false;
        }
        boolean z = isWithinLengthLimit(str) && !isExcluded(str) && isAccepted(str);
        if (this.devMode && z) {
            LOG.debug("Parameter [{}] was accepted and will be appended to action!", str);
        }
        return z;
    }

    private boolean isIgnoredDMI(String str) {
        if (this.dmiEnabled) {
            return DMI_IGNORED_PATTERN.matcher(str).matches();
        }
        return false;
    }

    protected boolean acceptableValue(String str, String str2) {
        return isAcceptableValue(str, str2);
    }

    protected boolean isAcceptableValue(String str, String str2) {
        boolean z = str2 == null || str2.isEmpty() || (!isParamValueExcluded(str2) && isParamValueAccepted(str2));
        if (!z) {
            if (this.devMode) {
                LOG.warn("Value [{}] of parameter [{}] was not accepted and will be dropped!", StringUtils.normalizeSpace(str2), StringUtils.normalizeSpace(str));
            } else {
                LOG.debug("Value [{}] of parameter [{}] was not accepted and will be dropped!", StringUtils.normalizeSpace(str2), StringUtils.normalizeSpace(str));
            }
        }
        return z;
    }

    protected boolean isWithinLengthLimit(String str) {
        boolean z = str.length() <= this.paramNameMaxLength;
        if (!z) {
            if (this.devMode) {
                LOG.warn("Parameter [{}] is too long, allowed length is [{}]. Use Interceptor Parameter Overriding to override the limit, see more at\nhttps://struts.apache.org/core-developers/interceptors.html#interceptor-parameter-overriding", str, Integer.valueOf(this.paramNameMaxLength));
            } else {
                LOG.warn("Parameter [{}] is too long, allowed length is [{}]", str, Integer.valueOf(this.paramNameMaxLength));
            }
        }
        return z;
    }

    protected boolean isAccepted(String str) {
        AcceptedPatternsChecker.IsAccepted isAccepted = this.acceptedPatterns.isAccepted(str);
        if (isAccepted.isAccepted()) {
            return true;
        }
        if (this.devMode) {
            LOG.warn("Parameter [{}] didn't match accepted pattern [{}]! See Accepted / Excluded patterns at\nhttps://struts.apache.org/security/#accepted--excluded-patterns", str, isAccepted.getAcceptedPattern());
            return false;
        }
        LOG.debug("Parameter [{}] didn't match accepted pattern [{}]!", str, isAccepted.getAcceptedPattern());
        return false;
    }

    protected boolean isExcluded(String str) {
        ExcludedPatternsChecker.IsExcluded isExcluded = this.excludedPatterns.isExcluded(str);
        if (!isExcluded.isExcluded()) {
            return false;
        }
        if (this.devMode) {
            LOG.warn("Parameter [{}] matches excluded pattern [{}]! See Accepted / Excluded patterns at\nhttps://struts.apache.org/security/#accepted--excluded-patterns", str, isExcluded.getExcludedPattern());
            return true;
        }
        LOG.debug("Parameter [{}] matches excluded pattern [{}]!", str, isExcluded.getExcludedPattern());
        return true;
    }

    protected boolean isParamValueExcluded(String str) {
        if (!hasParamValuesToExclude()) {
            LOG.debug("'excludedValuePatterns' not defined so anything is allowed");
            return false;
        }
        for (Pattern pattern : this.excludedValuePatterns) {
            if (pattern.matcher(str).matches()) {
                if (this.devMode) {
                    LOG.warn("Parameter value [{}] matches excluded pattern [{}]! See Accepting/Excluding parameter values at\nhttps://struts.apache.org/core-developers/parameters-interceptor#excluding-parameter-values", str, this.excludedValuePatterns);
                    return true;
                }
                LOG.debug("Parameter value [{}] matches excluded pattern [{}]", str, pattern);
                return true;
            }
        }
        return false;
    }

    protected boolean isParamValueAccepted(String str) {
        if (!hasParamValuesToAccept()) {
            LOG.debug("'acceptedValuePatterns' not defined so anything is allowed");
            return true;
        }
        Iterator<Pattern> it = this.acceptedValuePatterns.iterator();
        while (it.hasNext()) {
            if (it.next().matcher(str).matches()) {
                return true;
            }
        }
        if (this.devMode) {
            LOG.warn("Parameter value [{}] didn't match accepted pattern [{}]! See Accepting/Excluding parameter values at\nhttps://struts.apache.org/core-developers/parameters-interceptor#excluding-parameter-values", str, this.acceptedValuePatterns);
            return false;
        }
        LOG.debug("Parameter value [{}] was not accepted!", str);
        return false;
    }

    private boolean hasParamValuesToExclude() {
        return (this.excludedValuePatterns == null || this.excludedValuePatterns.isEmpty()) ? false : true;
    }

    private boolean hasParamValuesToAccept() {
        return (this.acceptedValuePatterns == null || this.acceptedValuePatterns.isEmpty()) ? false : true;
    }

    public boolean isOrdered() {
        return this.ordered;
    }

    public void setOrdered(boolean z) {
        this.ordered = z;
    }

    public void setAcceptParamNames(String str) {
        this.acceptedPatterns.setAcceptedPatterns(str);
    }

    public void setExcludeParams(String str) {
        this.excludedPatterns.setExcludedPatterns(str);
    }

    public void setAcceptedValuePatterns(String str) {
        Set<String> commaDelimitedStringToSet = TextParseUtil.commaDelimitedStringToSet(str);
        if (this.acceptedValuePatterns == null) {
            LOG.debug("Sets accepted value patterns to [{}], note this may impact the safety of your application!", commaDelimitedStringToSet);
        } else {
            LOG.warn("Replacing accepted patterns [{}] with [{}], be aware that this may impact safety of your application!", this.acceptedValuePatterns, commaDelimitedStringToSet);
        }
        this.acceptedValuePatterns = new HashSet(commaDelimitedStringToSet.size());
        try {
            Iterator<String> it = commaDelimitedStringToSet.iterator();
            while (it.hasNext()) {
                this.acceptedValuePatterns.add(Pattern.compile(it.next(), 2));
            }
        } finally {
            this.acceptedValuePatterns = Collections.unmodifiableSet(this.acceptedValuePatterns);
        }
    }

    public void setExcludedValuePatterns(String str) {
        Set<String> commaDelimitedStringToSet = TextParseUtil.commaDelimitedStringToSet(str);
        if (this.excludedValuePatterns == null) {
            LOG.debug("Setting excluded value patterns to [{}]", commaDelimitedStringToSet);
        } else {
            LOG.warn("Replacing excluded value patterns [{}] with [{}], be aware that this may impact safety of your application!", this.excludedValuePatterns, commaDelimitedStringToSet);
        }
        this.excludedValuePatterns = new HashSet(commaDelimitedStringToSet.size());
        try {
            Iterator<String> it = commaDelimitedStringToSet.iterator();
            while (it.hasNext()) {
                this.excludedValuePatterns.add(Pattern.compile(it.next(), 2));
            }
        } finally {
            this.excludedValuePatterns = Collections.unmodifiableSet(this.excludedValuePatterns);
        }
    }
}
