package org.sonar.javascript.checks;

import org.sonar.check.Priority;
import org.sonar.check.Rule;
import org.sonar.javascript.checks.utils.CheckUtils;
import org.sonar.plugins.javascript.api.symbols.Type;
import org.sonar.plugins.javascript.api.tree.Tree;
import org.sonar.plugins.javascript.api.tree.expression.CallExpressionTree;
import org.sonar.plugins.javascript.api.tree.expression.DotMemberExpressionTree;
import org.sonar.plugins.javascript.api.tree.expression.ExpressionTree;
import org.sonar.plugins.javascript.api.visitors.DoubleDispatchVisitorCheck;
import org.sonar.squidbridge.annotations.SqaleConstantRemediation;
import org.sonar.squidbridge.annotations.SqaleSubCharacteristic;

/**
 * Rule S2819: raises an issue on calls to {@code postMessage} made on a window-like receiver,
 * so that a reviewer confirms the message is sent to the intended domain.
 *
 * <p>Limits of the detection that matter when triaging results:
 * <ul>
 *   <li>The call's arguments are never inspected. A call that passes a specific target origin
 *       is reported the same way as one that passes the wildcard {@code "*"}, so each issue
 *       still needs a manual look at the target origin argument.</li>
 *   <li>A receiver counts as window-like when its inferred types contain
 *       {@link Type.Kind#WINDOW} or when its source text contains {@code "window"} or
 *       {@code "Window"}. The text match is a plain substring test, so unrelated identifiers
 *       containing those letters match as well, and a window reference held under another
 *       name is only caught when type inference marks it as WINDOW.</li>
 *   <li>Only the sending side is covered; {@code message} event handlers that should validate
 *       the sender's origin are outside this check.</li>
 * </ul>
 */
@SqaleSubCharacteristic("SECURITY_FEATURES")
@Rule(key = "S2819", name = "Cross-document messaging domains should be carefully restricted", priority = Priority.CRITICAL, tags = {"html5", "security", Tags.OWASP_A3})
@SqaleConstantRemediation("10min")
/* loaded from: input_file:META-INF/lib/javascript-checks-2.11.jar:org/sonar/javascript/checks/PostMessageCheck.class */
public class PostMessageCheck extends DoubleDispatchVisitorCheck {
    private static final String POST_MESSAGE = "postMessage";
    private static final String MESSAGE = "Make sure this cross-domain message is being sent to the intended domain.";

    /**
     * Inspects a call expression and then continues the traversal into its children.
     *
     * <p>Only calls whose callee is a dot member expression ({@code receiver.name(...)}) are
     * examined; any other callee shape is passed straight to the superclass visitor.
     *
     * @param callExpressionTree the call expression being visited
     */
    @Override
    public void visitCallExpression(CallExpressionTree callExpressionTree) {
        Tree callee = callExpressionTree.callee();
        if (callee.is(Tree.Kind.DOT_MEMBER_EXPRESSION)) {
            reportIfWindowPostMessage((DotMemberExpressionTree) callee);
        }
        // Always descend, so nested calls in the callee or the arguments are visited too.
        super.visitCallExpression(callExpressionTree);
    }

    /**
     * Adds a line issue on the property when {@code member} reads as
     * {@code <window-like>.postMessage}.
     *
     * @param member the dot member expression used as the callee of a call
     */
    private void reportIfWindowPostMessage(DotMemberExpressionTree member) {
        ExpressionTree receiver = member.object();
        // The receiver is tested first; the property name is only read for window-like receivers.
        boolean windowLike = receiver.types().contains(Type.Kind.WINDOW) || hasWindowLikeName(receiver);
        if (!windowLike) {
            return;
        }
        if (CheckUtils.asString(member.property()).equals(POST_MESSAGE)) {
            addLineIssue(member.property(), MESSAGE);
        }
    }

    /**
     * Tells whether the textual form of an expression mentions a window.
     *
     * @param expressionTree the receiver expression of the member access
     * @return {@code true} when the text contains {@code "window"} or {@code "Window"}
     */
    private static boolean hasWindowLikeName(ExpressionTree expressionTree) {
        String text = CheckUtils.asString(expressionTree);
        if (text.contains("window")) {
            return true;
        }
        return text.contains("Window");
    }
}
