package top.ibase4j.core.filter;

import com.alibaba.fastjson.JSON;
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import top.ibase4j.core.util.DataUtil;
import top.ibase4j.core.util.FileUtil;
import top.ibase4j.core.util.WebUtil;

/* loaded from: input_file:top/ibase4j/core/filter/XssFilter.class */
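/**
 * Servlet filter that inspects request parameters for injection patterns
 * ({@link DataUtil#checkSQLInject(String)}) and short-circuits the request with a
 * JSON error body when one is found.
 *
 * <p>Despite its name, the filter does not rewrite the request: the value produced by
 * {@link DataUtil#xssEncode(String)} is only fed into the check and is never handed to
 * downstream code. Sanitising what the application actually reads would require a
 * request wrapper, which this class does not provide.
 *
 * <p>URLs listed in {@code white/xssWhite.txt} (resolved below the classpath root) are
 * exempt from inspection. Parameters named {@code sign} and parameters whose name
 * contains {@code password} are never inspected.
 */
public class XssFilter implements Filter {
    /** Whitelist file, relative to the classpath root, of URLs that are not inspected. */
    private static final String WHITE_LIST_FILE = "white/xssWhite.txt";
    /** Name of the request-signature parameter; it is opaque data and is never inspected. */
    private static final String SIGN_PARAM = "sign";
    /** Parameters whose lower-cased name contains this token are neither inspected nor logged in clear. */
    private static final String PASSWORD_TOKEN = "password";
    /** Value substituted for password-like parameters in the request log line. */
    private static final String REDACTED = "***";

    private final Logger logger = LogManager.getLogger();
    /** URLs exempt from inspection; populated from {@link #WHITE_LIST_FILE} in {@link #init}. */
    private List<String> excludeUrls = new ArrayList<>();
    /**
     * URI fragments for which values are XSS-encoded before the injection check.
     * NOTE(review): nothing in this class ever adds to this list, so the encoding branch in
     * {@link #doFilter} is currently unreachable; it is kept so the behaviour can be enabled
     * by loading the list from configuration.
     */
    private final List<String> noticeUrls = new ArrayList<>();

    /**
     * Loads the URL whitelist from {@link #WHITE_LIST_FILE}.
     *
     * @param filterConfig the container-supplied configuration (unused)
     * @throws ServletException if the classpath root cannot be located, so the
     *         whitelist path cannot be built
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        logger.info("init XssFilter..");
        // getResource("/").getFile() only yields a filesystem path for an exploded (non-jar)
        // deployment — TODO confirm this matches how the application is packaged.
        URL classpathRoot = XssFilter.class.getResource("/");
        if (classpathRoot == null) {
            throw new ServletException("XssFilter: cannot locate the classpath root to load " + WHITE_LIST_FILE);
        }
        String path = classpathRoot.getFile() + WHITE_LIST_FILE;
        List<String> loaded = FileUtil.readFile(path);
        // A missing or unreadable whitelist must not become an NPE on the first request;
        // with an empty list every URL is inspected, which is the safe default.
        excludeUrls = loaded == null ? new ArrayList<>() : loaded;
        logger.info("XssFilter loaded {} whitelisted url(s) from {}", excludeUrls.size(), path);
    }

    /**
     * Inspects every string parameter of the request and either forwards the request down
     * the chain or writes the error body produced by {@link #errorResponse} and stops.
     *
     * @param servletRequest  the request; must be an {@link HttpServletRequest}
     * @param servletResponse the response; must be an {@link HttpServletResponse}
     * @param filterChain     the remaining chain
     * @throws IOException      if writing the response fails
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String pathInfo = request.getPathInfo();
        String path = request.getServletPath() + (pathInfo == null ? "" : pathInfo);
        String requestUri = request.getRequestURI();

        // The exact matching semantics (prefix, glob, exact) live in WebUtil.isWhiteRequest — not visible here.
        if (WebUtil.isWhiteRequest(requestUri, excludeUrls.size(), excludeUrls)) {
            logger.info("该URL不作校验：" + path);
            filterChain.doFilter(request, response);
            return;
        }
        boolean encodeBeforeCheck = isNoticeUrl(requestUri);
        logger.info("doFilter===>{}", path);

        Map<String, Object> rawParameters = WebUtil.getParameterMap(request);
        Map<String, Object> parameterMap = rawParameters == null ? Collections.emptyMap() : rawParameters;
        // Password-like values are masked before the map is serialised into the log.
        logger.info("request parameters===>{}", JSON.toJSONString(redactSensitive(parameterMap)));

        for (Map.Entry<String, Object> entry : parameterMap.entrySet()) {
            String name = entry.getKey();
            if (SIGN_PARAM.equals(name)) {
                logger.info("跳过签名字段");
                continue;
            }
            if (isPasswordParam(name)) {
                continue;
            }
            for (String value : stringValues(entry.getValue())) {
                // The encoded form is used only for the check; the request itself is not modified.
                String candidate = encodeBeforeCheck ? DataUtil.xssEncode(value) : value;
                if (checkSQLInject(candidate, path)) {
                    // Report the offending parameter name rather than a literal null.
                    errorResponse(response, name);
                    return;
                }
            }
        }
        filterChain.doFilter(request, response);
    }

    /**
     * Writes the rejection body {@code {"code":"309","msg":...,"fieldName":...}} and closes the writer.
     * The HTTP status is left untouched so existing clients that read {@code code} keep working.
     *
     * @param response  the response to write to
     * @param fieldName the rejected parameter's name; {@code null} is written as an empty string
     * @throws IOException if the writer cannot be obtained
     */
    private void errorResponse(HttpServletResponse response, String fieldName) throws IOException {
        // fieldName is taken from the request, so it is serialised through the JSON encoder
        // rather than concatenated into the document, and the body is declared as JSON.
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("code", "309");
        body.put("msg", "输入项中不能包含非法字符。");
        body.put("fieldName", fieldName == null ? "" : fieldName);
        response.setContentType("application/json; charset=UTF-8");
        try (PrintWriter writer = response.getWriter()) {
            writer.println(JSON.toJSONString(body));
            writer.flush();
        }
    }

    /** Logs shutdown; the filter holds no resources that need releasing. */
    @Override
    public void destroy() {
        logger.info("destroy XssFilter.");
    }

    /**
     * Returns {@code true} and logs the interception when {@code value} is non-empty and
     * {@link DataUtil#checkSQLInject(String)} flags it.
     *
     * @param value the (possibly encoded) parameter value
     * @param path  the request path, for the log line only
     * @return whether the request must be rejected
     */
    private boolean checkSQLInject(String value, String path) {
        if (StringUtils.isEmpty(value) || !DataUtil.checkSQLInject(value)) {
            return false;
        }
        // CR/LF are removed from the untrusted value so it cannot forge extra log lines.
        String loggable = value.replace('\r', ' ').replace('\n', ' ');
        logger.info("xss防攻击拦截url:" + path + "，原因：特殊字符，传入str=" + loggable);
        return true;
    }

    /** Whether the request URI contains any configured notice-URL fragment. */
    private boolean isNoticeUrl(String requestUri) {
        for (String fragment : noticeUrls) {
            if (requestUri.contains(fragment)) {
                return true;
            }
        }
        return false;
    }

    /** Whether a parameter name designates a password field (case-insensitive, locale-independent). */
    private static boolean isPasswordParam(String name) {
        return name != null && name.toLowerCase(Locale.ROOT).contains(PASSWORD_TOKEN);
    }

    /**
     * The string values carried by a parameter entry: the value itself when it is a
     * {@code String}, each element when it is a {@code String[]}, nothing otherwise.
     * NOTE(review): the value types WebUtil.getParameterMap produces are not visible here;
     * the array case is handled defensively.
     */
    private static List<String> stringValues(Object value) {
        if (value instanceof String) {
            return Collections.singletonList((String) value);
        }
        if (value instanceof String[]) {
            return Arrays.asList((String[]) value);
        }
        return Collections.emptyList();
    }

    /** Shallow copy of {@code parameters} with password-like values replaced by {@link #REDACTED}. */
    private static Map<String, Object> redactSensitive(Map<String, Object> parameters) {
        Map<String, Object> redacted = new LinkedHashMap<>(parameters);
        for (Map.Entry<String, Object> entry : redacted.entrySet()) {
            if (isPasswordParam(entry.getKey())) {
                entry.setValue(REDACTED);
            }
        }
        return redacted;
    }
}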
