package com.contrastsecurity.agent.plugins.security.policy.rules.providers.internal.k;

import com.contrastsecurity.agent.apps.Application;
import com.contrastsecurity.agent.commons.Throwables;
import com.contrastsecurity.agent.plugins.security.policy.rules.providers.ApplicationAnalyzer;
import com.contrastsecurity.agent.plugins.security.policy.rules.providers.ProviderUtil;
import com.contrastsecurity.agent.plugins.security.x;
import com.contrastsecurity.agent.t;
import com.contrastsecurity.agent.util.C0493w;
import com.contrastsecurity.agent.util.P;
import com.contrastsecurity.thirdparty.javax.inject.Inject;
import com.contrastsecurity.thirdparty.net.n3.nanoxml.XMLElement;
import com.contrastsecurity.thirdparty.org.slf4j.Logger;
import com.contrastsecurity.thirdparty.org.slf4j.LoggerFactory;

/* compiled from: VerbAnalyzer.java */
/* loaded from: input_file:com/contrastsecurity/agent/plugins/security/policy/rules/providers/internal/k/a.class */
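/**
 * Application analyzer for the {@code "verb-tampering"} rule: it inspects a web.xml deployment
 * descriptor and reports one finding per {@code <security-constraint>} that names explicit
 * {@code <http-method>} elements.
 *
 * <p>Why this matters: a security constraint that lists specific HTTP methods only constrains
 * those methods. Requests using any other method are not covered by that constraint unless the
 * descriptor also declares {@code <deny-uncovered-http-methods/>}, which is why a descriptor
 * carrying that element is treated as clean here.
 *
 * <p>This class is decompiler output (the header names VerbAnalyzer.java as the original source).
 * The types {@code x}, {@code x.g}, {@code P}, {@code C0493w} and the annotation {@code t} are
 * obfuscated; their semantics are not visible from this file, so comments about them are hedged.
 */
final class a extends ApplicationAnalyzer {
    /** Identifier passed to both the reporter and {@code x.g#a} for every finding. */
    private static final String VERB_TAMPERING = "verb-tampering";
    private static final Logger LOG = LoggerFactory.getLogger(a.class);

    /** Sink for findings; see {@link #reportConstraint}. */
    private final ProviderUtil providerUtil;
    // Obfuscated collaborator obtained from x#f(); only its a(String, int) method is used here.
    // NOTE(review): its return value is passed as the fourth reportFinding argument - confirm meaning.
    private final x.g b;

    /* JADX INFO: Access modifiers changed from: package-private */
    @Inject
    public a(ProviderUtil providerUtil, x xVar) {
        this.providerUtil = providerUtil;
        this.b = xVar.f();
    }

    /**
     * Runs the verb-tampering check for a resolved application and never lets a non-critical
     * failure escape to the caller.
     *
     * <p>The decompiler's type inference failed on this method and produced a body that does not
     * compile (a {@code String} assigned to a {@code Throwable}, then compared with {@code 0}).
     * The body below is the reconstruction: a null check on {@code str}, and the caught throwable
     * passed to the warning, since it is the only {@code Throwable} in scope at that point.
     *
     * @param application the application being analyzed; its resolved file path is logged
     * @param str the descriptor handed to the XML helper, or {@code null} when there is no web.xml
     *     (presumably the web.xml text - confirm against the caller)
     */
    @Override // com.contrastsecurity.agent.plugins.security.policy.rules.providers.ApplicationAnalyzer
    public void onApplicationResolution(Application application, String str) {
        LOG.debug("Starting WEB-INF analysis for verb tampering for {}", application.getResolvedFilePath());
        try {
            if (str == null) {
                LOG.debug("No web.xml to analyze for verb tampering weakness");
                return;
            }
            a(application, str);
        } catch (Throwable caught) {
            // Critical throwables are rethrown by the helper; everything else is logged with its
            // stack trace so a malformed descriptor is diagnosable instead of silently skipped.
            Throwables.throwIfCritical(caught);
            LOG.warn("Unknown error searching web.xml looking for verb tampering vulnerabilities", caught);
        }
    }

    /**
     * Scans the descriptor and reports every security constraint that restricts by HTTP method.
     *
     * @param application the application the findings are attributed to
     * @param str the descriptor passed to {@code P.a}
     * @return {@code true} if at least one finding was reported; {@code false} when the descriptor
     *     could not be parsed, declares {@code deny-uncovered-http-methods}, or has no match
     */
    @t
    boolean a(Application application, String str) {
        XMLElement root = P.a(str);
        // An unparseable descriptor yields no findings; so does one that denies uncovered methods.
        if (root == null || P.a(root, "deny-uncovered-http-methods")) {
            return false;
        }
        int index = 0;
        boolean reported = false;
        // NOTE(review): the trailing 5 is an opaque argument of the obfuscated helper - confirm.
        for (C0493w match : P.a(str, root, "security-constraint", "http-method", 5)) {
            // NOTE(review): this is a substring test on whatever b() returns. If that is the raw
            // constraint text, a constraint that merely mentions "http-method-omission" anywhere
            // (another resource collection, a comment) is skipped too - confirm against C0493w.
            if (match.b().contains("http-method-omission")) {
                continue;
            }
            reported = true;
            // The index counts reported constraints only, starting at 0.
            reportConstraint(application, match, index++);
        }
        return reported;
    }

    /** Forwards one matched constraint to the reporter under the verb-tampering identifier. */
    private void reportConstraint(Application application, C0493w match, int index) {
        this.providerUtil.reportFinding(
                application, VERB_TAMPERING, match.b(), this.b.a(VERB_TAMPERING, index), null, false, null);
    }
}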
