package com.contrastsecurity.agent.plugins.protect.rules.cve.spring.el;

import com.contrastsecurity.agent.apps.Application;
import com.contrastsecurity.agent.apps.ApplicationManager;
import com.contrastsecurity.agent.config.ConfigProperty;
import com.contrastsecurity.agent.context.ExecutionContext;
import com.contrastsecurity.agent.messages.app.activity.protect.AttackResult;
import com.contrastsecurity.agent.messages.app.activity.protect.details.UserInputDTM;
import com.contrastsecurity.agent.plugins.protect.C0386w;
import com.contrastsecurity.agent.plugins.protect.EnumC0388y;
import com.contrastsecurity.agent.plugins.protect.InterfaceC0327d;
import com.contrastsecurity.agent.plugins.protect.ProtectContext;
import com.contrastsecurity.agent.plugins.protect.ProtectManager;
import com.contrastsecurity.agent.plugins.protect.ProtectRuleId;
import com.contrastsecurity.agent.plugins.protect.R;
import com.contrastsecurity.agent.plugins.protect.ag;
import com.contrastsecurity.agent.plugins.protect.ah;
import com.contrastsecurity.agent.plugins.protect.rules.C;
import com.contrastsecurity.agent.plugins.protect.rules.InterfaceC0342a;
import com.contrastsecurity.agent.plugins.protect.rules.n;
import com.contrastsecurity.agent.util.L;
import com.contrastsecurity.thirdparty.javax.inject.Inject;
import com.contrastsecurity.thirdparty.javax.inject.Singleton;
import com.contrastsecurity.thirdparty.org.slf4j.Logger;
import com.contrastsecurity.thirdparty.org.slf4j.LoggerFactory;
import java.util.List;

/* compiled from: Cve_2011_2730Rule.java */
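/**
 * Protect rule for {@link ProtectRuleId#CVE_2011_2730}, as decompiled from {@code Cve_2011_2730Rule}.
 *
 * <p>The rule works in three stages, all visible in this class:
 * <ol>
 *   <li>{@link #onApplicationProfiled(Application)} scans the application's library names for a
 *       {@code spring-web} artifact whose file name ends in one of the listed version suffixes
 *       and stores the result in the application context.</li>
 *   <li>{@link #evaluateInput} flags request parameter values that contain an EL delimiter
 *       ({@code ${} or {@code %{}) together with one of the tokens in
 *       {@link #EL_ATTACK_TOKENS}.</li>
 *   <li>{@link #a(ProtectContext, String)} is called with an expression that is about to be
 *       evaluated, reports an attack for every tracked input that matches it, and returns
 *       whether the evaluation should be blocked.</li>
 * </ol>
 *
 * <p>Identifiers such as {@code C}, {@code ag}, {@code ah}, {@code L} and {@code R} are obfuscated
 * project types; comments about their behaviour below are hedged where this file does not show it.
 */
@Singleton
/* loaded from: input_file:com/contrastsecurity/agent/plugins/protect/rules/cve/spring/el/h.class */
public final class h implements InterfaceC0342a, k, n {
    /** Fragment a library name must contain to be considered; it also matches e.g. {@code spring-webmvc}. */
    private static final String LIBRARY_NAME_FRAGMENT = "spring-web";

    /**
     * Substrings that, combined with an EL delimiter, make a parameter value count as an attack
     * signature. This is a substring heuristic on the raw value; reporting only happens later,
     * when a tracked input is matched against an expression in {@link #a(ProtectContext, String)}.
     */
    private static final String[] EL_ATTACK_TOKENS = {"getClassLoader", "getClass", "newInstance", "getURL", "param.", "applicationScope."};

    /**
     * File-name suffixes of the library versions this rule treats as vulnerable.
     *
     * <p>NOTE(review): matching is case-sensitive and every suffix is lower case, so this
     * presumably relies on {@code Application.getLibraryFactNames()} returning lower-cased names
     * (upstream artifacts are published as {@code ...RELEASE.jar}) - verify against that method.
     * Renamed, shaded or repackaged jars will not match and leave the rule inactive for the app.
     *
     * <p>NOTE(review): {@code 3.0.3.release.jar} is not listed although 3.0.2 and 3.0.4 are, and
     * {@code 2.5.6.sec03.jar} is listed - confirm both against the vendor advisory for
     * CVE-2011-2730.
     */
    private static final String[] VULNERABLE_JAR_SUFFIXES = {"3.0.5.release.jar", "3.0.4.release.jar", "3.0.2.release.jar", "3.0.1.release.jar", "3.0.0.release.jar", "2.5.7.release.jar", "2.5.6.jar", "2.5.6.sec03.jar", "2.5.6.sec02.jar", "2.5.6.sec01.jar", "2.5.5.jar", "2.5.4.jar", "2.5.3.jar", "2.5.2.jar", "2.5.1.jar", "2.5.0.jar"};

    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) h.class);

    private final ApplicationManager applicationManager;
    /** Sink used to report a detected attack (see {@link #reportAttack}). */
    private final InterfaceC0327d attackReporter;
    private final ProtectManager protectManager;
    /** Application-context key under which the library scan result is stored. */
    private final ExecutionContext.b<C> libraryStateKey = ExecutionContext.b.a(C.class);
    /** Rule mode, built from {@link ConfigProperty#PROTECT_CVE_2011_2730_MODE}. */
    private final R ruleMode;

    /**
     * Creates the rule with its injected collaborators.
     *
     * @param applicationManager source of the current {@link Application}
     * @param interfaceC0327d sink that receives attack reports
     * @param protectManager consulted to decide whether this rule may block
     * @param eVar agent configuration the rule mode is read from
     */
    @Inject
    public h(ApplicationManager applicationManager, InterfaceC0327d interfaceC0327d, ProtectManager protectManager, com.contrastsecurity.agent.config.e eVar) {
        this.applicationManager = applicationManager;
        this.attackReporter = interfaceC0327d;
        this.protectManager = protectManager;
        this.ruleMode = new C0386w(eVar, ConfigProperty.PROTECT_CVE_2011_2730_MODE);
    }

    /** @return the identifier of this rule, {@link ProtectRuleId#CVE_2011_2730} */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.s
    public ProtectRuleId getRuleId() {
        return ProtectRuleId.CVE_2011_2730;
    }

    /** @return the configured mode object for this rule */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.s
    public R getProtectRuleMode() {
        return this.ruleMode;
    }

    /**
     * Checks one user input value against the EL attack signature.
     *
     * @param inputType type of the input (not used here; see {@link #appliesToInputType})
     * @param str not used by this rule
     * @param str2 the input value that is inspected
     * @param str3 not used by this rule
     * @param i2 flag word passed to {@code ag.a(i2, 4)}; presumably a bit set of exclusions - TODO confirm
     * @return a {@code MATCHED_ATTACK_SIGNATURE} result, or {@code null} when the value is absent,
     *     excluded, at most 8 characters long, or does not match
     */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.n
    public com.contrastsecurity.agent.plugins.protect.C evaluateInput(UserInputDTM.InputType inputType, String str, String str2, String str3, int i2) {
        if (str2 == null || ag.a(i2, 4) || str2.length() <= 8) {
            return null;
        }
        boolean hasElDelimiter = str2.contains("${") || str2.contains("%{");
        // L.a is opaque here; presumably it reports whether the value contains any of the tokens.
        if (hasElDelimiter && L.a(str2, EL_ATTACK_TOKENS)) {
            return new com.contrastsecurity.agent.plugins.protect.C(EnumC0388y.MATCHED_ATTACK_SIGNATURE);
        }
        return null;
    }

    /**
     * @param inputType the type of a user input
     * @return {@code true} only for {@code PARAMETER_VALUE}; other input types are not inspected
     */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.n
    public boolean appliesToInputType(UserInputDTM.InputType inputType) {
        return UserInputDTM.InputType.PARAMETER_VALUE == inputType;
    }

    /**
     * Scans the application's libraries and stores the result in its context.
     *
     * @param application the application that has just been profiled
     */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.InterfaceC0342a
    public void onApplicationProfiled(Application application) {
        application.context().put(this.libraryStateKey, detectVulnerableLibrary(application));
    }

    /**
     * Looks for the first library name that contains {@link #LIBRARY_NAME_FRAGMENT} and ends with
     * one of {@link #VULNERABLE_JAR_SUFFIXES}.
     *
     * @return {@code C.a(name, suffix)} for the first match, otherwise {@code C.d()}
     */
    private C detectVulnerableLibrary(Application application) {
        for (String libraryName : application.getLibraryFactNames()) {
            if (libraryName == null || !libraryName.contains(LIBRARY_NAME_FRAGMENT)) {
                continue;
            }
            for (String suffix : VULNERABLE_JAR_SUFFIXES) {
                if (libraryName.endsWith(suffix)) {
                    return C.a(libraryName, suffix);
                }
            }
        }
        return C.d();
    }

    /**
     * Decides whether an expression that is about to be evaluated must be blocked.
     *
     * <p>Every tracked input of this rule for which {@code ah.b(str)} returns a value and
     * {@code ah.c()} is true is reported; the attack is reported as blocked once
     * {@link ProtectManager#canBlock} has returned true for this rule.
     *
     * @param protectContext request context holding the inputs tracked for this rule
     * @param str the expression about to be evaluated
     * @return {@code true} if a matching input was found and this rule is allowed to block
     */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.cve.spring.el.k
    public boolean a(ProtectContext protectContext, String str) {
        // The expression can embed request data. NOTE(review): confirm the debug log sink
        // neutralises CR/LF and is not shipped anywhere less trusted than the agent log.
        LOG.debug("EL detected in impending evaluation: {}", str);
        Application current = this.applicationManager.current();
        if (current == null) {
            LOG.trace("No app currently, exiting");
            return false;
        }
        if (!appliesToApplication(current)) {
            // Previously this branch logged "No app currently", which hid the real reason.
            LOG.trace("No vulnerable spring-web library detected for current app, exiting");
            return false;
        }
        List<ah> inputs = protectContext.getInputs(ProtectRuleId.CVE_2011_2730);
        if (inputs == null) {
            return false;
        }
        boolean block = false;
        for (ah trackedInput : inputs) {
            // ah.b is opaque here; presumably it returns the user input when it matches the expression.
            UserInputDTM matched = trackedInput.b(str);
            if (trackedInput.c() && matched != null) {
                block = block || this.protectManager.canBlock(this);
                reportAttack(matched, str, block);
            }
        }
        return block;
    }

    /**
     * Reports one attack for the current application.
     *
     * @param userInputDTM the user input that matched the expression
     * @param str the expression about to be evaluated
     * @param z {@code true} to report {@code BLOCKED}, {@code false} to report {@code EXPLOITED}
     * @throws IllegalStateException if the current application has no vulnerable-library record;
     *     the only caller checks {@link #appliesToApplication} first, so this guards an invariant
     */
    private void reportAttack(UserInputDTM userInputDTM, String str, boolean z) {
        Application current = this.applicationManager.current();
        if (current == null) {
            return;
        }
        C libraryState = (C) current.context().get(this.libraryStateKey);
        if (libraryState == null || !libraryState.a()) {
            throw new IllegalStateException("Attempting to report a vulnerability for " + ProtectRuleId.CVE_2011_2730.id() + " but no vulnerable library detected");
        }
        AttackResult result = z ? AttackResult.BLOCKED : AttackResult.EXPLOITED;
        // The (ProtectRuleId) cast is left exactly as the decompiler emitted it.
        this.attackReporter.a(ProtectRuleId.CVE_2011_2730, (ProtectRuleId) new ElInjectionDetailsDTM(str, libraryState.c(), libraryState.b()), userInputDTM, result);
    }

    /**
     * @param application the application to check; may be {@code null}
     * @return {@code true} only when the application's context holds a scan result whose
     *     {@code a()} is true, i.e. a vulnerable library was recorded for it
     */
    @Override // com.contrastsecurity.agent.plugins.protect.rules.n
    public boolean appliesToApplication(Application application) {
        if (application == null) {
            return false;
        }
        C libraryState = (C) application.context().get(this.libraryStateKey);
        return libraryState != null && libraryState.a();
    }
}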
