package com.contrastsecurity.agent.plugins.protect.rules.jndiinjection;

import com.contrastsecurity.agent.commons.Throwables;
import com.contrastsecurity.agent.plugins.protect.AttackBlockedException;
import com.contrastsecurity.agent.plugins.protect.ProtectManager;
import com.contrastsecurity.agent.t;
import com.contrastsecurity.agent.util.L;
import com.contrastsecurity.thirdparty.com.contrastsecurity.secobs.semconv.ContrastSemanticAttributes;
import com.contrastsecurity.thirdparty.com.rabbitmq.client.ConnectionFactory;
import com.contrastsecurity.thirdparty.javax.inject.Inject;
import com.contrastsecurity.thirdparty.javax.inject.Singleton;
import com.contrastsecurity.thirdparty.org.apache.commons.lang.StringUtils;
import com.contrastsecurity.thirdparty.org.apache.logging.log4j.message.ParameterizedMessage;
import com.contrastsecurity.thirdparty.org.slf4j.Logger;
import com.contrastsecurity.thirdparty.org.slf4j.LoggerFactory;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/* compiled from: ContrastJndiInjectionDispatcherImpl.java */
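/**
 * Dispatcher for the JNDI-injection Protect rule (decompiled, obfuscated names).
 *
 * <p>{@link #onLookup(String, Object)} receives a lookup name and the provider the context was
 * configured with. A lookup is waved through when it is blank, relative, not parseable as a URI,
 * uses a scheme outside {@link #c}, or shares an origin with the configured provider URI. Anything
 * else is handed to the {@code h} collaborator, whose answer decides whether an
 * {@link AttackBlockedException} is thrown.
 *
 * <p>NOTE(review): this listing is decompiler output. {@code onLookup} does not compile as shown
 * and several constants were mapped to unrelated classes with (presumably) the same value; verify
 * against the original bytecode before relying on details.
 */
@Singleton
/* loaded from: input_file:com/contrastsecurity/agent/plugins/protect/rules/jndiinjection/a.class */
final class a implements ContrastJndiInjectionDispatcher {
    // Supplies the current context on which sink-analysis timing is started.
    private final ProtectManager a;
    // Consulted only for lookups that were not classified as safe; its boolean result triggers blocking.
    private final h b;
    // URI schemes that are subject to the origin check; every other scheme is treated as safe.
    // The LDAP constant is presumably "ldap" (decompiler substituted a constant reference) - verify.
    private static final String[] c = {"rmi", ContrastSemanticAttributes.ContrastAuthenticationProtocolValues.LDAP, "dns", "iiop", "corbaname", "iiopname", "corbaloc", "ior", "t3", "t3s", "ormi", "http", "https", "ftp", "ftps"};
    // Applied to the scheme-specific part of opaque URIs; group 3 is the host (or comma-separated host list).
    private static final Pattern d = Pattern.compile("((?i)rir|iiop)?:?(\\d\\.\\d@)?(.+?)(:\\d+)?(/.*)?\\Z");
    private static final Logger e = LoggerFactory.getLogger((Class<?>) a.class);

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the dispatcher with its injected collaborators.
     *
     * @param protectManager source of the current context used for timing
     * @param hVar collaborator asked about lookups that are not classified as safe
     */
    @Inject
    public a(ProtectManager protectManager, h hVar) {
        this.a = protectManager;
        this.b = hVar;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v20, types: [java.lang.Throwable, com.contrastsecurity.agent.plugins.protect.AttackBlockedException] */
    /* JADX WARN: Type inference failed for: r0v4, types: [com.contrastsecurity.agent.plugins.m] */
    /* JADX WARN: Type inference failed for: r0v5 */
    /* JADX WARN: Type inference failed for: r0v6 */
    /* JADX WARN: Type inference failed for: r0v7 */
    /* JADX WARN: Type inference failed for: r0v9, types: [com.contrastsecurity.agent.plugins.m] */
    /**
     * Checks a JNDI lookup and blocks it when it is neither safe nor accepted by the rule.
     *
     * <p>Timing for {@code SINK_ANALYSIS} is started first and closed on every path. When
     * {@link #a(String, Object)} reports the lookup as safe nothing else happens. Otherwise
     * {@code this.b.a(str, obj)} is consulted and a {@code true} result raises the exception.
     *
     * <p>NOTE(review): the decompiler merged the timing handle and the thrown exception into one
     * untyped register ({@code ??}), so this body is not valid Java. The shape (close on success,
     * close plus {@code addSuppressed} on failure) looks like a resource block around the timing
     * handle - confirm against the bytecode.
     *
     * @param str the lookup name
     * @param obj the provider the context was configured with (a provider URI string when constrained)
     * @throws AttackBlockedException when the lookup is not safe and {@code this.b} returns {@code true}
     */
    @Override // java.lang.ContrastJndiInjectionDispatcher
    public void onLookup(String str, Object obj) {
        ?? startAspectTiming = this.a.currentContext().startAspectTiming(com.contrastsecurity.agent.telemetry.metrics.a.c.SINK_ANALYSIS);
        try {
            if (a(str, obj)) {
                if (startAspectTiming != 0) {
                    startAspectTiming.close();
                }
            } else {
                if (this.b.a(str, obj)) {
                    startAspectTiming = new AttackBlockedException("Detected an unauthorized JNDI lookup.");
                    throw startAspectTiming;
                }
                if (startAspectTiming != 0) {
                    startAspectTiming.close();
                }
            }
        } catch (Throwable th) {
            Throwables.throwIfCritical(th);
            Throwable th2 = startAspectTiming;
            Throwable th3 = startAspectTiming;
            if (th3 != 0) {
                try {
                    th3 = startAspectTiming;
                    th3.close();
                } catch (Throwable th4) {
                    Throwables.throwIfCritical(th4);
                    th2.addSuppressed(th3);
                }
            }
            throw th2;
        }
    }

    /**
     * Splits a comma-separated host list and strips one leading separator from each entry.
     *
     * @param str host list taken from group 3 of {@link #d}, may be {@code null}
     * @return the entries, {@code null} for {@code null} input; may be empty (e.g. for {@code ","})
     */
    private static String[] a(String str) {
        if (str == null) {
            return null;
        }
        String[] split = str.split(",");
        for (int i = 0; i < split.length; i++) {
            // ERROR_MSG_SEPARATOR is presumably ":" (decompiler constant substitution) - verify.
            if (split[i].startsWith(ParameterizedMessage.ERROR_MSG_SEPARATOR)) {
                split[i] = split[i].substring(1);
            }
        }
        return split;
    }

    /**
     * Decides whether a lookup can be treated as safe without consulting the rule.
     *
     * @param str the lookup name
     * @param obj the configured provider; only a {@code String} provider URI allows an origin check
     * @return {@code true} when the lookup is blank, not a valid URI, relative, uses a scheme
     *     outside {@link #c}, or shares an origin with the provider URI; {@code false} otherwise
     */
    boolean a(String str, Object obj) {
        if (StringUtils.isBlank(str)) {
            e.debug("InitialContext lookup is safe, because lookup is blank.");
            return true;
        }
        try {
            URI uri = new URI(str);
            if (a(uri)) {
                e.debug("InitialContext lookup is safe, because lookup {} is relative. Provider: {}", str, obj);
                return true;
            }
            // L.b is not visible here; presumably a membership test. URI schemes are
            // case-insensitive, so confirm that the helper compares case-insensitively.
            if (!L.b(uri.getScheme(), c)) {
                return true;
            }
            if (!(obj instanceof String)) {
                e.debug("lookupURI {} detected in unconstrained InitialContext", str);
                return false;
            }
            try {
                URI uri2 = new URI((String) obj);
                if (a(uri2, uri)) {
                    return true;
                }
                e.debug("Dynamic protocol switching detected in InitialContext. Lookup {} does not share an origin with configured providerURI {}", str, uri2);
                return false;
            } catch (URISyntaxException e2) {
                e.debug("{} should always be a URI", obj, e2);
                return false;
            }
        } catch (URISyntaxException e3) {
            // NOTE(review): this branch fails open. It is only sound if every string that
            // java.net.URI rejects is also rejected by the URL context that would serve the
            // lookup; confirm that the two parsers agree.
            e.debug("InitialContext lookup is safe, because {} is not a valid URI", str);
            return true;
        }
    }

    /**
     * Reports whether a URI is relative, i.e. carries no scheme.
     *
     * @param uri the parsed lookup
     * @return {@code true} when {@code uri.getScheme()} is {@code null}
     */
    @t
    static boolean a(URI uri) {
        return uri.getScheme() == null;
    }

    /**
     * Same-origin check, dispatching on whether the lookup URI is opaque.
     *
     * @param uri the configured provider URI
     * @param uri2 the lookup URI
     * @return result of {@link #c(URI, URI)} for opaque lookups, of {@link #b(URI, URI)} otherwise
     */
    @t
    static boolean a(URI uri, URI uri2) {
        return uri2.isOpaque() ? c(uri, uri2) : b(uri, uri2);
    }

    /**
     * Same-origin check for hierarchical lookups: scheme, host and port must match.
     *
     * @param uri the configured provider URI
     * @param uri2 the lookup URI
     * @return {@code false} when the lookup has a non-blank fragment or the origins differ
     */
    static boolean b(URI uri, URI uri2) {
        if (!StringUtils.isBlank(uri2.getFragment())) {
            e.debug("Lookup URI contained a fragment which is unsafe: {}, provider: {}", uri2, uri);
            return false;
        }
        if (!StringUtils.equalsIgnoreCase(uri.getScheme(), uri2.getScheme())
                || !StringUtils.equalsIgnoreCase(uri.getHost(), uri2.getHost())
                || uri.getPort() != uri2.getPort()) {
            return false;
        }
        // java.net.URI reports host == null and port == -1 for an authority it cannot parse as
        // host[:port]. Two such URIs would pass the comparison above with nothing actually
        // compared, so fall back to the raw authority in that case.
        return uri.getHost() != null
                || StringUtils.equalsIgnoreCase(uri.getAuthority(), uri2.getAuthority());
    }

    /**
     * Same-origin check for opaque lookups (no {@code //authority} part).
     *
     * <p>Schemes must match. {@code IOR} lookups must equal the provider's scheme-specific part.
     * Otherwise hosts are extracted with {@link #d}: the lookup must name exactly one host, which
     * either starts with the path separator or equals one of the provider's hosts.
     *
     * @param uri the configured provider URI
     * @param uri2 the lookup URI
     * @return {@code true} when the lookup stays on the provider's origin
     */
    static boolean c(URI uri, URI uri2) {
        if (!StringUtils.equalsIgnoreCase(uri.getScheme(), uri2.getScheme())) {
            return false;
        }
        if ("IOR".equalsIgnoreCase(uri2.getScheme())) {
            return Objects.equals(uri2.getSchemeSpecificPart(), uri.getSchemeSpecificPart());
        }
        Matcher providerMatcher = d.matcher(uri.getSchemeSpecificPart());
        if (!providerMatcher.matches()) {
            return false;
        }
        String[] providerHosts = a(providerMatcher.group(3));
        // String.split drops trailing empty entries, so a host list such as "," yields an empty
        // array; treat that as "no host" instead of failing on index 0.
        if (providerHosts == null || providerHosts.length == 0 || StringUtils.isBlank(providerHosts[0])) {
            return false;
        }
        Matcher lookupMatcher = d.matcher(uri2.getSchemeSpecificPart());
        if (!lookupMatcher.matches()) {
            return Objects.equals(uri.getSchemeSpecificPart(), uri2.getSchemeSpecificPart());
        }
        String[] lookupHosts = a(lookupMatcher.group(3));
        if (lookupHosts == null || lookupHosts.length != 1 || StringUtils.isBlank(lookupHosts[0])) {
            return false;
        }
        // DEFAULT_VHOST is "/" in the RabbitMQ client; the decompiler most likely substituted it
        // for a plain "/" literal - verify. A host part that starts with it names no remote host.
        if (lookupHosts[0].startsWith(ConnectionFactory.DEFAULT_VHOST)) {
            return true;
        }
        for (String providerHost : providerHosts) {
            if (StringUtils.equalsIgnoreCase(providerHost, lookupHosts[0])) {
                return true;
            }
        }
        return false;
    }
}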
