package org.apache.solr.client.solrj.io.stream.expr;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.hadoop.hdfs.web.resources.OffsetParam;
import org.jline.reader.impl.LineReaderImpl;

/* loaded from: input_file:WEB-INF/lib/solr-solrj-8.11.2.jar:org/apache/solr/client/solrj/io/stream/expr/InjectionDefense.class */
public class InjectionDefense {
    private static final Pattern STRING_PARAM = Pattern.compile("\\?\\$\\?");
    private static final Pattern NUMBER_PARAM = Pattern.compile("\\?#\\?");
    private static final Pattern EXPRESSION_PARAM = Pattern.compile("\\?\\(\\d+\\)\\?");
    private static final Pattern EXPRESSION_COUNT = Pattern.compile("\\d+");
    private static final Pattern ANY_PARAM = Pattern.compile("\\?(?:[$#]|(?:\\(\\d+\\)))\\?");
    private static final Pattern INT_OR_FLOAT = Pattern.compile("-?\\d+(?:\\.\\d+)?");
    private String exprString;
    private int expressionCount;
    private List<String> params = new ArrayList();

    public InjectionDefense(String str) {
        this.exprString = str;
        checkExpression(str);
    }

    public static String stripComments(String str) {
        return StreamExpressionParser.stripComments(str);
    }

    public void addParameter(String str) {
        this.params.add(str);
    }

    public StreamExpression safeExpression() {
        StreamExpression parse = StreamExpressionParser.parse(buildExpression());
        int countExpressions = countExpressions(parse);
        if (countExpressions != this.expressionCount) {
            throw new InjectedExpressionException("Expected Expression count (" + this.expressionCount + ") does not match actual final expression count (" + countExpressions + ")! (possible injection attack?)");
        }
        return parse;
    }

    public String safeExpressionString() {
        String buildExpression = buildExpression();
        if (countExpressions(StreamExpressionParser.parse(buildExpression)) != this.expressionCount) {
            throw new InjectedExpressionException("Expected Expression count does not match Actual final expression count! (possible injection attack?)");
        }
        return buildExpression;
    }

    String buildExpression() {
        Matcher matcher = ANY_PARAM.matcher(this.exprString);
        StringBuffer stringBuffer = new StringBuffer();
        int i = 0;
        while (matcher.find()) {
            String group = matcher.group();
            int i2 = i;
            i++;
            String str = this.params.get(i2);
            if (group.contains(LineReaderImpl.DEFAULT_COMMENT_BEGIN) && !INT_OR_FLOAT.matcher(str).matches()) {
                throw new NumberFormatException("Argument " + i + " (" + str + ") is not numeric!");
            }
            matcher.appendReplacement(stringBuffer, str);
        }
        matcher.appendTail(stringBuffer);
        String trim = stringBuffer.toString().trim();
        if (trim.equals(stripComments(trim).trim())) {
            return stringBuffer.toString().trim();
        }
        throw new IllegalStateException("Comments are not allowed in prepared expressions for security reasons please pre-process stripComments() first. If there were no comments, then they have been injected by a parameter value.");
    }

    private void checkExpression(String str) {
        Matcher matcher = EXPRESSION_PARAM.matcher(NUMBER_PARAM.matcher(STRING_PARAM.matcher(str).replaceAll("foo")).replaceAll(OffsetParam.DEFAULT));
        StringBuffer stringBuffer = new StringBuffer();
        while (matcher.find()) {
            Matcher matcher2 = EXPRESSION_COUNT.matcher(matcher.group());
            matcher.appendReplacement(stringBuffer, "noop()");
            if (matcher2.find()) {
                Integer valueOf = Integer.valueOf(matcher2.group());
                if (valueOf.intValue() < 1) {
                    throw new IllegalStateException("Expression Param must contribute at least 1 expression! ?(1)? is the minimum allowed ");
                }
                this.expressionCount += valueOf.intValue() - 1;
            }
        }
        matcher.appendTail(stringBuffer);
        String stringBuffer2 = stringBuffer.toString();
        StreamExpression parse = StreamExpressionParser.parse(stringBuffer2);
        if (parse == null) {
            throw new IllegalStateException("Invalid expression (parse returned null):" + stringBuffer2);
        }
        this.expressionCount += countExpressions(parse);
    }

    private int countExpressions(StreamExpression streamExpression) {
        int i = 0;
        ArrayList arrayList = new ArrayList();
        arrayList.add(streamExpression);
        while (arrayList.size() > 0) {
            StreamExpressionParameter streamExpressionParameter = (StreamExpressionParameter) arrayList.remove(0);
            if (streamExpressionParameter instanceof StreamExpressionNamedParameter) {
                streamExpressionParameter = ((StreamExpressionNamedParameter) streamExpressionParameter).getParameter();
            }
            if (streamExpressionParameter instanceof StreamExpression) {
                i++;
                Iterator<StreamExpressionParameter> it = ((StreamExpression) streamExpressionParameter).getParameters().iterator();
                while (it.hasNext()) {
                    StreamExpressionParameter next = it.next();
                    if (next instanceof StreamExpressionNamedParameter) {
                        next = ((StreamExpressionNamedParameter) next).getParameter();
                    }
                    if (next instanceof StreamExpression) {
                        arrayList.add(next);
                    }
                }
            }
        }
        return i;
    }
}
