package org.openrewrite.java.security.marshalling;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;
import java.util.Stack;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.stream.Stream;
import org.openrewrite.Cursor;
import org.openrewrite.ExecutionContext;
import org.openrewrite.Recipe;
import org.openrewrite.TreeVisitor;
import org.openrewrite.internal.lang.Nullable;
import org.openrewrite.java.JavaIsoVisitor;
import org.openrewrite.java.JavaParser;
import org.openrewrite.java.JavaTemplate;
import org.openrewrite.java.JavaVisitor;
import org.openrewrite.java.MethodMatcher;
import org.openrewrite.java.tree.J;
import org.openrewrite.java.tree.JavaType;
import org.openrewrite.java.tree.TypeUtils;

/* loaded from: input_file:org/openrewrite/java/security/marshalling/SecureSnakeYamlConstructor.class */
public class SecureSnakeYamlConstructor extends Recipe {
    private static final MethodMatcher snakeYamlZeroArgumentConstructor = new MethodMatcher("org.yaml.snakeyaml.Yaml <constructor>()", true);
    private static final MethodMatcher snakeYamlRepresenterArgumentConstructor = new MethodMatcher("org.yaml.snakeyaml.Yaml <constructor>(org.yaml.snakeyaml.representer.Representer)", true);
    private static final MethodMatcher snakeYamlDumperArgumentConstructor = new MethodMatcher("org.yaml.snakeyaml.Yaml <constructor>(org.yaml.snakeyaml.DumperOptions)", true);

    public String getDisplayName() {
        return "Secure the use of SnakeYAML's constructor";
    }

    public String getDescription() {
        return "See the [paper](https://github.com/mbechler/marshalsec) on this subject.";
    }

    public Set<String> getTags() {
        return new HashSet(Arrays.asList("CWE-502", "CWE-94"));
    }

    public TreeVisitor<?, ExecutionContext> getVisitor() {
        return new JavaVisitor<ExecutionContext>() { // from class: org.openrewrite.java.security.marshalling.SecureSnakeYamlConstructor.1
            static final /* synthetic */ boolean $assertionsDisabled;

            public J visitMemberReference(J.MemberReference memberReference, ExecutionContext executionContext) {
                if (!SecureSnakeYamlConstructor.snakeYamlZeroArgumentConstructor.matches(memberReference.getMethodType())) {
                    return super.visitMemberReference(memberReference, executionContext);
                }
                maybeAddImport("org.yaml.snakeyaml.constructor.SafeConstructor");
                return JavaTemplate.builder("() -> new Yaml(new SafeConstructor())").imports(new String[]{"org.yaml.snakeyaml.Yaml"}).imports(new String[]{"org.yaml.snakeyaml.constructor.SafeConstructor"}).javaParser(JavaParser.fromJavaVersion().classpathFromResources(executionContext, new String[]{"snakeyaml-1.33"})).build().apply(getCursor(), memberReference.getCoordinates().replace(), new Object[0]);
            }

            public J visitNewClass(J.NewClass newClass, ExecutionContext executionContext) {
                Cursor outerMostExecutableBlock = SecureSnakeYamlConstructor.getOuterMostExecutableBlock(getCursor());
                if (outerMostExecutableBlock != null && !SecureSnakeYamlConstructor.isSnakeYamlUsedUnsafeOrEscapesScope(outerMostExecutableBlock)) {
                    return newClass;
                }
                if (SecureSnakeYamlConstructor.snakeYamlZeroArgumentConstructor.matches(newClass)) {
                    JavaType.Method constructorType = newClass.getConstructorType();
                    if (!$assertionsDisabled && constructorType == null) {
                        throw new AssertionError();
                    }
                    maybeAddImport("org.yaml.snakeyaml.constructor.SafeConstructor");
                    return JavaTemplate.builder("new Yaml(new SafeConstructor())").imports(new String[]{"org.yaml.snakeyaml.Yaml"}).imports(new String[]{"org.yaml.snakeyaml.constructor.SafeConstructor"}).javaParser(JavaParser.fromJavaVersion().classpathFromResources(executionContext, new String[]{"snakeyaml-1.33"})).build().apply(getCursor(), newClass.getCoordinates().replace(), new Object[0]);
                }
                if (SecureSnakeYamlConstructor.snakeYamlRepresenterArgumentConstructor.matches(newClass)) {
                    JavaType.Method constructorType2 = newClass.getConstructorType();
                    if (!$assertionsDisabled && constructorType2 == null) {
                        throw new AssertionError();
                    }
                    maybeAddImport("org.yaml.snakeyaml.constructor.SafeConstructor");
                    maybeAddImport("org.yaml.snakeyaml.DumperOptions");
                    return JavaTemplate.builder("new Yaml(new SafeConstructor(), #{any(org.yaml.snakeyaml.representer.Representer)}, new DumperOptions())").imports(new String[]{"org.yaml.snakeyaml.Yaml", "org.yaml.snakeyaml.DumperOptions", "org.yaml.snakeyaml.constructor.SafeConstructor", "org.yaml.snakeyaml.representer.Representer"}).javaParser(JavaParser.fromJavaVersion().classpathFromResources(executionContext, new String[]{"snakeyaml-1.33"})).build().apply(getCursor(), newClass.getCoordinates().replace(), new Object[]{newClass.getArguments().get(0)});
                }
                if (!SecureSnakeYamlConstructor.snakeYamlDumperArgumentConstructor.matches(newClass)) {
                    return super.visitNewClass(newClass, executionContext);
                }
                JavaType.Method constructorType3 = newClass.getConstructorType();
                if (!$assertionsDisabled && constructorType3 == null) {
                    throw new AssertionError();
                }
                maybeAddImport("org.yaml.snakeyaml.constructor.SafeConstructor");
                maybeAddImport("org.yaml.snakeyaml.representer.Representer");
                return JavaTemplate.builder("new Yaml(new SafeConstructor(), new Representer(), #{any(org.yaml.snakeyaml.DumperOptions)})").imports(new String[]{"org.yaml.snakeyaml.Yaml", "org.yaml.snakeyaml.DumperOptions", "org.yaml.snakeyaml.constructor.SafeConstructor", "org.yaml.snakeyaml.representer.Representer"}).javaParser(JavaParser.fromJavaVersion().classpathFromResources(executionContext, new String[]{"snakeyaml-1.33"})).build().apply(getCursor(), newClass.getCoordinates().replace(), new Object[]{newClass.getArguments().get(0)});
            }

            static {
                $assertionsDisabled = !SecureSnakeYamlConstructor.class.desiredAssertionStatus();
            }
        };
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Type inference failed for: r0v10, types: [org.openrewrite.java.security.marshalling.SecureSnakeYamlConstructor$2] */
    public static boolean isSnakeYamlUsedUnsafeOrEscapesScope(Cursor cursor) {
        J.Block block = (J.Block) cursor.getValue();
        final HashSet hashSet = new HashSet();
        Cursor parentOrThrow = cursor.getParentOrThrow();
        if (parentOrThrow.getValue() instanceof J.MethodDeclaration) {
            Stream stream = ((J.MethodDeclaration) parentOrThrow.getValue()).getParameters().stream();
            Class<J.VariableDeclarations> cls = J.VariableDeclarations.class;
            Objects.requireNonNull(J.VariableDeclarations.class);
            stream.filter((v1) -> {
                return r1.isInstance(v1);
            }).flatMap(statement -> {
                return ((J.VariableDeclarations) statement).getVariables().stream();
            }).forEach(namedVariable -> {
                hashSet.add(namedVariable.getSimpleName());
            });
        }
        AtomicBoolean atomicBoolean = new AtomicBoolean(false);
        new JavaIsoVisitor<AtomicBoolean>() { // from class: org.openrewrite.java.security.marshalling.SecureSnakeYamlConstructor.2
            final Stack<Set<String>> variablesDeclaredInScope = new Stack<>();

            {
                this.variablesDeclaredInScope.push(hashSet);
            }

            boolean isVariableInScope(String str) {
                Stream flatMap = this.variablesDeclaredInScope.stream().flatMap((v0) -> {
                    return v0.stream();
                });
                Objects.requireNonNull(str);
                return flatMap.anyMatch((v1) -> {
                    return r1.equals(v1);
                });
            }

            /* renamed from: visitBlock, reason: merged with bridge method [inline-methods] */
            public J.Block m577visitBlock(J.Block block2, AtomicBoolean atomicBoolean2) {
                if (atomicBoolean2.get()) {
                    return block2;
                }
                this.variablesDeclaredInScope.push(new HashSet());
                J.Block visitBlock = super.visitBlock(block2, atomicBoolean2);
                this.variablesDeclaredInScope.pop();
                return visitBlock;
            }

            /* renamed from: visitVariable, reason: merged with bridge method [inline-methods] */
            public J.VariableDeclarations.NamedVariable m574visitVariable(J.VariableDeclarations.NamedVariable namedVariable2, AtomicBoolean atomicBoolean2) {
                J.VariableDeclarations.NamedVariable visitVariable = super.visitVariable(namedVariable2, atomicBoolean2);
                this.variablesDeclaredInScope.peek().add(visitVariable.getSimpleName());
                return visitVariable;
            }

            /* renamed from: visitMethodInvocation, reason: merged with bridge method [inline-methods] */
            public J.MethodInvocation m576visitMethodInvocation(J.MethodInvocation methodInvocation, AtomicBoolean atomicBoolean2) {
                if (methodInvocation.getSelect() != null && isSnakeYamlType(methodInvocation.getSelect().getType()) && methodInvocation.getName().getSimpleName().startsWith("load")) {
                    atomicBoolean2.set(true);
                    return methodInvocation;
                }
                if (!methodInvocation.getArguments().stream().anyMatch(expression -> {
                    return isSnakeYamlType(expression.getType());
                })) {
                    return super.visitMethodInvocation(methodInvocation, atomicBoolean2);
                }
                atomicBoolean2.set(true);
                return methodInvocation;
            }

            /* renamed from: visitAssignment, reason: merged with bridge method [inline-methods] */
            public J.Assignment m578visitAssignment(J.Assignment assignment, AtomicBoolean atomicBoolean2) {
                if (!(isSnakeYamlType(assignment.getAssignment().getType()) && (assignment.getVariable() instanceof J.Identifier) && !isVariableInScope(assignment.getVariable().getSimpleName())) && (assignment.getVariable() instanceof J.Identifier)) {
                    return super.visitAssignment(assignment, atomicBoolean2);
                }
                atomicBoolean2.set(true);
                return assignment;
            }

            /* renamed from: visitReturn, reason: merged with bridge method [inline-methods] */
            public J.Return m575visitReturn(J.Return r5, AtomicBoolean atomicBoolean2) {
                if (r5.getExpression() == null || !isSnakeYamlType(r5.getExpression().getType())) {
                    return super.visitReturn(r5, atomicBoolean2);
                }
                atomicBoolean2.set(true);
                return r5;
            }

            private boolean isSnakeYamlType(@Nullable JavaType javaType) {
                return TypeUtils.isAssignableTo("org.yaml.snakeyaml.Yaml", javaType);
            }
        }.visit(block, atomicBoolean, cursor.getParentOrThrow());
        return atomicBoolean.get();
    }

    /* JADX INFO: Access modifiers changed from: private */
    @Nullable
    public static Cursor getOuterMostExecutableBlock(Cursor cursor) {
        Cursor cursor2 = null;
        Objects.requireNonNull(cursor);
        Iterable<Cursor> iterable = cursor::getPathAsCursors;
        for (Cursor cursor3 : iterable) {
            Object value = cursor3.getValue();
            if (value instanceof J.Block) {
                if (J.Block.isStaticOrInitBlock(cursor3)) {
                    return cursor3;
                }
                cursor2 = cursor3;
            }
            if (value instanceof J.ClassDeclaration) {
                return null;
            }
            if (value instanceof J.MethodDeclaration) {
                return cursor2;
            }
        }
        return null;
    }
}
