package org.squashtest.tm.web.backend.filter.xss;

import java.util.Arrays;
import java.util.Enumeration;
import java.util.Map;
import java.util.Objects;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Entities;
import org.jsoup.safety.Safelist;
import org.owasp.encoder.esapi.ESAPIEncoder;
import org.owasp.esapi.errors.IntrusionException;

/* loaded from: input_file:WEB-INF/classes/org/squashtest/tm/web/backend/filter/xss/XSSRequestWrapper.class */
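/**
 * Request wrapper that validates request parameters and header values for
 * HTML/XSS content on access.
 *
 * <p>Despite the "strip" naming, nothing is rewritten: every accessor returns
 * the container's original value, and a value that still contains markup after
 * ESAPI canonicalization causes an {@link IntrusionException} to be thrown
 * instead. Only the parameter and header accessors overridden here are
 * inspected; {@code getInputStream()}/{@code getReader()} are not overridden,
 * so a request body is not covered by this wrapper.
 *
 * <p>Values of the {@code referer} header are canonicalized with mixed
 * encoding allowed; every other value is checked with the strict options.
 */
public class XSSRequestWrapper extends HttpServletRequestWrapper {
    private static final String HEADER_REFERER = "referer";

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/classes/org/squashtest/tm/web/backend/filter/xss/XSSRequestWrapper$StripOptions.class */
    /**
     * Canonicalization options handed to the ESAPI encoder.
     *
     * <p>{@code restrictMultiple} and {@code restrictMixed} map directly onto
     * the two boolean arguments of {@code Encoder.canonicalize(String, boolean,
     * boolean)}; presumably the encoder rejects multiply- or mixed-encoded
     * input when the corresponding flag is set — confirm against the Encoder
     * implementation in use.
     */
    public enum StripOptions {
        /** Reject both multiple encoding and mixed encoding. */
        STRICT(true, true),
        /** Reject multiple encoding but tolerate mixed encoding. */
        ALLOW_MIXED_ENCODING(true, false);

        final boolean restrictMultiple;
        final boolean restrictMixed;

        StripOptions(boolean restrictMultiple, boolean restrictMixed) {
            this.restrictMultiple = restrictMultiple;
            this.restrictMixed = restrictMixed;
        }

        /* renamed from: values, reason: to resolve conflict with enum method */
        /**
         * Returns a defensive copy of {@link #values()}.
         *
         * @return a fresh array holding every constant in declaration order
         */
        public static StripOptions[] valuesCustom() {
            StripOptions[] all = values();
            return Arrays.copyOf(all, all.length);
        }
    }

    /**
     * Wraps the given request.
     *
     * @param request the request to wrap; must not be {@code null}
     */
    public XSSRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Validates every parameter value before returning the container's map.
     *
     * @return the wrapped request's parameter map, or {@code null} when the
     *         wrapped request returns {@code null}
     * @throws IntrusionException if any value is rejected
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> parameterMap = super.getParameterMap();
        if (Objects.isNull(parameterMap)) {
            return null;
        }
        parameterMap.forEach(this::stripXSS);
        return parameterMap;
    }

    /**
     * Validates every value of the named parameter before returning them.
     *
     * @param name the parameter name
     * @return the wrapped request's values, or {@code null} when absent
     * @throws IntrusionException if any value is rejected
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (Objects.isNull(values)) {
            return null;
        }
        stripXSS(name, values);
        return values;
    }

    /**
     * Validates the named parameter's value before returning it.
     *
     * @param name the parameter name
     * @return the wrapped request's value, or {@code null} when absent
     * @throws IntrusionException if the value is rejected
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        stripXSS(name, value);
        return value;
    }

    /**
     * Validates every comma-separated element of each value of the named
     * header, then returns a fresh enumeration from the wrapped request.
     *
     * <p>The first enumeration is consumed by the validation loop, which is
     * why {@code super.getHeaders(name)} is called a second time for the
     * return value.
     *
     * @param name the header name
     * @return the wrapped request's header values, or {@code null} when the
     *         container does not expose header information
     * @throws IntrusionException if any element is rejected
     */
    @Override
    public Enumeration<String> getHeaders(String name) {
        Enumeration<String> headers = super.getHeaders(name);
        // The servlet API allows a container to return null here; the original
        // code dereferenced it unconditionally.
        if (Objects.isNull(headers)) {
            return null;
        }
        while (headers.hasMoreElements()) {
            for (String element : headers.nextElement().split(",")) {
                stripXSS(name, element);
            }
        }
        return super.getHeaders(name);
    }

    /**
     * Validates the named header's value before returning it.
     *
     * @param name the header name
     * @return the wrapped request's header value, or {@code null} when absent
     * @throws IntrusionException if the value is rejected
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        stripXSS(name, value);
        return value;
    }

    /** Validates each element of {@code values} under the rules for {@code name}. */
    private void stripXSS(String name, String[] values) {
        for (String value : values) {
            stripXSS(name, value);
        }
    }

    /**
     * Selects the canonicalization options for {@code name} and validates
     * {@code value}. The referer header is the only value checked with mixed
     * encoding allowed; presumably because referer URLs legitimately mix
     * percent-encoded and literal characters — confirm with the original
     * authors.
     */
    private void stripXSS(String name, String value) {
        StripOptions options = HEADER_REFERER.equals(name)
                ? StripOptions.ALLOW_MIXED_ENCODING
                : StripOptions.STRICT;
        doStripXSS(value, options);
    }

    /**
     * Canonicalizes {@code value} with ESAPI and rejects it if any HTML
     * element survives against an empty safelist.
     *
     * <p>A {@code null} value is accepted as-is. The exception message embeds
     * both the canonicalized and the raw input; anything that logs it verbatim
     * is writing untrusted data into the log and should treat it accordingly.
     *
     * @param value the raw value, may be {@code null}
     * @param options canonicalization options
     * @throws IntrusionException if markup is detected (the ESAPI encoder may
     *         also throw it for rejected encodings)
     */
    private void doStripXSS(String value, StripOptions options) {
        if (value == null) {
            return;
        }
        // NOTE(review): the two-character literal passed to replace() below is a
        // decompilation artifact; the intended character should be confirmed
        // against the build source before this class is touched further.
        String canonical = ESAPIEncoder.getInstance()
                .canonicalize(value, options.restrictMultiple, options.restrictMixed)
                .replace("��", "")
                .trim();
        // Safelist.none(): any element at all is a violation. Jsoup.isValid
        // parses the string as a body fragment, so this is a markup check, not
        // a general "dangerous characters" check.
        if (!Jsoup.isValid(canonical, Safelist.none())) {
            throw new IntrusionException("", String.format("Xss protection activated. Escaped value %s. Raw value was %s", canonical, value));
        }
    }
}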
