package com.ohaotian.plugin.base.filter;

import com.alibaba.fastjson.JSONObject;
import com.ohaotian.plugin.base.exception.ZTBusinessException;
import java.io.BufferedReader;
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

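/**
 * Servlet filter that rejects a request whose body, parsed as a JSON object, contains one of a
 * configurable set of SQL keywords.
 *
 * <p>Scope as implemented here: only the request body is inspected, and only when it parses as a
 * JSON object. Query-string and form parameters are logged but not checked, and a body that is
 * empty, not JSON, or malformed passes through untouched (the check fails open, see
 * {@link #checkSqlKeyWords(String)}). Matching is a plain substring blacklist (keyword bounded by
 * a space on at least one side, see {@link #checkValue(String, String)}), so this is a coarse
 * defence-in-depth layer and not a substitute for parameterised queries in the data layer.
 */
@WebFilter({"/*"})
@Component
/* loaded from: input_file:com/ohaotian/plugin/base/filter/XssAndSqlFilter.class */
public class XssAndSqlFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger(XssAndSqlFilter.class);

    /**
     * Keyword blacklist, built lazily from {@link #securityXssKey} on first use and then shared by
     * every thread. {@code volatile} and assigned only once fully populated, so no thread can
     * observe a half-built (and therefore too permissive) set; the published set is unmodifiable.
     */
    private static volatile Set<String> notAllowedKeyWords = null;

    /** '|'-separated keyword list; the property's fallback value is the built-in default. */
    @Value("${security.xss.key:and|exec|insert|select|delete|update|count|%|chr|mid|master|truncate|char|declare|or|like|where|union|order|by|table|from|grant|use|group_concat|column_name|information_schema.columns|table_schema|}")
    private String securityXssKey;

    /**
     * Reads the request body through {@link XssAndSqlHttpServletRequestWrapper}, rejects the
     * request when {@link #checkSqlKeyWords(String)} matches, and otherwise passes the wrapper
     * down the chain.
     *
     * @throws ZTBusinessException when the body contains a blacklisted keyword
     * @throws IOException propagated from the rest of the chain
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        servletRequest.setCharacterEncoding("utf-8");
        servletResponse.setContentType("text/html;charset=utf-8");
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        // NOTE(review): every request parameter is written to the log at INFO. If any endpoint
        // receives credentials or tokens as parameters they end up in the log; consider DEBUG
        // level or masking before relying on these lines in production.
        log.info("CrosXssFilter----->orignal url:{},ParameterMap:{}", httpServletRequest.getRequestURI(), JSONObject.toJSONString(httpServletRequest.getParameterMap()));
        XssAndSqlHttpServletRequestWrapper xssAndSqlHttpServletRequestWrapper = new XssAndSqlHttpServletRequestWrapper(httpServletRequest);
        String bodyString = getBodyString(xssAndSqlHttpServletRequestWrapper.getReader());
        // Result deliberately unused: presumably forces the container to parse form parameters on
        // the original request once the body has been consumed through the wrapper. Confirm
        // against XssAndSqlHttpServletRequestWrapper before removing this call.
        servletRequest.getParameterMap();
        log.info("CrosXssFilter..........doFilter url:{},ParameterMap:{}", xssAndSqlHttpServletRequestWrapper.getRequestURI(), JSONObject.toJSONString(xssAndSqlHttpServletRequestWrapper.getParameterMap()));
        if (checkSqlKeyWords(bodyString)) {
            String message = "[" + httpServletRequest.getRequestURI() + "]，请求参数中包含不允许sql的关键词";
            log.error(message);
            throw new ZTBusinessException(message);
        }
        filterChain.doFilter(xssAndSqlHttpServletRequestWrapper, servletResponse);
    }

    /** No initialisation needed; the keyword set is built lazily on first use. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Concatenates every line of {@code bufferedReader} (line terminators are dropped, as before)
     * and closes the reader.
     *
     * <p>A read error now ends the read instead of retrying: the previous version looped forever
     * when {@code readLine()} kept throwing, which let a broken client connection pin a worker
     * thread. Whatever was read before the error is returned and the reader is still closed.
     *
     * @param bufferedReader reader over the request body; {@code null} yields {@code ""}
     * @return the joined body text, never {@code null}
     */
    public static String getBodyString(BufferedReader bufferedReader) {
        if (bufferedReader == null) {
            return "";
        }
        StringBuilder body = new StringBuilder();
        try {
            String line;
            while ((line = bufferedReader.readLine()) != null) {
                body.append(line);
            }
        } catch (IOException e) {
            // Best effort: keep the partial body (it is still keyword-checked) and log with the
            // stack trace rather than only the message.
            log.error("过滤参数异常：{}", e.getMessage(), e);
        } finally {
            try {
                bufferedReader.close();
            } catch (IOException e) {
                log.error("过滤参数异常：{}", e.getMessage(), e);
            }
        }
        return body.toString();
    }

    /**
     * True when {@code keyword} occurs in {@code text} with a space directly before or after it.
     * Both arguments are expected to be lower-cased already. The former third check for
     * {@code " keyword "} is implied by either of these two and has been dropped.
     */
    private static boolean checkValue(String text, String keyword) {
        return text.contains(" " + keyword) || text.contains(keyword + " ");
    }

    /**
     * Returns {@code true} when {@code str} parses as a JSON object and the text of any of its
     * top-level values contains a blacklisted keyword. Nested objects and arrays are matched
     * through their serialised text, so their contents are covered too.
     *
     * <p>Fails open by design: empty input, input that is not a JSON object, or a parse error all
     * return {@code false}, so non-JSON bodies (form posts, XML, multipart) are never inspected.
     *
     * @param str raw request body
     * @return whether a blacklisted keyword was found
     */
    public boolean checkSqlKeyWords(String str) {
        if (StringUtils.isEmpty(str)) {
            return false;
        }
        Set<String> keywords = keywords();
        try {
            JSONObject parseObject = JSONObject.parseObject(str);
            if (parseObject == null) {
                return false;
            }
            for (Map.Entry<String, Object> entry : parseObject.entrySet()) {
                Object value = entry.getValue();
                if (value == null) {
                    continue;
                }
                // Locale.ROOT: with the default locale the comparison could be bypassed, e.g. an
                // upper-case 'I' does not lower-case to 'i' under a Turkish locale.
                String text = value.toString().toLowerCase(Locale.ROOT);
                for (String keyword : keywords) {
                    if (checkValue(text, keyword)) {
                        return true;
                    }
                }
            }
            return false;
        } catch (Exception e) {
            // Not a JSON object, or malformed: nothing to check. DEBUG only, since this is the
            // normal path for every non-JSON request.
            log.debug("checkSqlKeyWords: body is not a JSON object, keyword check skipped", e);
            return false;
        }
    }

    /**
     * Builds the keyword set from {@link #securityXssKey} on first use and caches it. Blank
     * entries (from {@code a||b} or a trailing '|') are skipped: an empty keyword would match
     * every value containing a space.
     *
     * @throws NullPointerException when {@code securityXssKey} was not injected
     */
    private Set<String> keywords() {
        Set<String> current = notAllowedKeyWords;
        if (current == null) {
            String configured = Objects.requireNonNull(this.securityXssKey, "securityXssKey");
            Set<String> built = new HashSet<>();
            for (String keyword : configured.split("\\|")) {
                if (!keyword.isEmpty()) {
                    built.add(keyword);
                }
            }
            current = Collections.unmodifiableSet(built);
            notAllowedKeyWords = current;
        }
        return current;
    }
}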
