package com.ohaotian.plugin.base.filter;

import com.alibaba.fastjson.JSONObject;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StreamUtils;

/* loaded from: input_file:com/ohaotian/plugin/base/filter/XssAndSqlHttpServletRequestWrapper.class */
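/**
 * Request wrapper that caches the request body so it can be read more than once and applies a
 * blacklist-style XSS rewrite to parameter names, parameter values and header values. It also
 * offers {@link #checkSqlKeyWords(String)} for screening a JSON body against a fixed list of SQL
 * tokens.
 *
 * <p>The rewrite in {@link #cleanXss(String)} is a best-effort character/keyword substitution,
 * not a context-aware encoder; output encoding at the rendering layer is still required.
 *
 * <p>Thread-safety: an instance belongs to a single request. The keyword set and regex patterns
 * are initialised once and never modified afterwards.
 */
public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private static final Logger log = LoggerFactory.getLogger(XssAndSqlHttpServletRequestWrapper.class);

    /**
     * Pipe-separated SQL tokens. The trailing '|' does not produce an empty keyword because
     * {@code String.split} drops trailing empty strings.
     */
    private static final String key = "and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|like|where|union|order|by|table|from|grant|use|group_concat|column_name|information_schema.columns|table_schema|";

    /** Keywords derived from {@link #key}; built once at class initialisation. */
    private static final Set<String> notAllowedKeyWords = new HashSet<>(Arrays.asList(key.split("\\|")));

    /**
     * Matches {@code eval(...)}. The group is greedy, so a single match spans from the first
     * {@code eval(} to the last {@code )} in the input; this mirrors the original expression.
     */
    private static final Pattern EVAL_CALL = Pattern.compile("(?i)eval\\((.*)\\)");

    /** Matches a single- or double-quoted {@code javascript:} URL (greedy, as in the original). */
    private static final Pattern JAVASCRIPT_URL = Pattern.compile("(?i)[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']");

    /** Matches the literal token {@code script} in any letter case. */
    private static final Pattern SCRIPT_TOKEN = Pattern.compile("(?i)script");

    /** Snapshot of the request body taken in the constructor; never modified afterwards. */
    private final byte[] body;

    /** Request URI captured at construction time; not read anywhere in this class. */
    private final String currentUrl;

    /**
     * Wraps {@code httpServletRequest} and drains its input stream into memory so that
     * {@link #getInputStream()} and {@link #getReader()} can be called repeatedly.
     *
     * @param httpServletRequest the request to wrap
     * @throws IOException if the underlying input stream cannot be read
     */
    public XssAndSqlHttpServletRequestWrapper(HttpServletRequest httpServletRequest) throws IOException {
        super(httpServletRequest);
        this.currentUrl = httpServletRequest.getRequestURI();
        // NOTE(review): for form-encoded POSTs the container parses parameters from this same
        // stream; if it has not done so before the wrapper is built, super.getParameter* may come
        // back empty — confirm against the filter ordering in use.
        this.body = StreamUtils.copyToByteArray(httpServletRequest.getInputStream());
    }

    /**
     * Returns the cleaned value of the named parameter.
     *
     * @param str parameter name
     * @return the rewritten value, or {@code null} when the parameter is absent or empty (an empty
     *     string is deliberately collapsed to {@code null}, as in the original implementation)
     */
    @Override
    public String getParameter(String str) {
        String parameter = super.getParameter(str);
        if (StringUtils.isEmpty(parameter)) {
            return null;
        }
        return cleanXss(parameter);
    }

    /**
     * Returns a copy of the parameter map with every key and value passed through
     * {@link #cleanXss(String)}.
     *
     * @return a new mutable map, or {@code null} when the wrapped request returns {@code null}
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> parameterMap = super.getParameterMap();
        if (parameterMap == null) {
            return null;
        }
        Map<String, String[]> cleaned = new HashMap<>(parameterMap.size());
        for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
            cleaned.put(cleanXss(entry.getKey()), cleanValues(entry.getValue()));
        }
        return cleaned;
    }

    /**
     * Returns the cleaned value of the named header.
     *
     * @param str header name
     * @return the rewritten header value, or {@code null} when absent or empty
     */
    @Override
    public String getHeader(String str) {
        String header = super.getHeader(str);
        if (StringUtils.isEmpty(header)) {
            return null;
        }
        return cleanXss(header);
    }

    /**
     * Returns the cleaned values of the named parameter.
     *
     * @param str parameter name
     * @return a new array of rewritten values, or {@code null} when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String str) {
        return cleanValues(super.getParameterValues(str));
    }

    /**
     * Returns a stream over the cached body. Each call yields an independent stream positioned at
     * the start of the body.
     *
     * @return a new {@link ServletInputStream} over the cached bytes
     * @throws IOException never thrown here; declared to honour the servlet contract
     */
    @Override
    public ServletInputStream getInputStream() throws IOException {
        final ByteArrayInputStream bodyStream = new ByteArrayInputStream(this.body);
        return new ServletInputStream() {
            @Override
            public int read() throws IOException {
                return bodyStream.read();
            }

            @Override
            public boolean isFinished() {
                // The original always reported false, which misrepresents EOF to callers that
                // poll this flag; the cached stream knows exactly how many bytes remain.
                return bodyStream.available() == 0;
            }

            @Override
            public boolean isReady() {
                // The body is fully in memory, so a read never blocks.
                return true;
            }

            @Override
            public void setReadListener(ReadListener readListener) {
                // Non-blocking reads are not supported for the cached body; listeners are ignored.
            }
        };
    }

    /**
     * Returns a reader over the cached body using the request's declared character encoding, or
     * UTF-8 when none is declared (the original relied on the JVM default charset).
     *
     * @return a new {@link BufferedReader} over the cached body
     * @throws IOException if the stream cannot be opened
     */
    @Override
    public BufferedReader getReader() throws IOException {
        String declared = getCharacterEncoding();
        Charset charset = declared == null ? StandardCharsets.UTF_8 : Charset.forName(declared);
        return new BufferedReader(new InputStreamReader(getInputStream(), charset));
    }

    /**
     * Applies {@link #cleanXss(String)} to every element of {@code values}.
     *
     * @param values raw values, may be {@code null}
     * @return a new array of rewritten values, or {@code null} when {@code values} is {@code null}
     */
    private String[] cleanValues(String[] values) {
        if (values == null) {
            return null;
        }
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = cleanXss(values[i]);
        }
        return cleaned;
    }

    /**
     * Rewrites characters and tokens commonly used in script injection.
     *
     * <p>Pattern-based stripping ({@code eval(...)}, quoted {@code javascript:} URLs) runs before
     * the character escaping: in the original chain '(' and the single quote were already escaped
     * by the time those patterns ran, so they could never match. The duplicate
     * {@code "< -> & lt;"} / {@code "> -> & gt;"} passes of the original were dead code for the
     * same reason and are dropped.
     *
     * @param str raw text, may be {@code null}
     * @return the rewritten text, or {@code null} when {@code str} is {@code null}
     */
    private String cleanXss(String str) {
        if (str == null) {
            return null;
        }
        String cleaned = EVAL_CALL.matcher(str).replaceAll("");
        cleaned = JAVASCRIPT_URL.matcher(cleaned).replaceAll("\"\"");
        // Literal single-character substitutions; none of the replacements contain '$' or '\',
        // so String.replace is equivalent to the original replaceAll calls.
        cleaned = cleaned.replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("(", "& #40;")
                .replace(")", "& #41;")
                .replace("'", "& #39;");
        return SCRIPT_TOKEN.matcher(cleaned).replaceAll("");
    }

    /**
     * Reports whether {@code keyword} occurs in {@code text} with a space on at least one side.
     * The original also tested the space-on-both-sides form, which is implied by the first test.
     *
     * @param text lower-cased text to search
     * @param keyword token to look for
     * @return {@code true} when the token is found adjacent to a space
     */
    private boolean checkValue(String text, String keyword) {
        return text.contains(" " + keyword) || text.contains(keyword + " ");
    }

    /**
     * Screens the top-level values of a JSON object against {@link #notAllowedKeyWords}.
     *
     * <p>Every non-null value is compared via its {@code toString()} form; nested objects are
     * therefore inspected as serialised JSON text rather than recursively. The original re-parsed
     * nested objects before checking them, which never changed the outcome and is omitted here.
     * Lower-casing uses {@link Locale#ROOT} so the match does not depend on the JVM locale.
     *
     * @param str JSON text of the request body, may be {@code null} or empty
     * @return {@code true} when a keyword is found (the hit is logged at ERROR level), otherwise
     *     {@code false}; an empty or unparsable-to-null body yields {@code false}
     * @throws com.alibaba.fastjson.JSONException propagated from {@code JSONObject.parseObject}
     *     when {@code str} is not valid JSON, as in the original
     */
    public boolean checkSqlKeyWords(String str) {
        if (StringUtils.isEmpty(str)) {
            return false;
        }
        JSONObject parseObject = JSONObject.parseObject(str);
        if (parseObject == null) {
            return false;
        }
        for (Map.Entry<String, Object> entry : parseObject.entrySet()) {
            Object value = entry.getValue();
            if (value == null) {
                continue;
            }
            String lowered = value.toString().toLowerCase(Locale.ROOT);
            for (String keyword : notAllowedKeyWords) {
                if (checkValue(lowered, keyword)) {
                    log.error(getRequestURI() + "参数中包含不允许sql的关键词(" + keyword + ")");
                    return true;
                }
            }
        }
        return false;
    }
}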
