package com.lenovo.cloud.framework.custom.security.filter;

import com.lenovo.cloud.framework.custom.security.config.properties.SqlInjectionProperties;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.regex.Pattern;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:com/lenovo/cloud/framework/custom/security/filter/SqlInjectionFilter.class */
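/**
 * Servlet filter that rejects (HTTP 403) any request whose query/form parameters match
 * configured SQL-injection signatures.
 *
 * <p>Scope: only {@code HttpServletRequest#getParameterMap()} is inspected. Headers, path
 * segments, cookies and raw request bodies (e.g. JSON) are not examined. The signature lists
 * are blacklist heuristics and can produce false positives (a single apostrophe is flagged);
 * they are defense in depth — parameterized queries remain the primary control.
 *
 * <p>Configuration ({@link SqlInjectionProperties}) is snapshotted at construction: custom
 * rules are compiled once and keywords are lower-cased once, rather than on every request.
 */
public class SqlInjectionFilter extends OncePerRequestFilter {
    private static final Logger logger = LoggerFactory.getLogger(SqlInjectionFilter.class);

    private final AntPathMatcher pathMatcher;
    private final SqlInjectionProperties properties;
    // Built-in signatures, extended with the strict-mode set when properties.isStrictMode().
    private final List<Pattern> sqlPatterns;
    // Operator-supplied regexes (customRules), compiled once with CASE_INSENSITIVE.
    private final List<Pattern> customRulePatterns;
    // sqlKeywords lower-cased with Locale.ROOT so matching does not depend on the JVM locale.
    private final List<String> lowerCaseKeywords;

    /**
     * Creates the filter.
     *
     * @param antPathMatcher         matcher used for the exclude-URL patterns
     * @param sqlInjectionProperties detection configuration
     * @throws NullPointerException                  if either argument is null
     * @throws java.util.regex.PatternSyntaxException if a custom rule is not a valid regex
     */
    public SqlInjectionFilter(AntPathMatcher antPathMatcher, SqlInjectionProperties sqlInjectionProperties) {
        this.pathMatcher = Objects.requireNonNull(antPathMatcher, "antPathMatcher");
        this.properties = Objects.requireNonNull(sqlInjectionProperties, "sqlInjectionProperties");
        // These must run after 'properties' is assigned. As a field initializer they would
        // execute before the constructor body and dereference a still-null 'properties'.
        this.sqlPatterns = initializeSqlPatterns();
        this.customRulePatterns = compileCustomRules();
        this.lowerCaseKeywords = lowerCaseKeywords();
    }

    /**
     * Passes the request on unless it is not excluded and a parameter matches a signature,
     * in which case the chain is short-circuited with a 403.
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        if (isExcludedUrl(request.getRequestURI()) || !checkSqlInjection(request)) {
            chain.doFilter(request, response);
            return;
        }
        // Log parameter names only. Values are untrusted (and may be credentials); they are
        // written by logAttack() under the isLogAttack gate. Logging the raw map here would
        // have printed String[] identity strings anyway, not the values.
        logger.info("SQL injection attack detected - URL: {}, Method: {}, Parameters: {}",
                request.getRequestURI(), request.getMethod(), request.getParameterMap().keySet());
        response.sendError(HttpServletResponse.SC_FORBIDDEN,
                this.properties.isShowDetails() ? "SQL injection attack detected" : "Invalid request");
    }

    /** Returns true when {@code uri} matches any configured exclude-URL Ant pattern. */
    private boolean isExcludedUrl(String uri) {
        List<String> excludeUrls = this.properties.getExcludeUrls();
        if (excludeUrls == null) {
            return false;
        }
        return excludeUrls.stream().anyMatch(pattern -> this.pathMatcher.match(pattern, uri));
    }

    /**
     * Scans every parameter value; the first match is logged via {@link #logAttack} and
     * stops the scan.
     *
     * @return true if any parameter value matched a signature
     */
    private boolean checkSqlInjection(HttpServletRequest request) {
        for (Map.Entry<String, String[]> entry : request.getParameterMap().entrySet()) {
            String name = entry.getKey();
            String[] values = entry.getValue();
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (checkSqlInjectionPattern(value)) {
                    logAttack(name, value);
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Checks one value against, in order: custom rules, keywords, built-in patterns.
     * Null and whitespace-only values never match.
     */
    private boolean checkSqlInjectionPattern(String value) {
        if (value == null || value.trim().isEmpty()) {
            return false;
        }
        for (Pattern rule : this.customRulePatterns) {
            if (rule.matcher(value).find()) {
                return true;
            }
        }
        // Lower-case once per value; keywords are already lower-cased (same locale).
        String lower = value.toLowerCase(Locale.ROOT);
        for (String keyword : this.lowerCaseKeywords) {
            if (lower.contains(keyword)) {
                return true;
            }
        }
        for (Pattern pattern : this.sqlPatterns) {
            if (pattern.matcher(value).find()) {
                return true;
            }
        }
        return false;
    }

    /** Logs the offending parameter and value, only when logAttack is enabled in properties. */
    private void logAttack(String name, String value) {
        if (this.properties.isLogAttack()) {
            logger.warn("SQL injection attack detected - Parameter: {}, Value: {}", name, value);
        }
    }

    /**
     * Compiles the configured custom rules once. Null/empty entries are skipped: an empty
     * regex finds a match in every string and would block every request.
     */
    private List<Pattern> compileCustomRules() {
        Iterable<String> rules = this.properties.getCustomRules();
        if (rules == null) {
            return List.of();
        }
        List<Pattern> compiled = new ArrayList<>();
        for (String rule : rules) {
            if (rule == null || rule.isEmpty()) {
                continue;
            }
            compiled.add(Pattern.compile(rule, Pattern.CASE_INSENSITIVE));
        }
        return List.copyOf(compiled);
    }

    /**
     * Lower-cases the configured keywords once. Blank entries are skipped because
     * {@code contains("")} is true for every value.
     */
    private List<String> lowerCaseKeywords() {
        Iterable<String> keywords = this.properties.getSqlKeywords();
        if (keywords == null) {
            return List.of();
        }
        List<String> lowered = new ArrayList<>();
        for (String keyword : keywords) {
            if (keyword == null || keyword.trim().isEmpty()) {
                continue;
            }
            lowered.add(keyword.toLowerCase(Locale.ROOT));
        }
        return List.copyOf(lowered);
    }

    /**
     * Builds the built-in signature list. Must be called after {@code properties} is set.
     * Note the second pattern flags any apostrophe, double quote, semicolon or comment
     * marker, so legitimate free-text values (names, prose) can be rejected.
     */
    private List<Pattern> initializeSqlPatterns() {
        List<Pattern> patterns = new ArrayList<>();
        patterns.add(Pattern.compile("(?i)(select|insert|update|delete|drop|union|exec|declare|xp_cmdshell)"));
        patterns.add(Pattern.compile("(?i)(--|;|'|\"|/\\*|\\*/)"));
        patterns.add(Pattern.compile("(?i)(or\\s+1\\s*=\\s*1|or\\s+'1'\\s*=\\s*'1')"));
        if (this.properties.isStrictMode()) {
            patterns.add(Pattern.compile("(?i)(waitfor|delay|shutdown|backup|restore)"));
            patterns.add(Pattern.compile("(?i)(sysdatabases|sysobjects|syscolumns)"));
            patterns.add(Pattern.compile("(?i)(@@version|@@servername|@@language)"));
        }
        return List.copyOf(patterns);
    }
}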
