package org.sonar.java.checks.security;

import java.util.Collections;
import java.util.List;
import javax.annotation.CheckForNull;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;
import org.sonar.check.Rule;
import org.sonar.java.checks.helpers.ConstantUtils;
import org.sonar.java.checks.methods.AbstractMethodDetection;
import org.sonar.java.matcher.MethodMatcher;
import org.sonar.java.matcher.TypeCriteria;
import org.sonar.java.model.LiteralUtils;
import org.sonar.plugins.java.api.tree.Arguments;
import org.sonar.plugins.java.api.tree.BaseTreeVisitor;
import org.sonar.plugins.java.api.tree.ExpressionTree;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.Tree;

@Rule(key = "S4435")
/* loaded from: input_file:org/sonar/java/checks/security/SecureXmlTransformerCheck.class */
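/**
 * Rule S4435: reports calls to {@code TransformerFactory.newInstance(...)} whose enclosing
 * method body does not also call one of the factory's securing methods.
 *
 * <p>A factory creation is considered secured when the same method body contains either
 * {@code setFeature(FEATURE_SECURE_PROCESSING, true)} or both
 * {@code setAttribute(ACCESS_EXTERNAL_DTD, "")} and
 * {@code setAttribute(ACCESS_EXTERNAL_STYLESHEET, "")}, with the arguments resolvable as
 * compile-time constants.
 *
 * <p>NOTE(review): the analysis is per enclosing method and does not track which factory
 * instance the securing call is made on. A method that creates several factories and secures
 * only one of them is therefore not reported; a {@code newInstance} call outside any method
 * (e.g. a field initializer) is never reported.
 */
public class SecureXmlTransformerCheck extends AbstractMethodDetection {
    private static final String TRANSFORMER_FACTORY_CLASS_NAME = TransformerFactory.class.getName();

    /**
     * Scans one method body and records which securing calls on a
     * {@code TransformerFactory} (or subtype) it contains.
     */
    private static class MethodBodyVisitor extends BaseTreeVisitor {
        private static final MethodMatcher SET_FEATURE = MethodMatcher.create()
            .typeDefinition(TypeCriteria.subtypeOf(TRANSFORMER_FACTORY_CLASS_NAME))
            .name("setFeature")
            .parameters("java.lang.String", "boolean");
        private static final MethodMatcher SET_ATTRIBUTE = MethodMatcher.create()
            .typeDefinition(TypeCriteria.subtypeOf(TRANSFORMER_FACTORY_CLASS_NAME))
            .name("setAttribute")
            .parameters("java.lang.String", "java.lang.Object");

        // setFeature(FEATURE_SECURE_PROCESSING, true) seen
        private boolean hasSecureProcessingFeature = false;
        // setAttribute(ACCESS_EXTERNAL_DTD, "") seen
        private boolean hasSecuredExternalDtd = false;
        // setAttribute(ACCESS_EXTERNAL_STYLESHEET, "") seen
        private boolean hasSecuredExternalStylesheet = false;

        /**
         * @return {@code true} when secure processing was enabled, or when both external
         *         DTD and external stylesheet access were restricted to the empty protocol list
         */
        boolean foundCallsToSecuringMethods() {
            return hasSecureProcessingFeature || (hasSecuredExternalDtd && hasSecuredExternalStylesheet);
        }

        @Override
        public void visitMethodInvocation(MethodInvocationTree methodInvocationTree) {
            Arguments arguments = methodInvocationTree.arguments();
            if (SET_FEATURE.matches(methodInvocationTree)) {
                recordSetFeature(arguments);
            } else if (SET_ATTRIBUTE.matches(methodInvocationTree)) {
                recordSetAttribute(arguments);
            }
            // keep descending: nested invocations (lambdas, anonymous classes) are part of the body
            super.visitMethodInvocation(methodInvocationTree);
        }

        /** Marks secure processing as enabled for {@code setFeature(<secure-processing>, true)}. */
        private void recordSetFeature(Arguments arguments) {
            String featureName = ConstantUtils.resolveAsStringConstant((ExpressionTree) arguments.get(0));
            if (XMLConstants.FEATURE_SECURE_PROCESSING.equals(featureName)
                && LiteralUtils.isTrue((Tree) arguments.get(1))) {
                hasSecureProcessingFeature = true;
            }
        }

        /**
         * Marks external DTD / stylesheet access as restricted for
         * {@code setAttribute(<property>, "")}; only the empty string counts, any other
         * (or non-constant) value is ignored.
         */
        private void recordSetAttribute(Arguments arguments) {
            String attributeValue = ConstantUtils.resolveAsStringConstant((ExpressionTree) arguments.get(1));
            if (!"".equals(attributeValue)) {
                return;
            }
            String attributeName = ConstantUtils.resolveAsStringConstant((ExpressionTree) arguments.get(0));
            if (XMLConstants.ACCESS_EXTERNAL_DTD.equals(attributeName)) {
                hasSecuredExternalDtd = true;
            } else if (XMLConstants.ACCESS_EXTERNAL_STYLESHEET.equals(attributeName)) {
                hasSecuredExternalStylesheet = true;
            }
        }
    }

    /** Triggers on any {@code TransformerFactory.newInstance(...)} overload. */
    @Override
    protected List<MethodMatcher> getMethodInvocationMatchers() {
        return Collections.singletonList(MethodMatcher.create()
            .typeDefinition(TRANSFORMER_FACTORY_CLASS_NAME)
            .name("newInstance")
            .withAnyParameters());
    }

    /**
     * Reports the {@code newInstance} call unless the enclosing method body contains the
     * securing calls described on the class.
     *
     * @param methodInvocationTree the matched {@code newInstance} invocation
     */
    @Override
    public void onMethodInvocationFound(MethodInvocationTree methodInvocationTree) {
        Tree enclosingMethod = enclosingMethod(methodInvocationTree);
        if (enclosingMethod == null) {
            // not inside a method body (e.g. field initializer): nothing to scan
            return;
        }
        MethodBodyVisitor bodyVisitor = new MethodBodyVisitor();
        enclosingMethod.accept(bodyVisitor);
        if (!bodyVisitor.foundCallsToSecuringMethods()) {
            reportIssue(methodInvocationTree.methodSelect(), "Secure this \"Transformer\" by either disabling external DTDs or enabling secure processing.");
        }
    }

    /**
     * Walks up from {@code tree} to the nearest enclosing {@code METHOD} tree.
     *
     * @return the enclosing method tree, or {@code null} when a {@code CLASS} tree (or the
     *         root of the tree) is reached first
     */
    @CheckForNull
    private static Tree enclosingMethod(Tree tree) {
        // The null guard covers reaching the root without meeting Kind.CLASS (e.g. an initializer
        // in a type whose kind is not CLASS); the previous loop would dereference a null parent there.
        for (Tree current = tree.parent(); current != null; current = current.parent()) {
            if (current.is(Tree.Kind.METHOD)) {
                return current;
            }
            if (current.is(Tree.Kind.CLASS)) {
                return null;
            }
        }
        return null;
    }
}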
