package org.sonar.php.checks.security;

import java.util.function.Predicate;
import org.sonar.check.Rule;
import org.sonar.php.checks.utils.type.FunctionCall;
import org.sonar.php.checks.utils.type.NewObjectCall;
import org.sonar.php.checks.utils.type.ObjectMemberFunctionCall;
import org.sonar.php.checks.utils.type.TreeValues;
import org.sonar.php.checks.utils.type.TypePredicateList;
import org.sonar.plugins.php.api.tree.Tree;
import org.sonar.plugins.php.api.tree.expression.ExpressionTree;
import org.sonar.plugins.php.api.tree.expression.FunctionCallTree;
import org.sonar.plugins.php.api.visitors.PHPVisitorCheck;

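/**
 * Security hotspot S4817: reports XPath evaluations whose expression argument is not a
 * plain string literal, since an expression assembled at runtime may be built from
 * attacker-controlled input (XPath injection).
 *
 * <p>Matched call shapes are listed in {@link #XPATH_PREDICATES}: {@code query} and
 * {@code evaluate} on a {@code DOMXpath} instance, and {@code xpath} on a
 * {@code SimpleXMLElement} obtained from {@code new SimpleXMLElement},
 * {@code simplexml_load_file}, {@code simplexml_load_string} or
 * {@code simplexml_import_dom}. The check is a hotspot: it asks for a review of the
 * call rather than asserting that it is vulnerable.
 */
@Rule(key = "S4817")
public class XPathUsageCheck extends PHPVisitorCheck {
    /** User-facing hotspot message; the wording is part of the rule's output. */
    private static final String MESSAGE = "Make sure that executing this XPATH expression is safe.";

    /** Call shapes whose first argument is an XPath expression that gets evaluated. */
    private static final Predicate<TreeValues> XPATH_PREDICATES = new TypePredicateList(
        new ObjectMemberFunctionCall("query", new NewObjectCall("DOMXpath")),
        new ObjectMemberFunctionCall("evaluate", new NewObjectCall("DOMXpath")),
        new ObjectMemberFunctionCall("xpath",
            new NewObjectCall("SimpleXMLElement"),
            new FunctionCall("simplexml_load_file"),
            new FunctionCall("simplexml_load_string"),
            new FunctionCall("simplexml_import_dom")));

    /**
     * Raises a hotspot on every matched XPath call whose expression argument is not a
     * plain string literal, then continues the traversal into the call's subtrees.
     *
     * @param functionCallTree the call being visited
     */
    @Override
    public void visitFunctionCall(FunctionCallTree functionCallTree) {
        // Resolve the receiver/callee through the symbol table so that the predicates can
        // match calls made on a variable that holds one of the XPath-capable objects.
        TreeValues callValues = TreeValues.of(functionCallTree, context().symbolTable());
        if (XPATH_PREDICATES.test(callValues) && firstArgIsNotHardcoded(functionCallTree)) {
            context().newIssue(this, functionCallTree, MESSAGE);
        }
        super.visitFunctionCall(functionCallTree);
    }

    /**
     * Tells whether the first argument could carry a runtime-built XPath expression.
     *
     * <p>Only a {@link Tree.Kind#REGULAR_STRING_LITERAL} is treated as hardcoded; every
     * other argument kind (variable, concatenation, call result, ...) is considered
     * reviewable. A call with no arguments is not reported: there is no expression
     * that could be injected into.
     *
     * @param functionCallTree the matched XPath call
     * @return {@code true} when a first argument exists and is not a plain string literal
     */
    private static boolean firstArgIsNotHardcoded(FunctionCallTree functionCallTree) {
        if (functionCallTree.arguments().isEmpty()) {
            return false;
        }
        ExpressionTree firstArgument = (ExpressionTree) functionCallTree.arguments().get(0);
        return !firstArgument.is(Tree.Kind.REGULAR_STRING_LITERAL);
    }
}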
