package org.sonar.php.checks.security;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import javax.annotation.Nullable;
import org.sonar.php.checks.CheckBundle;
import org.sonar.php.checks.CheckBundlePart;
import org.sonar.php.checks.TooManyFieldsInClassCheck;
import org.sonar.php.checks.regex.AbstractRegexCheck;
import org.sonar.php.checks.utils.CheckUtils;
import org.sonar.plugins.php.api.symbols.QualifiedName;
import org.sonar.plugins.php.api.tree.CompilationUnitTree;
import org.sonar.plugins.php.api.tree.Tree;
import org.sonar.plugins.php.api.tree.declaration.CallArgumentTree;
import org.sonar.plugins.php.api.tree.declaration.NamespaceNameTree;
import org.sonar.plugins.php.api.tree.expression.ArrayInitializerTree;
import org.sonar.plugins.php.api.tree.expression.ArrayPairTree;
import org.sonar.plugins.php.api.tree.expression.AssignmentExpressionTree;
import org.sonar.plugins.php.api.tree.expression.ExpressionTree;
import org.sonar.plugins.php.api.tree.expression.FunctionCallTree;
import org.sonar.plugins.php.api.tree.expression.LiteralTree;
import org.sonar.plugins.php.api.tree.expression.MemberAccessTree;
import org.sonar.plugins.php.api.tree.expression.NameIdentifierTree;
import org.sonar.plugins.php.api.tree.expression.NewExpressionTree;
import org.sonar.plugins.php.api.tree.statement.ReturnStatementTree;
import org.sonar.plugins.php.api.visitors.PHPVisitorCheck;

/* loaded from: input_file:org/sonar/php/checks/security/ClearTextProtocolsCheckPart.class */
public class ClearTextProtocolsCheckPart extends PHPVisitorCheck implements CheckBundlePart {
    private static final List<String> UNSAFE_PROTOCOLS = Arrays.asList("http://", "ftp://", "telnet://");
    private static final Map<String, String> ALTERNATIVE_PROTOCOLS = new HashMap();
    private static final String LOOPBACK_IPV4 = "^127(?:\\.[0-9]+){0,2}\\.[0-9]+$";
    private static final String LOOPBACK_IPV6 = "^(?:0*:){0,7}?:?0*1$";
    private static final Pattern LOOPBACK_IP;
    private static final QualifiedName SWIFTMAILER_QN;
    private static final QualifiedName PHPMAILER_QN;
    private static final Set<String> EXCEPTION_FULL_HOSTS;
    private static final Set<String> EXCEPTION_TOP_HOSTS;
    private static final String MESSAGE_PROTOCOL = "Using %s protocol is insecure. Use %s instead";
    private static final String MESSAGE_FTP = "Using ftp_connect() is insecure. Use ftp_ssl_connect() instead";
    private static final String MESSAGE_MAIL = "Mail transport without encryption is insecure. Specify an encryption";
    private boolean inLaravelConfigFile;
    private final Map<ExpressionTree, MailConfig> mailConfigs = new HashMap();
    private CheckBundle bundle;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/sonar/php/checks/security/ClearTextProtocolsCheckPart$LaravelMailConfig.class */
    public static class LaravelMailConfig extends MailConfig {
        private final ExpressionTree transport;

        public LaravelMailConfig(@Nullable ExpressionTree expressionTree, @Nullable ExpressionTree expressionTree2, @Nullable ExpressionTree expressionTree3) {
            super(expressionTree2, expressionTree3);
            this.transport = expressionTree;
        }

        /* JADX INFO: Access modifiers changed from: private */
        /* JADX WARN: Failed to find 'out' block for switch in B:11:0x006a. Please report as an issue. */
        public static LaravelMailConfig of(ArrayInitializerTree arrayInitializerTree) {
            ExpressionTree expressionTree = null;
            ExpressionTree expressionTree2 = null;
            ExpressionTree expressionTree3 = null;
            for (ArrayPairTree arrayPairTree : arrayInitializerTree.arrayPairs()) {
                if (arrayPairTree.key() != null && arrayPairTree.key().is(new Tree.Kind[]{Tree.Kind.REGULAR_STRING_LITERAL})) {
                    String trimQuotes = CheckUtils.trimQuotes(arrayPairTree.key());
                    boolean z = -1;
                    switch (trimQuotes.hashCode()) {
                        case -1512632445:
                            if (trimQuotes.equals("encryption")) {
                                z = 2;
                                break;
                            }
                            break;
                        case 3208616:
                            if (trimQuotes.equals("host")) {
                                z = true;
                                break;
                            }
                            break;
                        case 1052964649:
                            if (trimQuotes.equals("transport")) {
                                z = false;
                                break;
                            }
                            break;
                    }
                    switch (z) {
                        case false:
                            expressionTree = arrayPairTree.value();
                            break;
                        case TooManyFieldsInClassCheck.DEFAULT_COUNT_NON_PUBLIC /* 1 */:
                            expressionTree2 = arrayPairTree.value();
                            break;
                        case AbstractRegexCheck.PCRE_CASELESS /* 2 */:
                            expressionTree3 = arrayPairTree.value();
                            break;
                    }
                }
            }
            return new LaravelMailConfig(expressionTree, expressionTree2, expressionTree3);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public boolean isSmtp() {
            return this.transport != null && this.transport.is(new Tree.Kind[]{Tree.Kind.REGULAR_STRING_LITERAL}) && "smtp".equals(CheckUtils.trimQuotes(this.transport));
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/sonar/php/checks/security/ClearTextProtocolsCheckPart$MailConfig.class */
    public static class MailConfig {
        protected ExpressionTree host;
        protected ExpressionTree encryption;
        protected boolean hasUnknownState = false;

        protected MailConfig(@Nullable ExpressionTree expressionTree, @Nullable ExpressionTree expressionTree2) {
            this.host = expressionTree;
            this.encryption = expressionTree2;
        }

        protected boolean isClearText() {
            return !this.hasUnknownState && hasInsecureEncryption() && hasInsecureHost();
        }

        private boolean hasInsecureHost() {
            if (this.host == null) {
                return false;
            }
            LiteralTree assignedValue = CheckUtils.assignedValue(this.host);
            if (!assignedValue.is(new Tree.Kind[]{Tree.Kind.REGULAR_STRING_LITERAL})) {
                return false;
            }
            String lowerCase = CheckUtils.trimQuotes(assignedValue).toLowerCase(Locale.ROOT);
            return ("localhost".equals(lowerCase) || lowerCase.startsWith("ssl://") || lowerCase.startsWith("tls://") || ClearTextProtocolsCheckPart.LOOPBACK_IP.matcher(lowerCase).matches()) ? false : true;
        }

        private boolean hasInsecureEncryption() {
            if (this.encryption == null) {
                return true;
            }
            LiteralTree assignedValue = CheckUtils.assignedValue(this.encryption);
            if (!assignedValue.is(new Tree.Kind[]{Tree.Kind.REGULAR_STRING_LITERAL})) {
                return assignedValue.is(new Tree.Kind[]{Tree.Kind.NULL_LITERAL});
            }
            String lowerCase = CheckUtils.trimQuotes(assignedValue).toLowerCase(Locale.ROOT);
            return ("ssl".equals(lowerCase) || "tls".equals(lowerCase)) ? false : true;
        }

        protected void handleMethodCall(FunctionCallTree functionCallTree) {
        }

        protected void handleFieldAssignment(AssignmentExpressionTree assignmentExpressionTree) {
        }
    }

    /* loaded from: input_file:org/sonar/php/checks/security/ClearTextProtocolsCheckPart$PhpMailerMailConfig.class */
    private static class PhpMailerMailConfig extends MailConfig {
        private PhpMailerMailConfig() {
            super(null, null);
        }

        @Override // org.sonar.php.checks.security.ClearTextProtocolsCheckPart.MailConfig
        protected void handleFieldAssignment(AssignmentExpressionTree assignmentExpressionTree) {
            NameIdentifierTree member = assignmentExpressionTree.variable().member();
            if (!member.is(new Tree.Kind[]{Tree.Kind.NAME_IDENTIFIER})) {
                this.hasUnknownState = true;
                return;
            }
            String text = member.text();
            ExpressionTree value = assignmentExpressionTree.value();
            if ("SMTPSecure".equals(text)) {
                this.encryption = value;
            } else if ("Host".equals(text)) {
                this.host = value;
            }
        }
    }

    /* loaded from: input_file:org/sonar/php/checks/security/ClearTextProtocolsCheckPart$SwiftMailConfig.class */
    private static class SwiftMailConfig extends MailConfig {
        public SwiftMailConfig(@Nullable ExpressionTree expressionTree, @Nullable ExpressionTree expressionTree2) {
            super(expressionTree, expressionTree2);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public static SwiftMailConfig of(NewExpressionTree newExpressionTree) {
            FunctionCallTree expression = newExpressionTree.expression();
            return new SwiftMailConfig((ExpressionTree) CheckUtils.argument(expression, "host", 0).map((v0) -> {
                return v0.value();
            }).orElse(null), (ExpressionTree) CheckUtils.argument(expression, "encryption", 2).map((v0) -> {
                return v0.value();
            }).orElse(null));
        }

        @Override // org.sonar.php.checks.security.ClearTextProtocolsCheckPart.MailConfig
        protected void handleMethodCall(FunctionCallTree functionCallTree) {
            if (functionCallTree.callArguments().size() != 1) {
                return;
            }
            NameIdentifierTree member = functionCallTree.callee().member();
            if (!member.is(new Tree.Kind[]{Tree.Kind.NAME_IDENTIFIER})) {
                this.hasUnknownState = true;
                return;
            }
            String text = member.text();
            ExpressionTree value = ((CallArgumentTree) functionCallTree.callArguments().get(0)).value();
            if ("setEncryption".equalsIgnoreCase(text)) {
                this.encryption = value;
            } else if ("setHost".equalsIgnoreCase(text)) {
                this.host = value;
            }
        }
    }

    public void visitCompilationUnit(CompilationUnitTree compilationUnitTree) {
        this.inLaravelConfigFile = context().getPhpFile().uri().getPath().endsWith("config/mail.php");
        super.visitCompilationUnit(compilationUnitTree);
        this.mailConfigs.forEach((expressionTree, mailConfig) -> {
            if (mailConfig.isClearText()) {
                context().newIssue(getBundle(), mailConfig.encryption != null ? mailConfig.encryption : expressionTree, MESSAGE_MAIL);
            }
        });
        this.mailConfigs.clear();
    }

    public void visitLiteral(LiteralTree literalTree) {
        if (literalTree.is(new Tree.Kind[]{Tree.Kind.REGULAR_STRING_LITERAL})) {
            String lowerCase = CheckUtils.trimQuotes(literalTree).trim().toLowerCase(Locale.ROOT);
            if (lowerCase.matches("\\S+") && startsWithUnsafeProtocol(lowerCase) && !isExceptionUrl(lowerCase, literalTree)) {
                Stream<String> stream = ALTERNATIVE_PROTOCOLS.keySet().stream();
                Objects.requireNonNull(lowerCase);
                stream.filter(lowerCase::startsWith).findFirst().ifPresent(str -> {
                    context().newIssue(getBundle(), literalTree, String.format(MESSAGE_PROTOCOL, str, ALTERNATIVE_PROTOCOLS.get(str)));
                });
            }
        }
    }

    private static boolean isExceptionUrl(String str, LiteralTree literalTree) {
        return UNSAFE_PROTOCOLS.contains(str) ? !literalTree.getParent().is(new Tree.Kind[]{Tree.Kind.CONCATENATION}) : hasExceptionHost(str);
    }

    public void visitFunctionCall(FunctionCallTree functionCallTree) {
        if ("ftp_connect".equalsIgnoreCase(CheckUtils.getFunctionName(functionCallTree))) {
            context().newIssue(getBundle(), functionCallTree.callee(), MESSAGE_FTP);
        }
        super.visitFunctionCall(functionCallTree);
    }

    public void visitReturnStatement(ReturnStatementTree returnStatementTree) {
        ExpressionTree expression;
        if (this.inLaravelConfigFile && (expression = returnStatementTree.expression()) != null && isArray(expression)) {
            checkLaravelMailConfig((ArrayInitializerTree) expression);
        }
        super.visitReturnStatement(returnStatementTree);
    }

    public void visitNewExpression(NewExpressionTree newExpressionTree) {
        if (isInstantiationOf(newExpressionTree, SWIFTMAILER_QN)) {
            this.mailConfigs.putIfAbsent(newExpressionTree, SwiftMailConfig.of(newExpressionTree));
        } else if (isInstantiationOf(newExpressionTree, PHPMAILER_QN)) {
            this.mailConfigs.putIfAbsent(newExpressionTree, new PhpMailerMailConfig());
        }
        super.visitNewExpression(newExpressionTree);
    }

    private boolean isInstantiationOf(NewExpressionTree newExpressionTree, QualifiedName qualifiedName) {
        FunctionCallTree expression = newExpressionTree.expression();
        if (expression.is(new Tree.Kind[]{Tree.Kind.FUNCTION_CALL}) && expression.callee().is(new Tree.Kind[]{Tree.Kind.NAMESPACE_NAME})) {
            return qualifiedName.equals(getFullyQualifiedName((NamespaceNameTree) expression.callee()));
        }
        return false;
    }

    public void visitMemberAccess(MemberAccessTree memberAccessTree) {
        super.visitMemberAccess(memberAccessTree);
        NewExpressionTree originalNewExpression = getOriginalNewExpression(memberAccessTree.object());
        if (originalNewExpression == null || !this.mailConfigs.containsKey(originalNewExpression)) {
            return;
        }
        FunctionCallTree parent = memberAccessTree.getParent();
        if (parent.is(new Tree.Kind[]{Tree.Kind.FUNCTION_CALL})) {
            this.mailConfigs.get(originalNewExpression).handleMethodCall(parent);
        } else if (parent.is(new Tree.Kind[]{Tree.Kind.ASSIGNMENT}) && ((AssignmentExpressionTree) parent).variable() == memberAccessTree) {
            this.mailConfigs.get(originalNewExpression).handleFieldAssignment((AssignmentExpressionTree) parent);
        }
    }

    private static NewExpressionTree getOriginalNewExpression(ExpressionTree expressionTree) {
        NewExpressionTree skipParenthesis = CheckUtils.skipParenthesis(CheckUtils.assignedValue(expressionTree));
        if (skipParenthesis.is(new Tree.Kind[]{Tree.Kind.NEW_EXPRESSION})) {
            return skipParenthesis;
        }
        if (expressionTree.is(new Tree.Kind[]{Tree.Kind.FUNCTION_CALL}) && ((FunctionCallTree) expressionTree).callee().is(new Tree.Kind[]{Tree.Kind.OBJECT_MEMBER_ACCESS})) {
            return getOriginalNewExpression(((FunctionCallTree) expressionTree).callee().object());
        }
        return null;
    }

    private void checkLaravelMailConfig(ArrayInitializerTree arrayInitializerTree) {
        ArrayInitializerTree arrayInitializerTree2 = (ArrayInitializerTree) arrayInitializerTree.arrayPairs().stream().filter(arrayPairTree -> {
            return arrayPairTree.key() != null;
        }).filter(arrayPairTree2 -> {
            return arrayPairTree2.key().is(new Tree.Kind[]{Tree.Kind.REGULAR_STRING_LITERAL});
        }).filter(arrayPairTree3 -> {
            return "mailers".equals(CheckUtils.trimQuotes(arrayPairTree3.key()));
        }).filter(arrayPairTree4 -> {
            return isArray(arrayPairTree4.value());
        }).map(arrayPairTree5 -> {
            return arrayPairTree5.value();
        }).findFirst().orElse(null);
        if (arrayInitializerTree2 == null) {
            return;
        }
        for (ArrayPairTree arrayPairTree6 : arrayInitializerTree2.arrayPairs()) {
            if (arrayPairTree6.key() != null && isArray(arrayPairTree6.value())) {
                LaravelMailConfig of = LaravelMailConfig.of(arrayPairTree6.value());
                if (of.isSmtp()) {
                    this.mailConfigs.put(arrayPairTree6.key(), of);
                }
            }
        }
    }

    @Override // org.sonar.php.checks.CheckBundlePart
    public void setBundle(CheckBundle checkBundle) {
        this.bundle = checkBundle;
    }

    @Override // org.sonar.php.checks.CheckBundlePart
    public CheckBundle getBundle() {
        return this.bundle;
    }

    private static boolean startsWithUnsafeProtocol(String str) {
        Stream<String> stream = UNSAFE_PROTOCOLS.stream();
        Objects.requireNonNull(str);
        return stream.anyMatch(str::startsWith);
    }

    private static boolean hasExceptionHost(String str) {
        try {
            URI uri = new URI(str);
            String host = uri.getHost();
            if (host == null) {
                host = uri.getAuthority();
            }
            if (host != null && !"localhost".equals(host) && !LOOPBACK_IP.matcher(host).matches()) {
                Stream<String> stream = EXCEPTION_FULL_HOSTS.stream();
                String str2 = host;
                Objects.requireNonNull(str2);
                if (!stream.anyMatch((v1) -> {
                    return r1.equals(v1);
                })) {
                    Stream<String> stream2 = EXCEPTION_TOP_HOSTS.stream();
                    String str3 = host;
                    Objects.requireNonNull(str3);
                    if (!stream2.anyMatch(str3::matches)) {
                        return false;
                    }
                }
            }
            return true;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean isArray(Tree tree) {
        return tree.is(new Tree.Kind[]{Tree.Kind.ARRAY_INITIALIZER_BRACKET, Tree.Kind.ARRAY_INITIALIZER_FUNCTION});
    }

    static {
        ALTERNATIVE_PROTOCOLS.put("http", "https");
        ALTERNATIVE_PROTOCOLS.put("ftp", "sftp, scp or ftps");
        ALTERNATIVE_PROTOCOLS.put("telnet", "ssh");
        LOOPBACK_IP = Pattern.compile("^127(?:\\.[0-9]+){0,2}\\.[0-9]+$|^(?:0*:){0,7}?:?0*1$");
        SWIFTMAILER_QN = QualifiedName.qualifiedName("Swift_SmtpTransport");
        PHPMAILER_QN = QualifiedName.qualifiedName("PHPMailer\\PHPMailer\\PHPMailer");
        EXCEPTION_FULL_HOSTS = new HashSet(Arrays.asList("www.w3.org", "xml.apache.org", "schemas.xmlsoap.org", "schemas.openxmlformats.org", "rdfs.org", "purl.org", "xmlns.com", "schemas.google.com", "a9.com", "ns.adobe.com", "ltsc.ieee.org", "docbook.org", "graphml.graphdrawing.org", "json-schema.org"));
        EXCEPTION_TOP_HOSTS = new HashSet(Arrays.asList("(.*\\.)?example\\.com$", "(.*\\.)?example\\.org$", "(.*\\.)?test\\.com$"));
    }
}
