package org.sonar.php.checks.security;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Objects;
import java.util.Optional;
import org.sonar.check.Rule;
import org.sonar.php.checks.utils.CheckUtils;
import org.sonar.php.tree.TreeUtils;
import org.sonar.php.tree.impl.declaration.ClassNamespaceNameTreeImpl;
import org.sonar.php.tree.impl.expression.MemberAccessTreeImpl;
import org.sonar.plugins.php.api.tree.Tree;
import org.sonar.plugins.php.api.tree.declaration.CallArgumentTree;
import org.sonar.plugins.php.api.tree.declaration.NamespaceNameTree;
import org.sonar.plugins.php.api.tree.expression.ArrayInitializerTree;
import org.sonar.plugins.php.api.tree.expression.BinaryExpressionTree;
import org.sonar.plugins.php.api.tree.expression.ExpressionTree;
import org.sonar.plugins.php.api.tree.expression.FunctionCallTree;
import org.sonar.plugins.php.api.tree.expression.ParenthesisedExpressionTree;
import org.sonar.plugins.php.api.tree.expression.VariableIdentifierTree;
import org.sonar.plugins.php.api.visitors.PHPVisitorCheck;
import org.sonar.plugins.php.api.visitors.PreciseIssue;

@Rule(key = "S2755")
/* loaded from: input_file:org/sonar/php/checks/security/XxeCheck.class */
public class XxeCheck extends PHPVisitorCheck {
    private static final String MESSAGE = "Disable access to external entities in XML parsing.";
    private static final String SECONDARY_MESSAGE = "This value enables external entities in XML parsing.";
    private static final String PROPAGATED_MESSAGE = "Propagated settings.";
    private static final String OPTIONS = "options";
    private static final Tree.Kind[] ARRAY = {Tree.Kind.ARRAY_INITIALIZER_BRACKET, Tree.Kind.ARRAY_INITIALIZER_FUNCTION};

    public void visitFunctionCall(FunctionCallTree functionCallTree) {
        String lowerCaseFunctionName = CheckUtils.lowerCaseFunctionName(functionCallTree);
        ExpressionTree callee = functionCallTree.callee();
        if (callee.is(new Tree.Kind[]{Tree.Kind.NAMESPACE_NAME}) && "simplexml_load_string".equals(lowerCaseFunctionName)) {
            CheckUtils.argument(functionCallTree, OPTIONS, 2).ifPresent(callArgumentTree -> {
                checkSimpleXmlOption(callArgumentTree.value(), callArgumentTree);
            });
        } else if (callee.is(new Tree.Kind[]{Tree.Kind.OBJECT_MEMBER_ACCESS})) {
            if ("load".equals(lowerCaseFunctionName) || "loadxml".equals(lowerCaseFunctionName)) {
                CheckUtils.argument(functionCallTree, OPTIONS, 1).ifPresent(callArgumentTree2 -> {
                    checkSimpleXmlOption(callArgumentTree2.value(), callArgumentTree2);
                });
            } else if ("setparserproperty".equals(lowerCaseFunctionName)) {
                checkSetParserProperty(functionCallTree);
            }
        } else if (callee.is(new Tree.Kind[]{Tree.Kind.CLASS_MEMBER_ACCESS}) && "build".equals(lowerCaseFunctionName) && isNamespaceMemberEqualTo("Cake\\Utility\\Xml", callee)) {
            CheckUtils.argument(functionCallTree, OPTIONS, 1).ifPresent(callArgumentTree3 -> {
                checkXmlBuildOption(callArgumentTree3.value(), callArgumentTree3);
            });
        }
        super.visitFunctionCall(functionCallTree);
    }

    private void checkSimpleXmlOption(ExpressionTree expressionTree, Tree tree) {
        if (expressionTree.is(new Tree.Kind[]{Tree.Kind.NAMESPACE_NAME}) && "LIBXML_NOENT".equals(((NamespaceNameTree) expressionTree).unqualifiedName())) {
            createIssue(tree);
            return;
        }
        if (expressionTree.is(new Tree.Kind[]{Tree.Kind.BITWISE_OR})) {
            BinaryExpressionTree binaryExpressionTree = (BinaryExpressionTree) expressionTree;
            checkSimpleXmlOption(binaryExpressionTree.leftOperand(), tree);
            checkSimpleXmlOption(binaryExpressionTree.rightOperand(), tree);
        } else if (expressionTree.is(new Tree.Kind[]{Tree.Kind.PARENTHESISED_EXPRESSION})) {
            checkSimpleXmlOption(((ParenthesisedExpressionTree) expressionTree).expression(), tree);
        } else if (expressionTree.is(new Tree.Kind[]{Tree.Kind.VARIABLE_IDENTIFIER})) {
            CheckUtils.uniqueAssignedValue((VariableIdentifierTree) expressionTree).ifPresent(expressionTree2 -> {
                checkSimpleXmlOption(expressionTree2, tree);
            });
        }
    }

    private void checkSetParserProperty(FunctionCallTree functionCallTree) {
        Optional<CallArgumentTree> argument = CheckUtils.argument(functionCallTree, "property", 0);
        if (argument.isPresent() && "XMLReader::SUBST_ENTITIES".equalsIgnoreCase(CheckUtils.nameOf(argument.get().value()))) {
            Optional<CallArgumentTree> argument2 = CheckUtils.argument(functionCallTree, "value", 1);
            if (argument2.isPresent() && CheckUtils.isTrueValue(argument2.get().value())) {
                createIssue(functionCallTree);
            }
        }
    }

    private void checkXmlBuildOption(ExpressionTree expressionTree, Tree tree) {
        if (expressionTree.is(new Tree.Kind[]{Tree.Kind.VARIABLE_IDENTIFIER})) {
            CheckUtils.uniqueAssignedValue((VariableIdentifierTree) expressionTree).filter(expressionTree2 -> {
                return !expressionTree2.toString().equals(tree.toString());
            }).ifPresent(expressionTree3 -> {
                checkXmlBuildOption(expressionTree3, tree);
            });
        } else if (expressionTree.is(ARRAY)) {
            CheckUtils.arrayValue((ArrayInitializerTree) expressionTree, "loadEntities").ifPresent(expressionTree4 -> {
                raiseIssueIfTrue(expressionTree4, tree);
            });
        }
    }

    private void raiseIssueIfTrue(ExpressionTree expressionTree, Tree tree) {
        ExpressionTree assignedValue = CheckUtils.assignedValue(expressionTree);
        ArrayList arrayList = new ArrayList();
        while (assignedValue.is(new Tree.Kind[]{Tree.Kind.VARIABLE_IDENTIFIER})) {
            arrayList.add(assignedValue);
            assignedValue = CheckUtils.assignedValue(assignedValue);
        }
        if (CheckUtils.isFalseValue(assignedValue)) {
            return;
        }
        PreciseIssue createIssue = createIssue(tree);
        createIssue.secondary(assignedValue, SECONDARY_MESSAGE);
        arrayList.forEach(tree2 -> {
            createIssue.secondary(tree2, PROPAGATED_MESSAGE);
        });
    }

    private PreciseIssue createIssue(Tree tree) {
        return context().newIssue(this, tree, MESSAGE);
    }

    private static Optional<String> namespaceMemberFullQualifiedName(ExpressionTree expressionTree) {
        Optional of = Optional.of(expressionTree);
        Class<MemberAccessTreeImpl> cls = MemberAccessTreeImpl.class;
        Objects.requireNonNull(MemberAccessTreeImpl.class);
        Optional map = of.filter((v1) -> {
            return r1.isInstance(v1);
        }).map(expressionTree2 -> {
            return ((MemberAccessTreeImpl) expressionTree2).object();
        });
        Class<ClassNamespaceNameTreeImpl> cls2 = ClassNamespaceNameTreeImpl.class;
        Objects.requireNonNull(ClassNamespaceNameTreeImpl.class);
        Optional filter = map.filter((v1) -> {
            return r1.isInstance(v1);
        });
        Class<ClassNamespaceNameTreeImpl> cls3 = ClassNamespaceNameTreeImpl.class;
        Objects.requireNonNull(ClassNamespaceNameTreeImpl.class);
        return filter.map((v1) -> {
            return r1.cast(v1);
        }).map(classNamespaceNameTreeImpl -> {
            return classNamespaceNameTreeImpl.symbol().qualifiedName().toString();
        });
    }

    private static boolean isNamespaceMemberEqualTo(String str, ExpressionTree expressionTree) {
        return namespaceMemberFullQualifiedName(expressionTree).filter(str2 -> {
            return str.equalsIgnoreCase(str2) || isNameInNamespaceEqualTo(str, expressionTree, str2);
        }).isPresent();
    }

    private static boolean isNameInNamespaceEqualTo(String str, ExpressionTree expressionTree, String str2) {
        return Optional.ofNullable(TreeUtils.findAncestorWithKind(expressionTree, Collections.singletonList(Tree.Kind.NAMESPACE_STATEMENT))).map((v0) -> {
            return v0.namespaceName();
        }).filter(namespaceNameTree -> {
            return (namespaceNameTree.fullName() + "\\" + str).equalsIgnoreCase(str2);
        }).isPresent();
    }
}
