package org.sonar.php.checks.security;

import org.sonar.check.Rule;
import org.sonar.php.checks.utils.CheckUtils;
import org.sonar.plugins.php.api.tree.Tree;
import org.sonar.plugins.php.api.tree.declaration.CallArgumentTree;
import org.sonar.plugins.php.api.tree.expression.ExpressionTree;
import org.sonar.plugins.php.api.tree.expression.FunctionCallTree;
import org.sonar.plugins.php.api.visitors.PHPVisitorCheck;

/**
 * Reports PHP calls that explicitly set the session identifier (rule S5328, session fixation).
 *
 * <p>A call to {@code session_id(...)} with at least one argument is reported unless the first
 * argument is itself a direct call to {@code session_create_id(...)}. The check is purely
 * syntactic: an identifier that was produced by {@code session_create_id()} but stored in a
 * variable before being passed to {@code session_id()} is still reported, and no data-flow
 * analysis is done to decide whether the value is user-controlled.
 */
@Rule(key = "S5328")
public class SessionFixationCheck extends PHPVisitorCheck {
    private static final String MESSAGE = "Make sure the session ID being set is cryptographically secure and is not user-supplied.";

    /**
     * Raises an issue on the call when it sets a session ID from anything other than a direct
     * {@code session_create_id()} call, then continues the traversal into the call's children.
     *
     * @param functionCallTree the function call being visited
     */
    public void visitFunctionCall(FunctionCallTree functionCallTree) {
        if (setsSessionIdFromOtherSource(functionCallTree)) {
            context().newIssue(this, functionCallTree, MESSAGE);
        }
        super.visitFunctionCall(functionCallTree);
    }

    /**
     * Decides whether the call is {@code session_id(<arg>, ...)} whose first argument is not a
     * direct {@code session_create_id(...)} call.
     */
    private boolean setsSessionIdFromOtherSource(FunctionCallTree call) {
        if (!isFunctionCall(call, "session_id")) {
            return false;
        }
        // session_id() without arguments only reads the current ID, so it is not reported.
        if (!hasArguments(call)) {
            return false;
        }
        return !isFunctionCall(firstCallArgument(call), "session_create_id");
    }

    /**
     * Tells whether the expression is a function call whose lower-cased name equals
     * {@code expectedName}; callers therefore pass the expected name in lower case.
     */
    private static boolean isFunctionCall(ExpressionTree expression, String expectedName) {
        if (!expression.is(Tree.Kind.FUNCTION_CALL)) {
            return false;
        }
        String actualName = CheckUtils.getLowerCaseFunctionName((FunctionCallTree) expression);
        // Comparison is anchored on expectedName, so a null actualName simply yields false.
        return expectedName.equals(actualName);
    }

    /**
     * Returns the value expression of the first call argument. The caller must have verified
     * that the argument list is not empty.
     */
    private static ExpressionTree firstCallArgument(FunctionCallTree call) {
        CallArgumentTree leading = call.callArguments().get(0);
        return leading.value();
    }

    /** Returns {@code true} when the call has at least one argument. */
    private boolean hasArguments(FunctionCallTree call) {
        return !call.callArguments().isEmpty();
    }
}
