package org.sonar.php.checks.security;

import java.util.Optional;
import org.sonar.check.Rule;
import org.sonar.php.checks.utils.CheckUtils;
import org.sonar.plugins.php.api.tree.Tree;
import org.sonar.plugins.php.api.tree.declaration.CallArgumentTree;
import org.sonar.plugins.php.api.tree.declaration.NamespaceNameTree;
import org.sonar.plugins.php.api.tree.expression.BinaryExpressionTree;
import org.sonar.plugins.php.api.tree.expression.ExpressionTree;
import org.sonar.plugins.php.api.tree.expression.FunctionCallTree;
import org.sonar.plugins.php.api.tree.expression.ParenthesisedExpressionTree;
import org.sonar.plugins.php.api.tree.expression.VariableIdentifierTree;
import org.sonar.plugins.php.api.visitors.PHPVisitorCheck;

/**
 * Rule S2755: reports PHP XML-parsing calls that are explicitly configured to substitute entities,
 * which is the setting that exposes a parser to XML External Entity (XXE) processing.
 *
 * <p>Three call shapes are inspected:
 * <ul>
 *   <li>{@code simplexml_load_string(...)} whose {@code options} argument contains {@code LIBXML_NOENT};</li>
 *   <li>{@code ->load(...)} / {@code ->loadXML(...)} whose {@code options} argument contains {@code LIBXML_NOENT};</li>
 *   <li>{@code ->setParserProperty(XMLReader::SUBST_ENTITIES, <true value>)}.</li>
 * </ul>
 *
 * <p>NOTE(review): the method-call branches match on the method name only; the receiver's type is not
 * examined here, so any object exposing a {@code load}/{@code loadXML}/{@code setParserProperty} method
 * is treated alike. Other entry points that accept libxml option flags (for example
 * {@code simplexml_load_file}) are not inspected by this class — confirm whether another rule covers them.
 */
@Rule(key = "S2755")
/* loaded from: input_file:org/sonar/php/checks/security/XxeCheck.class */
public class XxeCheck extends PHPVisitorCheck {
    /**
     * Dispatches each function or method call to the matching XXE check, then continues the traversal.
     *
     * @param functionCallTree the call being visited
     */
    @Override // org.sonar.plugins.php.api.visitors.PHPVisitorCheck, org.sonar.plugins.php.api.visitors.VisitorCheck
    public void visitFunctionCall(FunctionCallTree functionCallTree) {
        String name = CheckUtils.lowerCaseFunctionName(functionCallTree);
        ExpressionTree target = functionCallTree.callee();
        boolean plainFunction = target.is(Tree.Kind.NAMESPACE_NAME);
        if (plainFunction && "simplexml_load_string".equals(name)) {
            // options is the third parameter of simplexml_load_string (index 2).
            reportUnsafeOptionsArgument(functionCallTree, 2);
        } else if (target.is(Tree.Kind.OBJECT_MEMBER_ACCESS)) {
            // Literal-first equals keeps the comparisons safe if no name could be resolved.
            boolean loader = "load".equals(name) || "loadxml".equals(name);
            if (loader) {
                // options is the second parameter of load()/loadXML() (index 1).
                reportUnsafeOptionsArgument(functionCallTree, 1);
            } else if ("setparserproperty".equals(name)) {
                checkSetParserProperty(functionCallTree);
            }
        }
        super.visitFunctionCall(functionCallTree);
    }

    /**
     * Looks up the {@code options} argument (by name, or at the given position) and, when it is
     * present, inspects its value for {@code LIBXML_NOENT}. The issue is attached to the argument.
     */
    private void reportUnsafeOptionsArgument(FunctionCallTree call, int position) {
        CheckUtils.argument(call, "options", position)
            .ifPresent(optionsArgument -> checkSimpleXmlOption(optionsArgument.value(), optionsArgument));
    }

    /**
     * Recursively searches an options expression for the {@code LIBXML_NOENT} flag and raises an
     * issue on {@code tree} for every occurrence found.
     *
     * <p>Only these expression forms are followed: a bare constant name, a bitwise OR of operands,
     * a parenthesised expression, and a variable for which {@link CheckUtils#uniqueAssignedValue}
     * yields a value. Any other form (function results, ternaries, arithmetic, ...) is silently
     * ignored, so a flag built that way is not reported.
     *
     * @param expressionTree the (sub-)expression to inspect
     * @param tree the node on which the issue is reported
     */
    private void checkSimpleXmlOption(ExpressionTree expressionTree, Tree tree) {
        if (expressionTree.is(Tree.Kind.NAMESPACE_NAME)) {
            // NOTE(review): the comparison is exact and case-sensitive on fullName(); how a
            // leading-backslash spelling is rendered by fullName() is not visible here — confirm.
            String constantName = ((NamespaceNameTree) expressionTree).fullName();
            if ("LIBXML_NOENT".equals(constantName)) {
                createIssue(tree);
            }
        } else if (expressionTree.is(Tree.Kind.BITWISE_OR)) {
            // Flags are combined with '|', so both sides have to be searched.
            BinaryExpressionTree orExpression = (BinaryExpressionTree) expressionTree;
            checkSimpleXmlOption(orExpression.leftOperand(), tree);
            checkSimpleXmlOption(orExpression.rightOperand(), tree);
        } else if (expressionTree.is(Tree.Kind.PARENTHESISED_EXPRESSION)) {
            ExpressionTree inner = ((ParenthesisedExpressionTree) expressionTree).expression();
            checkSimpleXmlOption(inner, tree);
        } else if (expressionTree.is(Tree.Kind.VARIABLE_IDENTIFIER)) {
            // Follow the variable to its assigned value when the helper can determine a unique one.
            CheckUtils.uniqueAssignedValue((VariableIdentifierTree) expressionTree)
                .ifPresent(assignedValue -> checkSimpleXmlOption(assignedValue, tree));
        }
    }

    /**
     * Raises an issue on a {@code setParserProperty} call that turns entity substitution on, i.e.
     * whose {@code property} argument is named {@code XMLReader::SUBST_ENTITIES} (compared
     * case-insensitively) and whose {@code value} argument is a true value per
     * {@link CheckUtils#isTrueValue}.
     *
     * @param functionCallTree the {@code setParserProperty} call to inspect
     */
    private void checkSetParserProperty(FunctionCallTree functionCallTree) {
        Optional<CallArgumentTree> property = CheckUtils.argument(functionCallTree, "property", 0);
        if (!property.isPresent()) {
            return;
        }
        String propertyName = CheckUtils.nameOf(property.get().value());
        if (!"XMLReader::SUBST_ENTITIES".equalsIgnoreCase(propertyName)) {
            return;
        }
        // The value argument is only looked up once the property is known to be SUBST_ENTITIES.
        boolean enabled = CheckUtils.argument(functionCallTree, "value", 1)
            .filter(valueArgument -> CheckUtils.isTrueValue(valueArgument.value()))
            .isPresent();
        if (enabled) {
            createIssue(functionCallTree);
        }
    }

    /** Reports the rule's single, fixed message on the given node. */
    private void createIssue(Tree tree) {
        context().newIssue(this, tree, "Disable access to external entities in XML parsing.");
    }
}
