package io.codemodder.codemods;

import com.contrastsecurity.sarif.Result;
import com.github.javaparser.ast.CompilationUnit;
import com.github.javaparser.ast.Node;
import com.github.javaparser.ast.body.FieldDeclaration;
import com.github.javaparser.ast.body.VariableDeclarator;
import com.github.javaparser.ast.expr.Expression;
import com.github.javaparser.ast.expr.MethodCallExpr;
import com.github.javaparser.ast.expr.NameExpr;
import com.github.javaparser.ast.expr.ObjectCreationExpr;
import com.github.javaparser.ast.expr.VariableDeclarationExpr;
import com.github.javaparser.ast.stmt.ExpressionStmt;
import com.github.javaparser.ast.stmt.Statement;
import com.github.javaparser.ast.stmt.TryStmt;
import io.codemodder.Codemod;
import io.codemodder.CodemodInvocationContext;
import io.codemodder.CodemodReporterStrategy;
import io.codemodder.CompositeJavaParserChanger;
import io.codemodder.DependencyGAV;
import io.codemodder.Importance;
import io.codemodder.RegionNodeMatcher;
import io.codemodder.ReviewGuidance;
import io.codemodder.RuleSarif;
import io.codemodder.SarifPluginJavaParserChanger;
import io.codemodder.ast.ASTTransforms;
import io.codemodder.javaparser.JavaParserChanger;
import io.codemodder.javaparser.JavaParserTransformer;
import io.codemodder.providers.sarif.semgrep.SemgrepScan;
import io.github.pixee.security.ObjectInputFilters;
import java.util.List;
import java.util.Optional;
import javax.inject.Inject;

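/**
 * Hardens Java native deserialization by routing {@code ObjectInputStream} construction through
 * the java-security-toolkit's {@link ObjectInputFilters} helpers.
 *
 * <p>Two source shapes are handled, each driven by its own Semgrep rule:
 *
 * <ul>
 *   <li>the "anonymous" shape, where the stream is created inline (an {@link ObjectCreationExpr})
 *       and is replaced wholesale by {@code createSafeObjectInputStream(...)} with the same
 *       arguments;
 *   <li>the "variable declaration" shape, where the stream is bound to a local variable and an
 *       {@code ObjectInputFilters.enableObjectFilterIfUnprotected(var)} call is inserted right
 *       after the declaring statement (or as the first statement of the try body when the
 *       declaration is a try-with-resources resource).
 * </ul>
 *
 * <p>The filter only protects reads that happen after it is installed, so the insertion points
 * above are chosen to precede any {@code readObject()} in the same scope. Streams declared as
 * fields are deliberately skipped: there is no statement after which the call could be placed.
 *
 * <p>NOTE(review): the filter policy itself lives in the toolkit and is not visible here;
 * {@code MERGE_WITHOUT_REVIEW} presumes it does not reject classes the application legitimately
 * deserializes — confirm against the toolkit's filter before relying on it.
 */
@Codemod(
        id = "pixee:java/harden-java-deserialization",
        importance = Importance.HIGH,
        reviewGuidance = ReviewGuidance.MERGE_WITHOUT_REVIEW)
public final class HardenJavaDeserializationCodemod extends CompositeJavaParserChanger {

    /**
     * Handles the inline shape: the {@link ObjectCreationExpr} flagged by the
     * {@code harden-java-deserialization-anonymous} rule (presumably {@code new
     * ObjectInputStream(...)}) is replaced by a statically imported
     * {@code createSafeObjectInputStream(...)} call taking the same arguments.
     */
    private static final class AnonymousDeserializationShapeChanger
            extends SarifPluginJavaParserChanger<ObjectCreationExpr> {

        @Inject
        public AnonymousDeserializationShapeChanger(
                @SemgrepScan(ruleId = "harden-java-deserialization-anonymous") RuleSarif ruleSarif) {
            super(
                    ruleSarif,
                    ObjectCreationExpr.class,
                    RegionNodeMatcher.MATCHES_START,
                    CodemodReporterStrategy.empty());
        }

        /**
         * Swaps the constructor call for the toolkit's safe factory.
         *
         * @param codemodInvocationContext invocation context (unused here)
         * @param compilationUnit the unit being rewritten
         * @param objectCreationExpr the flagged {@code new ...(...)} expression
         * @param result the SARIF result that matched it
         * @return always {@code true}: the replacement is unconditional
         */
        @Override
        public boolean onResultFound(
                CodemodInvocationContext codemodInvocationContext,
                CompilationUnit compilationUnit,
                ObjectCreationExpr objectCreationExpr,
                Result result) {
            JavaParserTransformer.replace(objectCreationExpr)
                    .withStaticMethod(ObjectInputFilters.class.getName(), "createSafeObjectInputStream")
                    .withStaticImport()
                    .withSameArguments();
            return true;
        }

        /** The replacement references the toolkit, so the build must depend on it. */
        @Override
        public List<DependencyGAV> dependenciesRequired() {
            return List.of(DependencyGAV.JAVA_SECURITY_TOOLKIT);
        }
    }

    /**
     * Handles the local-variable shape: after a {@link VariableDeclarator} flagged by the
     * {@code harden-java-deserialization} rule, inserts
     * {@code ObjectInputFilters.enableObjectFilterIfUnprotected(var)} so the filter is installed
     * before the stream is read from.
     */
    private static final class VariableDeclarationDeserializationShapeChanger
            extends SarifPluginJavaParserChanger<VariableDeclarator> {

        @Inject
        public VariableDeclarationDeserializationShapeChanger(
                @SemgrepScan(ruleId = "harden-java-deserialization") RuleSarif ruleSarif) {
            super(
                    ruleSarif,
                    VariableDeclarator.class,
                    RegionNodeMatcher.MATCHES_START,
                    CodemodReporterStrategy.empty());
        }

        /**
         * Inserts the hardening call next to the declaration.
         *
         * <p>Only local declarations ({@link VariableDeclarationExpr}) are handled; field
         * declarations and any other parent shape return {@code false} unchanged. A local
         * declaration is hardened when it is either a plain {@link ExpressionStmt} (call goes
         * right after it) or a try-with-resources resource (call becomes the first statement of
         * the try body, which still precedes any read in that body).
         *
         * @param codemodInvocationContext invocation context (unused here)
         * @param compilationUnit the unit being rewritten; receives the toolkit import
         * @param variableDeclarator the flagged declarator naming the stream variable
         * @param result the SARIF result that matched it
         * @return {@code true} if a hardening statement was inserted, {@code false} otherwise
         */
        @Override
        public boolean onResultFound(
                CodemodInvocationContext codemodInvocationContext,
                CompilationUnit compilationUnit,
                VariableDeclarator variableDeclarator,
                Result result) {
            // Fields (FieldDeclaration parent) and anything that is not a local declaration
            // have no statement to anchor the call to.
            Optional<Node> parent = variableDeclarator.getParentNode();
            if (parent.isEmpty() || !(parent.get() instanceof VariableDeclarationExpr)) {
                return false;
            }
            // The original dereferenced this Optional unchecked; a detached node would throw.
            Optional<Node> owner = parent.get().getParentNode();
            if (owner.isEmpty()) {
                return false;
            }

            Statement hardening = generateFilterHardeningStatement(variableDeclarator.getNameAsExpression());
            Node ownerNode = owner.get();
            if (ownerNode instanceof ExpressionStmt) {
                ASTTransforms.addStatementAfterStatement((ExpressionStmt) ownerNode, hardening);
            } else if (ownerNode instanceof TryStmt) {
                // try-with-resources: the filter must be enabled before the body reads anything.
                List<Statement> body = ((TryStmt) ownerNode).getTryBlock().getStatements();
                if (body.isEmpty()) {
                    // Nothing to insert before; indexing get(0) on an empty body would throw.
                    ((TryStmt) ownerNode).getTryBlock().addStatement(hardening);
                } else {
                    ASTTransforms.addStatementBeforeStatement(body.get(0), hardening);
                }
            } else {
                return false;
            }
            // The generated call uses the simple class name, so the import is required.
            ASTTransforms.addImportIfMissing(compilationUnit, ObjectInputFilters.class.getName());
            return true;
        }

        /**
         * Builds {@code ObjectInputFilters.enableObjectFilterIfUnprotected(<expression>);}.
         * Uses the simple name; the caller is responsible for adding the import.
         */
        private Statement generateFilterHardeningStatement(Expression expression) {
            MethodCallExpr call =
                    new MethodCallExpr(
                            new NameExpr(ObjectInputFilters.class.getSimpleName()),
                            "enableObjectFilterIfUnprotected");
            call.addArgument(expression);
            return new ExpressionStmt(call);
        }

        /** The inserted call references the toolkit, so the build must depend on it. */
        @Override
        public List<DependencyGAV> dependenciesRequired() {
            return List.of(DependencyGAV.JAVA_SECURITY_TOOLKIT);
        }
    }

    /**
     * Composes the two shape changers; both run over the same compilation unit.
     *
     * @param variableDeclarationDeserializationShapeChanger handler for the local-variable shape
     * @param anonymousDeserializationShapeChanger handler for the inline construction shape
     */
    @Inject
    public HardenJavaDeserializationCodemod(
            VariableDeclarationDeserializationShapeChanger variableDeclarationDeserializationShapeChanger,
            AnonymousDeserializationShapeChanger anonymousDeserializationShapeChanger) {
        super(
                new JavaParserChanger[] {
                    variableDeclarationDeserializationShapeChanger, anonymousDeserializationShapeChanger
                });
    }
}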
