package org.owasp.csrfguard.servlet;

import java.io.IOException;
import java.io.OutputStream;
import java.io.PrintWriter;
import java.nio.charset.Charset;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.ServletConfig;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.owasp.csrfguard.CsrfGuard;
import org.owasp.csrfguard.CsrfGuardServletContextListener;
import org.owasp.csrfguard.log.LogLevel;
import org.owasp.csrfguard.util.CsrfGuardUtils;
import org.owasp.csrfguard.util.Streams;
import org.owasp.csrfguard.util.Writers;

/* loaded from: input_file:csrfguard-3.1.0.jar:org/owasp/csrfguard/servlet/JavaScriptServlet.class */
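/**
 * Serves the CSRFGuard client-side script and token endpoints.
 *
 * <p>{@code GET} returns the JavaScript template with the placeholders below substituted
 * (including the session's CSRF token), after the configured Referer checks.
 * {@code POST} returns either {@code tokenName:tokenValue} when the request carries the
 * {@code FETCH-CSRF-TOKEN} header, or the per-page token list when token-per-page is enabled.
 *
 * <p>Changes relative to the original: a request failing both Referer checks no longer calls
 * {@code sendError} twice (the second call throws once the response is committed); response
 * bodies are always written as UTF-8 with a byte-accurate {@code Content-Length} instead of
 * the platform default charset; the static URI set is synchronized, since servlet requests
 * run concurrently; and {@code parseDomain} no longer drops two characters when the URL has
 * no {@code ://}.
 */
public final class JavaScriptServlet extends HttpServlet {
    private static final long serialVersionUID = -1459584282530150483L;

    /* Placeholders substituted into the JavaScript template by writeJavaScript(). */
    private static final String TOKEN_NAME_IDENTIFIER = "%TOKEN_NAME%";
    private static final String TOKEN_VALUE_IDENTIFIER = "%TOKEN_VALUE%";
    private static final String DOMAIN_ORIGIN_IDENTIFIER = "%DOMAIN_ORIGIN%";
    private static final String DOMAIN_STRICT_IDENTIFIER = "%DOMAIN_STRICT%";
    private static final String INJECT_INTO_XHR_IDENTIFIER = "%INJECT_XHR%";
    private static final String INJECT_INTO_FORMS_IDENTIFIER = "%INJECT_FORMS%";
    private static final String INJECT_GET_FORMS_IDENTIFIER = "%INJECT_GET_FORMS%";
    private static final String INJECT_FORM_ATTRIBUTES_IDENTIFIER = "%INJECT_FORM_ATTRIBUTES%";
    private static final String INJECT_INTO_ATTRIBUTES_IDENTIFIER = "%INJECT_ATTRIBUTES%";
    private static final String CONTEXT_PATH_IDENTIFIER = "%CONTEXT_PATH%";
    private static final String SERVLET_PATH_IDENTIFIER = "%SERVLET_PATH%";
    private static final String X_REQUESTED_WITH_IDENTIFIER = "%X_REQUESTED_WITH%";
    private static final String TOKENS_PER_PAGE_IDENTIFIER = "%TOKENS_PER_PAGE%";

    /** Charset used for every response body written by this servlet. */
    private static final Charset RESPONSE_CHARSET = Charset.forName("UTF-8");

    /** Upper bound on the number of distinct servlet URIs remembered in {@link #javascriptUris}. */
    private static final int MAX_RECORDED_URIS = 100;

    /** Set once by the container in init(); read from request threads, hence volatile. */
    private static volatile ServletConfig servletConfig = null;

    /**
     * URIs (context path + servlet path) on which this servlet has served the script.
     * Requests run concurrently, so the set is a synchronized view; callers iterating the
     * set returned by {@link #getJavascriptUris()} must hold its monitor.
     */
    private static final Set<String> javascriptUris = Collections.synchronizedSet(new HashSet<String>());

    /**
     * Returns the {@link ServletConfig} captured by {@link #init(ServletConfig)}, or
     * {@code null} before the servlet has been initialised.
     */
    public static ServletConfig getStaticServletConfig() {
        return servletConfig;
    }

    /**
     * Captures the servlet configuration and, if configured, prints the effective
     * CSRFGuard properties now that the JavaScript settings are initialised.
     */
    @Override
    public void init(ServletConfig servletConfig2) {
        servletConfig = servletConfig2;
        CsrfGuardServletContextListener.printConfigIfConfigured(servletConfig2.getServletContext(), "Printing properties after Javascript servlet, note, the javascript properties have now been initialized: ");
    }

    /**
     * Serves the CSRFGuard script, after applying the configured Referer checks.
     * A rejected request receives a 404 and no body.
     *
     * @throws IOException if the response cannot be written
     */
    @Override
    public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (!isRefererAcceptable(httpServletRequest, httpServletResponse)) {
            return;
        }
        recordServletUri(httpServletRequest.getContextPath() + httpServletRequest.getServletPath());
        writeJavaScript(httpServletRequest, httpServletResponse);
    }

    /**
     * Returns the (synchronized, mutable) set of URIs on which the script has been served.
     * Iterate it only while holding its monitor.
     */
    public static Set<String> getJavascriptUris() {
        return javascriptUris;
    }

    /**
     * Returns the session token ({@code name:value}) when the {@code FETCH-CSRF-TOKEN}
     * header is present; otherwise returns the per-page tokens if that feature is enabled,
     * and a 404 if it is not or CSRFGuard is not initialised.
     *
     * @throws IOException if the response cannot be written
     */
    @Override
    public void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        CsrfGuard csrfGuard = CsrfGuard.getInstance();
        String fetchHeader = httpServletRequest.getHeader("FETCH-CSRF-TOKEN");
        if (csrfGuard != null && fetchHeader != null) {
            fetchCsrfToken(httpServletRequest, httpServletResponse);
        } else if (csrfGuard == null || !csrfGuard.isTokenPerPageEnabled()) {
            httpServletResponse.sendError(404);
        } else {
            writePageTokens(httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Applies the Referer checks configured on {@link CsrfGuard}: the header must match the
     * JavaScript referer pattern and, when enabled, its protocol and domain must equal those
     * of the request URL. On the first failure a 404 is sent, the mismatch is logged, and
     * {@code false} is returned; the caller must then write nothing else.
     */
    private static boolean isRefererAcceptable(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String referer = request.getHeader("referer");
        if (referer == null) {
            // NOTE(review): a request that carries no Referer header passes both checks below
            // and receives the script (which embeds the session token). Confirm this is
            // acceptable for the deployment; the original code behaves the same way.
            return true;
        }
        CsrfGuard csrfGuard = CsrfGuard.getInstance();
        Pattern refererPattern = csrfGuard.getJavascriptRefererPattern();
        if (!refererPattern.matcher(referer).matches()) {
            csrfGuard.getLogger().log(LogLevel.Error, "Referer domain " + referer + " does not match regex: " + refererPattern.pattern());
            response.sendError(404);
            return false;
        }
        if (csrfGuard.isJavascriptRefererMatchDomain()) {
            String requestUrl = request.getRequestURL().toString();
            if (!CsrfGuardUtils.httpProtocolAndDomain(referer).equals(CsrfGuardUtils.httpProtocolAndDomain(requestUrl))) {
                csrfGuard.getLogger().log(LogLevel.Error, "Referer domain " + referer + " does not match request domain: " + requestUrl);
                response.sendError(404);
                return false;
            }
        }
        return true;
    }

    /**
     * Remembers the URI this servlet answered on, capped at {@link #MAX_RECORDED_URIS}
     * entries. The size check and the add happen under the set's monitor so concurrent
     * requests cannot exceed the cap.
     */
    private static void recordServletUri(String uri) {
        synchronized (javascriptUris) {
            if (javascriptUris.size() < MAX_RECORDED_URIS) {
                javascriptUris.add(uri);
            }
        }
    }

    /**
     * Writes {@code tokenName:tokenValue} for the current session as text/plain.
     * The only gate for this endpoint is {@link #doPost}'s check that the
     * {@code FETCH-CSRF-TOKEN} header is present.
     */
    private void fetchCsrfToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        HttpSession session = httpServletRequest.getSession(true);
        CsrfGuard csrfGuard = CsrfGuard.getInstance();
        // A missing session token is rendered as the literal "null", as in the original.
        String tokenValue = (String) session.getAttribute(csrfGuard.getSessionKey());
        String body = csrfGuard.getTokenName() + ":" + tokenValue;
        writeTextResponse(httpServletResponse, "text/plain", body);
    }

    /**
     * Writes the per-page tokens stored in the session as {@code uri:token,uri:token,...};
     * an empty body when no page-token map exists yet.
     */
    private void writePageTokens(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        @SuppressWarnings("unchecked") // the session attribute is populated by CsrfGuard as Map<String, String>
        Map<String, String> pageTokens = (Map<String, String>) httpServletRequest.getSession(true).getAttribute(CsrfGuard.PAGE_TOKENS_KEY);
        String body = pageTokens != null ? parsePageTokens(pageTokens) : "";
        writeTextResponse(httpServletResponse, "text/plain", body);
    }

    /**
     * Renders the JavaScript template with every placeholder substituted and writes it as
     * text/javascript. When tokens rotate or differ per page the script embeds a
     * request-specific token, so caching is disabled; otherwise the configured
     * Cache-Control value is used.
     */
    private void writeJavaScript(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        HttpSession session = httpServletRequest.getSession(true);
        CsrfGuard csrfGuard = CsrfGuard.getInstance();
        if (csrfGuard.isRotateEnabled() || csrfGuard.isTokenPerPageEnabled()) {
            httpServletResponse.setHeader("Cache-Control", "no-cache, no-store");
            httpServletResponse.setHeader("Pragma", "no-cache");
            httpServletResponse.setHeader("Expires", "0");
        } else {
            httpServletResponse.setHeader("Cache-Control", csrfGuard.getJavascriptCacheControl());
        }
        String tokenValue = (String) session.getAttribute(csrfGuard.getSessionKey());
        String contextPath = httpServletRequest.getContextPath();
        String servletPath = contextPath + httpServletRequest.getServletPath();
        // Substitution order is kept identical to the original template processing.
        String script = csrfGuard.getJavascriptTemplateCode()
                .replace(TOKEN_NAME_IDENTIFIER, CsrfGuardUtils.defaultString(csrfGuard.getTokenName()))
                .replace(TOKEN_VALUE_IDENTIFIER, CsrfGuardUtils.defaultString(tokenValue))
                .replace(INJECT_INTO_FORMS_IDENTIFIER, Boolean.toString(csrfGuard.isJavascriptInjectIntoForms()))
                .replace(INJECT_GET_FORMS_IDENTIFIER, Boolean.toString(csrfGuard.isJavascriptInjectGetForms()))
                .replace(INJECT_FORM_ATTRIBUTES_IDENTIFIER, Boolean.toString(csrfGuard.isJavascriptInjectFormAttributes()))
                .replace(INJECT_INTO_ATTRIBUTES_IDENTIFIER, Boolean.toString(csrfGuard.isJavascriptInjectIntoAttributes()))
                .replace(INJECT_INTO_XHR_IDENTIFIER, String.valueOf(csrfGuard.isAjaxEnabled()))
                .replace(TOKENS_PER_PAGE_IDENTIFIER, String.valueOf(csrfGuard.isTokenPerPageEnabled()))
                .replace(DOMAIN_ORIGIN_IDENTIFIER, CsrfGuardUtils.defaultString(parseDomain(httpServletRequest.getRequestURL())))
                .replace(DOMAIN_STRICT_IDENTIFIER, Boolean.toString(csrfGuard.isJavascriptDomainStrict()))
                .replace(CONTEXT_PATH_IDENTIFIER, CsrfGuardUtils.defaultString(contextPath))
                .replace(SERVLET_PATH_IDENTIFIER, CsrfGuardUtils.defaultString(servletPath))
                .replace(X_REQUESTED_WITH_IDENTIFIER, CsrfGuardUtils.defaultString(csrfGuard.getJavascriptXrequestedWith()));
        writeTextResponse(httpServletResponse, "text/javascript", script);
    }

    /**
     * Writes {@code body} as the complete response, UTF-8 encoded, with the charset declared
     * on the response and a Content-Length computed from the encoded bytes (not the char
     * count) so the two agree for non-ASCII content.
     *
     * @param response    the response to write to
     * @param contentType the media type without charset parameter
     * @param body        the text to send
     * @throws IOException if the output stream cannot be obtained or written
     */
    private static void writeTextResponse(HttpServletResponse response, String contentType, String body) throws IOException {
        byte[] bytes = body.getBytes(RESPONSE_CHARSET);
        response.setCharacterEncoding("UTF-8");
        response.setContentType(contentType);
        response.setContentLength(bytes.length);
        OutputStream outputStream = null;
        try {
            outputStream = response.getOutputStream();
            outputStream.write(bytes);
            outputStream.flush();
        } finally {
            Streams.close(outputStream);
        }
    }

    /**
     * Serialises the page-token map as {@code key:value} pairs joined by commas, in the
     * map's iteration order; an empty map yields an empty string.
     */
    private static String parsePageTokens(Map<String, String> pageTokens) {
        StringBuilder out = new StringBuilder();
        Iterator<Map.Entry<String, String>> entries = pageTokens.entrySet().iterator();
        while (entries.hasNext()) {
            Map.Entry<String, String> entry = entries.next();
            out.append(entry.getKey()).append(':').append(entry.getValue());
            if (entries.hasNext()) {
                out.append(',');
            }
        }
        return out.toString();
    }

    /**
     * Extracts the host part of a URL: the characters after {@code ://} up to the first
     * {@code '/'} or {@code ':'}. If the URL has no {@code ://}, scanning starts at index 0
     * rather than skipping two characters as the original did.
     */
    private static String parseDomain(StringBuffer requestUrl) {
        String url = requestUrl.toString();
        int schemeEnd = url.indexOf("://");
        int start = schemeEnd < 0 ? 0 : schemeEnd + "://".length();
        int end = start;
        while (end < url.length()) {
            char c = url.charAt(end);
            if (c == '/' || c == ':') {
                break;
            }
            end++;
        }
        return url.substring(start, end);
    }
}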
