package org.jahia.modules.webflowfilter;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Set;
import java.util.stream.Collectors;
import javax.lang.model.SourceVersion;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.jahia.bin.filters.AbstractServletFilter;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.PropertyAccessorUtils;

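/**
 * Servlet filter that screens request parameter names on {@code /cms/*} before they reach
 * Spring Web Flow data binding.
 *
 * <p>The filter only acts on requests that carry a parameter whose name starts with
 * {@code webflowexecution}. For those requests, every parameter name that starts with
 * {@code _} or contains {@code classLoader} must be a well-formed property path (each
 * dot-separated segment a valid Java name); otherwise the request is answered with
 * HTTP 400 and a warning is logged.
 *
 * <p>NOTE(review): the check is purely syntactic. A name containing {@code classLoader}
 * that is a well-formed property path is still forwarded, and the substring match is
 * case-sensitive. If the intent is to refuse binding to class-loader properties
 * altogether, that needs an explicit deny rule in addition to this filter.
 */
@Component(immediate = true, service = {AbstractServletFilter.class})
public class WebflowFilter extends AbstractServletFilter {
    private static final Logger logger = LoggerFactory.getLogger(WebflowFilter.class);

    /** No initialisation is required; the URL pattern is set in {@link #activate()}. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /** OSGi activation hook: restricts the filter to the {@code /cms/*} URL space. */
    @Activate
    public void activate() {
        setUrlPatterns(new String[]{"/cms/*"});
    }

    /**
     * Forwards the request unless it is a web flow request carrying a screened parameter
     * name that is not a well-formed property path.
     *
     * @param servletRequest  incoming request; only its parameter names are inspected
     * @param servletResponse response, used to send HTTP 400 on rejection
     * @param filterChain     remainder of the chain, invoked when the request is accepted
     * @throws IOException      if sending the error or the downstream chain fails
     * @throws ServletException if the downstream chain fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        Set<String> parameterNames = servletRequest.getParameterMap().keySet();

        boolean webflowRequest = false;
        for (String name : parameterNames) {
            if (name.startsWith("webflowexecution")) {
                webflowRequest = true;
                break;
            }
        }
        if (!webflowRequest) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        // Evaluate the screened names once; the result drives both the decision and the log line.
        ArrayList<String> rejected = new ArrayList<>();
        for (String name : parameterNames) {
            if (isScreened(name) && !checkValidExpression(name)) {
                rejected.add(name);
            }
        }
        if (rejected.isEmpty()) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        // Log before answering so the event is recorded even if sendError fails
        // (for example because the response is already committed).
        if (logger.isWarnEnabled()) {
            ArrayList<String> printable = new ArrayList<>(rejected.size());
            for (String name : rejected) {
                // Parameter names are attacker-controlled: neutralise control characters
                // so a name cannot forge additional log lines.
                printable.add(sanitizeForLog(name));
            }
            // getRemoteAddr() is the direct peer; behind a reverse proxy this is the proxy address.
            logger.warn("Invalid parameters sent to webflow, potential attack from {} : {}", servletRequest.getRemoteAddr(), String.join(",", printable));
        }
        ((HttpServletResponse) servletResponse).sendError(HttpServletResponse.SC_BAD_REQUEST);
    }

    /** Returns whether a parameter name falls under the syntax check. */
    private static boolean isScreened(String name) {
        return name.startsWith("_") || name.contains("classLoader");
    }

    /** Replaces ISO control characters (CR, LF, tab, ...) with {@code _} for safe logging. */
    private static String sanitizeForLog(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            out.append(Character.isISOControl(c) ? '_' : c);
        }
        return out.toString();
    }

    /**
     * Checks that a parameter name is a well-formed nested property path.
     *
     * <p>The path is split at each nested-property separator found by
     * {@link PropertyAccessorUtils#getFirstNestedPropertySeparatorIndex(String)}. Each segment
     * is reduced with {@link PropertyAccessorUtils#getPropertyName(String)} and must satisfy
     * {@link SourceVersion#isName(CharSequence)}. A path ending in a separator is rejected.
     *
     * @param str parameter name to check
     * @return {@code true} if every segment is a valid name, {@code false} otherwise
     */
    private boolean checkValidExpression(String str) {
        String remaining = str;
        while (true) {
            int separatorIndex = PropertyAccessorUtils.getFirstNestedPropertySeparatorIndex(remaining);
            String segment = separatorIndex != -1 ? remaining.substring(0, separatorIndex) : remaining;
            if (!SourceVersion.isName(PropertyAccessorUtils.getPropertyName(segment))) {
                return false;
            }
            if (separatorIndex == -1) {
                return true;
            }
            if (remaining.length() == separatorIndex + 1) {
                // Trailing separator with nothing after it.
                return false;
            }
            remaining = remaining.substring(separatorIndex + 1);
        }
    }
}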
