package com.atlassian.jira.security.xsrf;

import com.atlassian.jira.config.properties.JiraSystemProperties;
import com.atlassian.jira.ofbiz.JiraSQLInterceptorFactory;
import com.atlassian.jira.util.collect.CollectionBuilder;
import com.atlassian.jira.util.log.Log4jKit;
import com.atlassian.jira.web.action.JiraWebActionSupport;
import electric.util.wml.IWMLConstants;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.lang.reflect.Method;
import java.nio.charset.Charset;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.io.IOUtils;
import org.apache.commons.io.LineIterator;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.ofbiz.core.entity.jdbc.interceptors.connection.ConnectionPoolState;
import org.ofbiz.core.entity.jdbc.interceptors.connection.SQLConnectionInterceptor;
import org.osgi.framework.AdminPermission;
import org.slf4j.MDC;
import webwork.action.ActionContext;
import webwork.action.ActionSupport;

/* loaded from: input_file:WEB-INF/classes/com/atlassian/jira/security/xsrf/XsrfVulnerabilityDetectionSQLInterceptor.class */
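/**
 * Diagnostic SQL interceptor that flags web actions which mutate the database without carrying an
 * XSRF check.
 * <p>
 * It is inert unless {@link JiraSystemProperties#isXsrfDiagnostics()} is on. When a mutating statement
 * runs inside an HTTP request, the first such statement of the request has its call stack inspected:
 * if the stack is not on a known-benign path and the originating action's {@code doXxx()} method is not
 * annotated with {@link RequiresXsrfCheck}, the request URL, statement text and stack are logged at
 * ERROR. The check is a heuristic based on stack-frame class/method names, runs at most once per
 * request, and is not a security control itself - it only reports.
 * <p>
 * Note on logging: only the statement text is logged, never the bound parameter values, so secrets
 * passed as parameters do not end up in the log.
 */
public class XsrfVulnerabilityDetectionSQLInterceptor implements SQLConnectionInterceptor {
    /** Request attribute marking that this request has already been analysed (the check runs once per request). */
    private static final String XSRF_VULNERABILITY_DETECTION_SQLINTERCEPTOR_DONE = "XsrfVulnerabilityDetectionSQLInterceptorDone";
    /** Classpath resource listing the action classes expected to carry the XSRF annotation. */
    private static final String WHITE_LIST_RESOURCE = "/security/xsrf/xsrf-white-list.txt";
    private static final Logger log = Logger.getLogger(XsrfVulnerabilityDetectionSQLInterceptor.class);

    /**
     * Fully qualified {@code Class.method} names; a stack containing any of them is a known non-action
     * mutation path (startup, login bookkeeping, user history) and is never reported.
     */
    static final List<String> methodsToIgnore = CollectionBuilder.list("com.atlassian.sal.jira.lifecycle.JiraLifecycleManager.onJiraStart", "com.atlassian.jira.security.login.LoginStoreImpl.recordLoginAttempt", "com.atlassian.jira.user.DefaultUserHistoryManager.addItemToHistory");

    /**
     * Action class names (fully qualified or simple) read from {@link #WHITE_LIST_RESOURCE} when this
     * class is initialised. Populated only by the static initialiser and not modified afterwards.
     */
    static final List<String> actionWhiteList = new ArrayList<String>();

    /**
     * A throwable created purely to capture the calling thread's stack; it is never thrown.
     * Frame 0 is the innermost frame (this constructor); higher indices are further up the call chain.
     */
    public static class CallStack extends RuntimeException {
        private CallStack() {
        }

        /**
         * @return {@code false} if any captured frame is one of {@link #methodsToIgnore}, meaning the SQL
         *         came from a path that is expected to mutate outside an action; {@code true} otherwise.
         */
        public boolean hasMethodsWeAreInterestedIn() {
            for (StackTraceElement frame : getStackTrace()) {
                if (methodsToIgnore.contains(frame.getClassName() + "." + frame.getMethodName())) {
                    return false;
                }
            }
            return true;
        }

        /**
         * Locates the webwork action whose {@code doXxx()} method is on this stack and reports whether
         * that method is annotated with {@link RequiresXsrfCheck}.
         * <p>
         * The first {@code ActionSupport.execute()} frame with a recognisable action method beneath it
         * decides the result; the scan stops there. (The decompiled original neither advanced nor left
         * the loop after finding the action, so it could never terminate normally.)
         *
         * @return {@code true} if the action method carries the annotation; {@code false} if it does not,
         *         if no action frame is found, or if the action class/method cannot be resolved.
         * @throws RuntimeException if the annotation and the white list disagree (see {@link #checkAction}).
         */
        public boolean isProtectedAction() {
            final StackTraceElement[] stackTrace = getStackTrace();
            for (int i = 0; i < stackTrace.length; i++) {
                if (!isActionSupport_execute(stackTrace[i])) {
                    continue;
                }
                final StackTraceElement actionFrame = findActionStackTraceElement(stackTrace, i);
                if (actionFrame == null) {
                    continue;
                }
                return checkAction(actionFrame);
            }
            return false;
        }

        /**
         * Resolves the action method behind {@code actionFrame} and returns whether it is annotated with
         * {@link RequiresXsrfCheck}. The annotation is also cross-checked against the white list: an
         * annotated action that is not listed, or a listed action that is not annotated, is a
         * configuration error and is reported by throwing (this code only runs in diagnostics mode).
         *
         * @return {@code true} only if the method was found and is annotated.
         */
        private boolean checkAction(StackTraceElement actionFrame) {
            final String actionName = actionFrame.getClassName() + "." + actionFrame.getMethodName();
            final Class<?> actionClass;
            try {
                actionClass = Class.forName(actionFrame.getClassName());
            } catch (ClassNotFoundException e) {
                // The class may live in a class loader this interceptor cannot see; report it as unresolved
                // instead of silently dropping the failure.
                log.debug("Unable to load action class for " + actionName, e);
                return false;
            }
            final Method actionMethod = getMethod(actionClass, actionFrame.getMethodName());
            if (actionMethod == null) {
                return false;
            }
            final boolean annotated = actionMethod.isAnnotationPresent(RequiresXsrfCheck.class);
            log.info("ACTION: " + actionName + " PROTECTED: " + annotated);
            final boolean whiteListed = isActionInWhiteList(actionClass);
            if (annotated && !whiteListed) {
                throw new RuntimeException("ACTION: " + actionName + " has XSRF annotated but its not in the whitelist");
            }
            if (!annotated && whiteListed) {
                throw new RuntimeException("XSRF white list failure");
            }
            return annotated;
        }

        /**
         * Given the index of an {@code ActionSupport.execute()} frame, returns the action's {@code doXxx()}
         * frame beneath it, or {@code null} if {@code execute()} was not reached via
         * {@code ActionSupport.invokeCommand()} or no such frame exists.
         * The search walks towards frame 0, i.e. into the callees of {@code execute()}.
         */
        private StackTraceElement findActionStackTraceElement(StackTraceElement[] stackTrace, int executeIndex) {
            // Guard the executeIndex - 1 lookup; frame 0 is always this constructor, but be explicit.
            if (executeIndex < 1 || !isActionSupport_invokeCommand(stackTrace[executeIndex - 1])) {
                return null;
            }
            for (int j = executeIndex; j >= 0; j--) {
                if (isActionDoMethod(stackTrace[j])) {
                    return stackTrace[j];
                }
            }
            return null;
        }

        private boolean isActionSupport_invokeCommand(StackTraceElement frame) {
            return ActionSupport.class.getName().equals(frame.getClassName()) && "invokeCommand".equals(frame.getMethodName());
        }

        private boolean isActionSupport_execute(StackTraceElement frame) {
            // Plain method-name comparison; the decompiled form had folded this literal into an unrelated OSGi constant.
            return ActionSupport.class.getName().equals(frame.getClassName()) && "execute".equals(frame.getMethodName());
        }

        /**
         * True if the frame is a method named {@code do...} on an {@link ActionSupport} subclass
         * (the webwork command-method naming convention - confirm against ActionSupport if in doubt).
         */
        private boolean isActionDoMethod(StackTraceElement frame) {
            final Class<?> frameClass = getClassOfElement(frame);
            return frameClass != null && ActionSupport.class.isAssignableFrom(frameClass) && frame.getMethodName().startsWith("do");
        }

        /** Loads the frame's class, or returns {@code null} if it is not visible to this class loader. */
        private Class<?> getClassOfElement(StackTraceElement frame) {
            try {
                return Class.forName(frame.getClassName());
            } catch (ClassNotFoundException e) {
                return null;
            }
        }

        /**
         * True if the white list names the class either fully qualified or by simple name.
         * Caveat: matching on simple name means any class with that simple name in any package matches.
         */
        private boolean isActionInWhiteList(Class<?> actionClass) {
            if (actionWhiteList.contains(actionClass.getName())) {
                return true;
            }
            return actionWhiteList.contains(actionClass.getSimpleName());
        }

        /**
         * Finds the no-arg method {@code methodName} declared on {@code actionClass} or one of its
         * superclasses, stopping (with {@code null}) at {@link JiraWebActionSupport} or {@link Object}.
         */
        private Method getMethod(Class<?> actionClass, String methodName) {
            Class<?> current = actionClass;
            while (current != null) {
                try {
                    return current.getDeclaredMethod(methodName, new Class[0]);
                } catch (NoSuchMethodException e) {
                    if (current.equals(JiraWebActionSupport.class) || current.equals(Object.class)) {
                        return null;
                    }
                    current = current.getSuperclass();
                }
            }
            return null;
        }
    }

    @Override // org.ofbiz.core.entity.jdbc.interceptors.connection.SQLConnectionInterceptor
    public void onConnectionTaken(Connection connection, ConnectionPoolState connectionPoolState) {
        // Connection lifecycle is not relevant to this check.
    }

    @Override // org.ofbiz.core.entity.jdbc.interceptors.connection.SQLConnectionInterceptor
    public void onConnectionReplaced(Connection connection, ConnectionPoolState connectionPoolState) {
        // Connection lifecycle is not relevant to this check.
    }

    @Override // org.ofbiz.core.entity.jdbc.interceptors.SQLInterceptor
    public void beforeExecution(String sqlString, List<String> parameterValues, Statement statement) {
        // The analysis runs after execution (success or failure); nothing to do here.
    }

    @Override // org.ofbiz.core.entity.jdbc.interceptors.SQLInterceptor
    public void afterSuccessfulExecution(String sqlString, List<String> parameterValues, Statement statement, ResultSet resultSet, int rows) {
        afterExecutionImpl(sqlString);
    }

    @Override // org.ofbiz.core.entity.jdbc.interceptors.SQLInterceptor
    public void onException(String sqlString, List<String> parameterValues, Statement statement, SQLException sqlException) {
        // A failed mutating statement still reveals an unprotected action, so it is analysed too.
        afterExecutionImpl(sqlString);
    }

    /**
     * Analyses one executed statement. Only mutating SQL executed inside an HTTP request is examined,
     * and only the first such statement per request (a request attribute records that the check ran).
     *
     * @param sqlString the statement text (bound parameter values are intentionally not passed or logged)
     */
    private void afterExecutionImpl(String sqlString) {
        if (!JiraSystemProperties.getInstance().isXsrfDiagnostics()) {
            return;
        }
        if (!JiraSQLInterceptorFactory.isMutatingSQL(sqlString)) {
            return;
        }
        final HttpServletRequest request = ActionContext.getRequest();
        if (request == null || request.getAttribute(XSRF_VULNERABILITY_DETECTION_SQLINTERCEPTOR_DONE) != null) {
            return;
        }
        request.setAttribute(XSRF_VULNERABILITY_DETECTION_SQLINTERCEPTOR_DONE, "true");

        final CallStack callStack = new CallStack();
        if (!callStack.hasMethodsWeAreInterestedIn() || callStack.isProtectedAction()) {
            return;
        }
        log.error("XSRF VULNERABILITY DETECTED");
        log.error("requestURL: " + MDC.get(Log4jKit.MDC_JIRA_REQUEST_URL));
        log.error("sql: " + sqlString);
        log.error("CallStack:", callStack);
    }

    /**
     * Reads {@link #WHITE_LIST_RESOURCE} into {@link #actionWhiteList}: one name per line, blank lines
     * and lines starting with {@code #} skipped. A missing resource is logged and leaves the list empty
     * rather than failing class initialisation (which previously surfaced as a NullPointerException
     * from the static initialiser). The reader is always closed.
     */
    private static void loadWhiteList() {
        final InputStream in = XsrfVulnerabilityDetectionSQLInterceptor.class.getResourceAsStream(WHITE_LIST_RESOURCE);
        if (in == null) {
            log.error("XSRF white list resource " + WHITE_LIST_RESOURCE + " not found; no actions are white listed");
            return;
        }
        // Explicit charset: the original relied on the platform default.
        final Reader reader = new InputStreamReader(in, Charset.forName("UTF-8"));
        try {
            final LineIterator lines = IOUtils.lineIterator(reader);
            while (lines.hasNext()) {
                final String entry = lines.nextLine().trim();
                if (entry.length() > 0 && !entry.startsWith("#")) {
                    actionWhiteList.add(entry);
                }
            }
        } finally {
            IOUtils.closeQuietly(reader);
        }
    }

    static {
        if (JiraSystemProperties.isXsrfDetectionCheckRequired()) {
            log.setLevel(Level.INFO);
        }
        loadWhiteList();
    }
}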
