package com.opensymphony.webwork.util;

import com.opensymphony.xwork.util.OgnlUtil;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import ognl.Node;
import ognl.OgnlException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:com/opensymphony/webwork/util/SafeExpressionUtil.class */
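/**
 * Denylist-based screen for OGNL expression strings.
 *
 * <p>An expression is compiled with {@link OgnlUtil#compile(String)} and its syntax tree is walked;
 * the expression is reported safe only when no node matches one of the denylists declared in this
 * class (node types, property names, method names, variable references).
 *
 * <p><b>Security notes for callers and maintainers.</b>
 * <ul>
 *   <li>This is a denylist: any node type or name that is not listed is allowed. Treat the result
 *       as defence in depth, not as a sandbox; keeping untrusted input out of evaluated
 *       expressions and restricting member access in the evaluator remain the primary
 *       controls.</li>
 *   <li>The name checks compare {@code node.toString()} with the listed strings exactly, so they
 *       depend on how the OGNL version in use renders each node.
 *       NOTE(review): confirm the rendering against the deployed OGNL version.</li>
 *   <li>The verdict applies to the exact string passed in. If the caller transforms the string
 *       (unescaping, concatenation, templating) between this check and evaluation, the verdict no
 *       longer covers what is evaluated.</li>
 * </ul>
 *
 * <p>Thread-safety: the cache is backed by a {@link ConcurrentHashMap}; the denylists are
 * unmodifiable after class initialisation.
 */
public class SafeExpressionUtil {
    /**
     * Upper bound on the number of expression strings remembered as safe. The cache is keyed by the
     * caller-supplied string, so without a bound it grows with every distinct safe expression ever
     * seen. The bound is checked with {@code size()} and is therefore approximate under concurrency.
     */
    private static final int MAX_CACHED_EXPRESSIONS = 10000;

    /** Expression strings that already passed the check; only positive verdicts are cached. */
    private static final Set<String> SAFE_EXPRESSIONS_CACHE =
            Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());
    private static final Log log = LogFactory.getLog(SafeExpressionUtil.class);

    /** AST node classes rejected outright: static method/field access, constructors, assignment. */
    private static final Set<String> UNSAFE_NODE_TYPES = immutableSet(
            "ognl.ASTStaticMethod",
            "ognl.ASTStaticField",
            "ognl.ASTCtor",
            "ognl.ASTAssign");

    /** Property names rejected on {@code ognl.ASTProperty} nodes. */
    private static final Set<String> UNSAFE_PROPERTY_NAMES = immutableSet(
            "class",
            "classLoader");

    /** Method renderings rejected on {@code ognl.ASTMethod} nodes. */
    private static final Set<String> UNSAFE_METHOD_NAMES = immutableSet(
            "getClass()",
            "getClassLoader()");

    /** Variable references rejected on {@code ognl.ASTVarRef} nodes. */
    private static final Set<String> UNSAFE_VARIABLE_NAMES = immutableSet(
            "#_memberAccess",
            "#context",
            "#request",
            "#parameters",
            "#session",
            "#application");

    /**
     * Reports whether an OGNL expression string passes the denylist check.
     *
     * <p>The method fails closed: {@code null}, an expression that does not compile, and a compile
     * result that is not an OGNL {@link Node} are all reported as not safe.
     *
     * @param str the expression string exactly as it will be evaluated; may be {@code null}
     * @return {@code true} only when the expression compiled to a {@link Node} tree in which no node
     *     matched a denylist entry
     */
    public static boolean isSafeExpression(String str) {
        // The concurrent cache rejects null keys with a NullPointerException; answer "not safe"
        // instead of letting that escape to the caller.
        if (str == null) {
            return false;
        }
        if (SAFE_EXPRESSIONS_CACHE.contains(str)) {
            return true;
        }
        try {
            Object compiled = OgnlUtil.compile(str);
            if (!(compiled instanceof Node)) {
                return false;
            }
            if (containsUnsafeExpression((Node) compiled)) {
                // The expression may come from a request; escape line breaks so that it cannot
                // forge additional entries in the log this warning is written to.
                log.warn("Unsafe clause found in [" + escapeLineBreaks(str) + "]");
                return false;
            }
        } catch (OgnlException e) {
            // Unparseable input is rejected. It is logged at debug only, so these rejections are
            // not visible at default log levels.
            log.debug("Cannot verify safety of OGNL expression", e);
            return false;
        }
        // Caching is an optimisation only: once the bound is reached the verdict is still
        // returned, the expression is simply re-checked on the next call.
        if (SAFE_EXPRESSIONS_CACHE.size() < MAX_CACHED_EXPRESSIONS) {
            SAFE_EXPRESSIONS_CACHE.add(str);
        }
        return true;
    }

    /**
     * Walks the syntax tree depth-first and reports whether any node matches a denylist.
     *
     * @param node root of the (sub)tree to inspect; must not be {@code null}
     * @return {@code true} as soon as one matching node is found, {@code false} otherwise
     */
    private static boolean containsUnsafeExpression(Node node) {
        if (isUnsafeNode(node)) {
            return true;
        }
        int childCount = node.jjtGetNumChildren();
        for (int i = 0; i < childCount; i++) {
            Node child = node.jjtGetChild(i);
            if (child != null && containsUnsafeExpression(child)) {
                return true;
            }
        }
        return false;
    }

    /** Checks a single node, without descending, against the type and name denylists. */
    private static boolean isUnsafeNode(Node node) {
        String type = node.getClass().getName();
        if (UNSAFE_NODE_TYPES.contains(type)) {
            return true;
        }
        // Exact-match comparison on the node's own rendering; see the class-level security notes.
        if ("ognl.ASTProperty".equals(type)) {
            return UNSAFE_PROPERTY_NAMES.contains(node.toString());
        }
        if ("ognl.ASTMethod".equals(type)) {
            return UNSAFE_METHOD_NAMES.contains(node.toString());
        }
        if ("ognl.ASTVarRef".equals(type)) {
            return UNSAFE_VARIABLE_NAMES.contains(node.toString());
        }
        return false;
    }

    /** Renders CR and LF as the two-character sequences {@code \r} and {@code \n} for logging. */
    private static String escapeLineBreaks(String value) {
        return value.replace("\r", "\\r").replace("\n", "\\n");
    }

    /** Builds an unmodifiable set holding the given entries. */
    private static Set<String> immutableSet(String... entries) {
        Set<String> set = new HashSet<String>();
        Collections.addAll(set, entries);
        return Collections.unmodifiableSet(set);
    }
}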
