package com.liferay.source.formatter.checks;

import com.liferay.portal.kernel.util.StringBundler;

/* loaded from: input_file:com/liferay/source/formatter/checks/JavaXMLSecurityCheck.class */
/**
 * Source check that reports places where a Java file constructs an XML parser
 * or parser factory directly.
 *
 * <p>Detection is a plain substring search over the whole file content for the
 * entries of {@link #_INSECURE_XML_PATTERNS}. Consequences a reviewer should
 * keep in mind:
 * <ul>
 * <li>a call that is written differently from the listed literals (for
 * example split across lines, or a factory type that is not in the list) is
 * not reported;</li>
 * <li>a listed literal inside a comment or string constant is reported as
 * well;</li>
 * <li>files whose name contains {@code /test/} or {@code /testIntegration/},
 * and paths matched by the {@code secure.xml.excludes} property, are skipped
 * entirely.</li>
 * </ul>
 *
 * <p>The check only reports; the file content is always returned unchanged.
 */
public class JavaXMLSecurityCheck extends BaseFileCheck {
    private static final String _SECURE_XML_EXCLUDES = "secure.xml.excludes";

    private static final String _RUN_OUTSIDE_PORTAL_EXCLUDES = "run.outside.portal.excludes";

    // Message prefix for paths matched by run.outside.portal.excludes: the risk is named, no
    // replacement API is suggested.
    private static final String _VULNERABILITY_PREFIX =
        "Possible XXE or Quadratic Blowup security " + "vulnerability using ";

    // Message prefix for every other path.
    // NOTE(review): this hint always names newDocumentBuilderFactory, also when the matched
    // literal is a SAX or StAX one - confirm that this is the intended advice.
    private static final String _REPLACEMENT_PREFIX =
        "Use SecureXMLFactoryProviderUtil." + "newDocumentBuilderFactory instead of ";

    // Literal substrings that are searched for, in reporting order.
    private static final String[] _INSECURE_XML_PATTERNS = {
        "DocumentBuilderFactory.newInstance",
        "new javax.xml.parsers.SAXParser",
        "new org.apache.xerces.parsers.SAXParser",
        "new org.dom4j.io.SAXReader",
        "new SAXParser",
        "new SAXReader",
        "SAXParserFactory.newInstance",
        "saxParserFactory.newInstance",
        "SAXParserFactory.newSAXParser",
        "saxParserFactory.newSAXParser",
        "XMLInputFactory.newFactory",
        "xmlInputFactory.newFactory",
        "XMLInputFactory.newInstance",
        "xmlInputFactory.newInstance"
    };

    /**
     * Marks this check as a portal check.
     *
     * @return always {@code true}
     */
    @Override
    public boolean isPortalCheck() {
        return true;
    }

    /**
     * Runs the XML security scan unless the file is excluded.
     *
     * @param str  value tested for the {@code /test/} and {@code /testIntegration/}
     *             segments and used as the target of reported messages
     * @param str2 value matched against the exclusion properties
     * @param str3 text that is scanned for the parser patterns
     * @return {@code str3}, unchanged
     */
    @Override
    protected String doProcess(String str, String str2, String str3) {
        // Same evaluation order as before: the property-based exclusion first, then the two
        // test-directory markers.
        boolean skipped =
            isExcludedPath(_SECURE_XML_EXCLUDES, str2)
                || str.contains("/test/")
                || str.contains("/testIntegration/");

        if (!skipped) {
            _checkXMLSecurity(str, str2, str3);
        }

        return str3;
    }

    /**
     * Adds one message per listed pattern that occurs in the content. A pattern is reported
     * once, however often it occurs.
     *
     * @param fileName     target of the reported messages
     * @param absolutePath value matched against {@code run.outside.portal.excludes}
     * @param content      text searched for the patterns
     */
    private void _checkXMLSecurity(String fileName, String absolutePath, String content) {
        // The prefix depends only on the path, so it is chosen once for all patterns.
        String prefix =
            isExcludedPath(_RUN_OUTSIDE_PORTAL_EXCLUDES, absolutePath)
                ? _VULNERABILITY_PREFIX
                : _REPLACEMENT_PREFIX;

        for (String pattern : _INSECURE_XML_PATTERNS) {
            if (!content.contains(pattern)) {
                continue;
            }

            addMessage(fileName, prefix + pattern);
        }
    }
}
