package com.liferay.portal.security.xml;

import com.liferay.portal.kernel.exception.SystemException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.security.xml.SecureXMLFactoryProvider;
import com.liferay.portal.util.PropsValues;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.TransformerFactoryConfigurationError;
import org.apache.xerces.parsers.SAXParser;
import org.xml.sax.XMLReader;

/* loaded from: input_file:com/liferay/portal/security/xml/SecureXMLFactoryProviderImpl.class */
public class SecureXMLFactoryProviderImpl implements SecureXMLFactoryProvider {
    private static final String _FEATURES_DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String _FEATURES_EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
    private static final String _FEATURES_EXTERNAL_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
    private static final Log _log = LogFactoryUtil.getLog((Class<?>) SecureXMLFactoryProviderImpl.class);

    @Override // com.liferay.portal.kernel.security.xml.SecureXMLFactoryProvider
    public DocumentBuilderFactory newDocumentBuilderFactory() {
        DocumentBuilderFactory newInstance = DocumentBuilderFactory.newInstance();
        if (!PropsValues.XML_SECURITY_ENABLED) {
            return newInstance;
        }
        try {
            newInstance.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
        } catch (Exception e) {
            _log.error("Unable to initialize safe document builder factory to protect from XML Bomb attacks", e);
        }
        try {
            newInstance.setFeature(_FEATURES_DISALLOW_DOCTYPE_DECL, true);
        } catch (Exception e2) {
            _log.error("Unable to initialize safe document builder factory to protect from XML Bomb attacks", e2);
        }
        try {
            newInstance.setExpandEntityReferences(false);
            newInstance.setFeature(_FEATURES_EXTERNAL_GENERAL_ENTITIES, false);
            newInstance.setFeature(_FEATURES_EXTERNAL_PARAMETER_ENTITIES, false);
        } catch (Exception e3) {
            _log.error("Unable to initialize safe document builder factory to protect from XXE attacks", e3);
        }
        return newInstance;
    }

    @Override // com.liferay.portal.kernel.security.xml.SecureXMLFactoryProvider
    public TransformerFactory newTransformerFactory() throws TransformerFactoryConfigurationError {
        TransformerFactory newInstance = TransformerFactory.newInstance("com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl", SecureXMLFactoryProviderImpl.class.getClassLoader());
        if (!PropsValues.XML_SECURITY_ENABLED) {
            return newInstance;
        }
        newInstance.setAttribute("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
        newInstance.setAttribute("http://javax.xml.XMLConstants/property/accessExternalStylesheet", "");
        return newInstance;
    }

    @Override // com.liferay.portal.kernel.security.xml.SecureXMLFactoryProvider
    public XMLInputFactory newXMLInputFactory() {
        XMLInputFactory newInstance = XMLInputFactory.newInstance();
        if (!PropsValues.XML_SECURITY_ENABLED) {
            return newInstance;
        }
        newInstance.setProperty("javax.xml.stream.isReplacingEntityReferences", Boolean.FALSE);
        newInstance.setProperty("javax.xml.stream.isSupportingExternalEntities", Boolean.FALSE);
        newInstance.setProperty("javax.xml.stream.supportDTD", Boolean.FALSE);
        return newInstance;
    }

    @Override // com.liferay.portal.kernel.security.xml.SecureXMLFactoryProvider
    public XMLReader newXMLReader() {
        ClassLoader classLoader = getClass().getClassLoader();
        Thread currentThread = Thread.currentThread();
        ClassLoader contextClassLoader = currentThread.getContextClassLoader();
        try {
            if (classLoader != contextClassLoader) {
                try {
                    currentThread.setContextClassLoader(classLoader);
                } catch (RuntimeException e) {
                    throw new SystemException(e);
                }
            }
            SAXParser sAXParser = new SAXParser();
            if (classLoader != contextClassLoader) {
                currentThread.setContextClassLoader(contextClassLoader);
            }
            if (!PropsValues.XML_SECURITY_ENABLED) {
                return sAXParser;
            }
            StripDoctypeXMLReader stripDoctypeXMLReader = new StripDoctypeXMLReader(sAXParser);
            try {
                stripDoctypeXMLReader.setFeature(_FEATURES_DISALLOW_DOCTYPE_DECL, true);
            } catch (Exception e2) {
                _log.error("Unable to initialize safe SAX parser to protect from XML Bomb attacks", e2);
            }
            try {
                stripDoctypeXMLReader.setFeature(_FEATURES_EXTERNAL_GENERAL_ENTITIES, false);
                stripDoctypeXMLReader.setFeature(_FEATURES_EXTERNAL_PARAMETER_ENTITIES, false);
            } catch (Exception e3) {
                _log.error("Unable to initialize safe SAX parser to protect from XXE attacks", e3);
            }
            return stripDoctypeXMLReader;
        } catch (Throwable th) {
            if (classLoader != contextClassLoader) {
                currentThread.setContextClassLoader(contextClassLoader);
            }
            throw th;
        }
    }
}
