package blackboard.platform.security.impl;

import blackboard.data.rubric.RubricEvaluationDef;
import blackboard.platform.extension.service.ExtensionRegistryFactory;
import blackboard.platform.log.LogServiceFactory;
import blackboard.platform.nautilus.BaseSourceId;
import blackboard.platform.rubric.common.RubricDefinition;
import blackboard.platform.security.XssFilter;
import blackboard.platform.security.XssFilterInterceptor;
import blackboard.platform.security.XssFilterSafeBaseUrlProvider;
import blackboard.platform.security.XssFilterSafeBaseUrlProviderFactory;
import blackboard.platform.user.MyPlacesUtil;
import blackboard.util.StringUtil;
import blackboard.util.UrlUtil;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/* loaded from: input_file:blackboard/platform/security/impl/RegexXssFilter.class */
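/**
 * {@link XssFilter} implementation driven by regular expressions read from a {@link Properties} object.
 *
 * <p>{@link #sanitize(String)} first normalises the input (null characters, short numeric character
 * references), then applies the disabled-tag, disabled-attribute, URL-attribute, href-attribute and custom
 * patterns in that order. When {@link XssFilterInterceptor} extensions are registered, each match is
 * offered to them and is left in place if any interceptor allows it.
 *
 * <p>NOTE(review): {@link #reloadConfiguration()} and {@code hasSafeBaseUrl} mutate instance state without
 * synchronisation. If one instance is shared between request threads (not visible from this file), a
 * {@code sanitize} call running during a reload can observe a cleared or partially filled custom-pattern
 * list. Confirm how the instance is shared before relying on it under concurrency.
 */
public class RegexXssFilter implements XssFilter {
    private static final String OTHER_PREFIX = "other.";
    private static final String REPLACEMENT_SUFFIX = ".replacement";
    // Placeholders that the configured templates may contain; each is matched literally, ignoring case.
    private static final Pattern COMMENT_TEMPLATE = Pattern.compile(Pattern.quote("@X@comment@X@"), Pattern.CASE_INSENSITIVE);
    private static final Pattern COMMA_TEMPLATE = Pattern.compile(Pattern.quote("@X@comma@X@"), Pattern.CASE_INSENSITIVE);
    private static final Pattern TAG_TEMPLATE = Pattern.compile(Pattern.quote("@X@tag@X@"), Pattern.CASE_INSENSITIVE);
    private static final Pattern ATTRIBUTE_TEMPLATE = Pattern.compile(Pattern.quote("@X@attribute@X@"), Pattern.CASE_INSENSITIVE);
    private static final Pattern STRING_TEMPLATE = Pattern.compile(Pattern.quote("@X@string@X@"), Pattern.CASE_INSENSITIVE);
    private static final Pattern CHAR_TEMPLATE = Pattern.compile(Pattern.quote("@X@char@X@"), Pattern.CASE_INSENSITIVE);
    private static final Pattern CHAR_HEX_TEMPLATE = Pattern.compile(Pattern.quote("@X@char.hex@X@"), Pattern.CASE_INSENSITIVE);
    private static final Pattern CHAR_DECIMAL_TEMPLATE = Pattern.compile(Pattern.quote("@X@char.decimal@X@"), Pattern.CASE_INSENSITIVE);
    private static final Pattern URL_TEMPLATE = Pattern.compile(Pattern.quote("@X@url@X@"), Pattern.CASE_INSENSITIVE);
    private static final Pattern APPLET_ARCHIVE_TEMPLATE = Pattern.compile(Pattern.quote("@X@applet.archives@X@"), Pattern.CASE_INSENSITIVE);
    // Compiled once instead of on every URL attribute match.
    private static final Pattern PERCENT_ESCAPE = Pattern.compile("%[0-9a-fA-F]{2}");

    private final Properties _properties;
    private boolean _availableXssFilterInterceptors;
    Collection<XssFilterInterceptor> _interceptorExts;
    // The configuration-backed fields below are assigned in the constructor, after _properties is set.
    private final Pattern _nullChar;
    private final String _commentsPattern;
    private final Pattern _numericCharacterReference;
    private final Pattern _urlTrim;
    private final Pattern _disabledAttributes;
    private final String _disabledAttributeReplacement;
    private final Pattern _disabledTags;
    private final String _disabledTagReplacement;
    private final Pattern _hrefAttributes;
    private final Pattern _urlAttributes;
    private final Pattern _invalidUrl;
    private final Pattern _invalidSafeBaseUrl;
    private final Pattern _invalidHref;
    private final String _urlReplacement;
    private Pattern _safeBaseUrlPattern = null;
    private final Collection<String> _safeBaseUrlProviderIds = new ArrayList<String>();
    private final List<CustomPattern> _prohibitedPatterns;
    private final List<CustomPattern> _customPatterns = new ArrayList<CustomPattern>();

    /**
     * A named pattern with its replacement text. Ordering, equality and hash code use the name only.
     */
    public static final class CustomPattern implements Comparable<CustomPattern> {
        private final String _name;
        private final Pattern _pattern;
        private final String _replacement;

        private CustomPattern(String name, Pattern pattern, String replacement) {
            if (name == null || pattern == null || replacement == null) {
                throw new IllegalArgumentException();
            }
            this._name = name;
            this._pattern = pattern;
            this._replacement = replacement;
        }

        @Override // java.lang.Comparable
        public int compareTo(CustomPattern other) {
            return this._name.compareTo(other._name);
        }

        @Override
        public int hashCode() {
            return (31 * 1) + (this._name == null ? 0 : this._name.hashCode());
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            CustomPattern other = (CustomPattern) obj;
            return this._name == null ? other._name == null : this._name.equals(other._name);
        }
    }

    /**
     * Builds the filter from its configuration.
     *
     * <p>All patterns are loaded here rather than in field initialisers: field initialisers run before the
     * constructor body, so they would read {@code _properties} while it is still {@code null}.
     *
     * @param properties the filter configuration; must not be {@code null}
     * @throws IllegalArgumentException if {@code properties} is {@code null}
     */
    public RegexXssFilter(Properties properties) {
        if (properties == null) {
            throw new IllegalArgumentException("properties must not be null");
        }
        this._properties = properties;
        this._nullChar = loadPattern("null_char");
        // NOTE(review): if this property is missing while prohibited_strings is configured,
        // loadProhibitedStringsPatterns() fails with a NullPointerException instead of building weaker patterns.
        this._commentsPattern = loadString(RubricEvaluationDef.COMMENTS);
        this._numericCharacterReference = loadPattern("numeric_character_reference");
        this._urlTrim = loadPattern("url_trim");
        this._disabledAttributes = loadPattern("disabled_attributes", "disabled_attributes.template", ATTRIBUTE_TEMPLATE);
        this._disabledAttributeReplacement = loadString("disabled_attributes.replacement", "");
        this._disabledTags = loadPattern("disabled_tags", "disabled_tags.template", TAG_TEMPLATE);
        this._disabledTagReplacement = loadString("disabled_tags.replacement", "");
        this._hrefAttributes = loadPattern("href_attributes", "attribute_value.template", ATTRIBUTE_TEMPLATE);
        this._urlAttributes = loadPattern("url_attributes", "attribute_value.template", ATTRIBUTE_TEMPLATE);
        this._invalidUrl = loadPattern("invalid_url");
        this._invalidSafeBaseUrl = loadPattern("invalid_safe_base_url");
        this._invalidHref = loadPattern("invalid_href");
        this._urlReplacement = loadString("url.replacement", "");
        // Depends on _commentsPattern, so it must come after that assignment.
        this._prohibitedPatterns = loadProhibitedStringsPatterns();
        initCustomPatterns();
    }

    /**
     * Sanitises a piece of markup with the configured patterns.
     *
     * @param str the text to sanitise
     * @return {@code str} unchanged when it is {@code null} or empty, otherwise the filtered text
     * @throws IllegalStateException if URL attributes are configured and matched but {@code url_trim} is not
     */
    @Override // blackboard.platform.security.XssFilter
    public String sanitize(String str) {
        if (str == null || str.length() == 0) {
            return str;
        }
        String result = cleanup(str);
        if (this._disabledTags != null) {
            result = applyPattern(result, this._disabledTags, this._disabledTagReplacement);
        }
        if (this._disabledAttributes != null) {
            result = applyPattern(result, this._disabledAttributes, this._disabledAttributeReplacement);
        }
        if (this._urlAttributes != null && this._invalidUrl != null && this._invalidSafeBaseUrl != null) {
            result = filterUrl(result, this._urlAttributes, this._invalidSafeBaseUrl, this._invalidUrl);
        }
        if (this._hrefAttributes != null && this._invalidHref != null) {
            result = filterUrl(result, this._hrefAttributes, null, this._invalidHref);
        }
        for (CustomPattern customPattern : this._customPatterns) {
            result = applyPattern(result, customPattern._pattern, customPattern._replacement);
        }
        return result;
    }

    /** Replaces every match outright, or consults the interceptors per match when any are registered. */
    private String applyPattern(String html, Pattern pattern, String replacement) {
        if (!this._availableXssFilterInterceptors) {
            return pattern.matcher(html).replaceAll(replacement);
        }
        return processAllowedUnsafeHtml(html, pattern, replacement);
    }

    /**
     * Replaces each match of {@code pattern} unless an interceptor allows it.
     *
     * <p>The interceptors are shown the input from one character before the match to the end of the input;
     * when that text starts with {@code "/"} they are shown the input from its start to the end of the
     * match instead.
     */
    private String processAllowedUnsafeHtml(String html, Pattern pattern, String replacement) {
        Matcher matcher = pattern.matcher(html);
        if (!matcher.find()) {
            return html;
        }
        matcher.reset();
        StringBuffer out = new StringBuffer();
        while (matcher.find()) {
            int from = matcher.start();
            // NOTE(review): a match starting at index 1 is not widened; "> 0" may have been intended - confirm.
            if (from > 1) {
                from--;
            }
            String context = html.substring(from);
            boolean allowed = context.startsWith("/")
                    ? isUnsafeHtmlAllowed(html.substring(0, matcher.end()))
                    : isUnsafeHtmlAllowed(context);
            if (!allowed) {
                matcher.appendReplacement(out, replacement);
            }
        }
        matcher.appendTail(out);
        return out.toString();
    }

    /** Returns {@code true} as soon as one registered interceptor allows the given text. */
    private boolean isUnsafeHtmlAllowed(String str) {
        for (XssFilterInterceptor interceptor : this._interceptorExts) {
            if (interceptor.isUnsafeHtmlAllowed(str)) {
                return true;
            }
        }
        return false;
    }

    /** Rebuilds the custom pattern list and re-reads the registered interceptors. */
    @Override // blackboard.platform.security.XssFilter
    public void reloadConfiguration() {
        initCustomPatterns();
    }

    /** Refills {@code _customPatterns} with the prohibited-string patterns followed by the "other." patterns. */
    private void initCustomPatterns() {
        List<CustomPattern> otherPatterns = loadOtherPatterns();
        this._customPatterns.clear();
        if (null != this._prohibitedPatterns) {
            this._customPatterns.addAll(this._prohibitedPatterns);
        }
        if (null != otherPatterns) {
            this._customPatterns.addAll(otherPatterns);
        }
        this._availableXssFilterInterceptors = setupXssInterceptors();
    }

    /**
     * Normalises the input before the patterns run: strips matches of the null-character pattern and
     * rewrites numeric character references of fewer than four digits.
     *
     * <p>Short references to control characters (below 32, or 127) are removed; references to ASCII letters
     * and to {@code ( ) - :} are replaced by the character itself; all other references are kept as written.
     *
     * <p>NOTE(review): references with four or more digits are not touched here, which includes zero-padded
     * spellings of the same code points. They have to be caught by the later patterns; verify the configured
     * reserved-character templates cover them.
     */
    private String cleanup(String str) {
        String result = str;
        if (this._nullChar != null) {
            result = this._nullChar.matcher(result).replaceAll("");
        }
        if (this._numericCharacterReference != null) {
            Matcher matcher = this._numericCharacterReference.matcher(result);
            StringBuffer out = new StringBuffer();
            while (matcher.find()) {
                String digits = matcher.group(2);
                if (StringUtil.isEmpty(digits)) {
                    matcher.appendReplacement(out, "");
                } else if (digits.length() < 4) {
                    String radixMarker = matcher.group(1);
                    int radix = (radixMarker == null || !"x".equalsIgnoreCase(radixMarker)) ? 10 : 16;
                    // NOTE(review): throws NumberFormatException if the configured pattern lets group 2 hold
                    // digits that are invalid for the radix - depends on the pattern, confirm.
                    int codePoint = Integer.parseInt(matcher.group(2), radix);
                    if (codePoint < 32 || codePoint == 127) {
                        matcher.appendReplacement(out, "");
                    } else if ((codePoint > 64 && codePoint < 91) || ((codePoint > 96 && codePoint < 123) || codePoint == 40 || codePoint == 41 || codePoint == 45 || codePoint == 58)) {
                        matcher.appendReplacement(out, String.valueOf((char) codePoint));
                    }
                }
            }
            matcher.appendTail(out);
            result = out.toString();
        }
        return result;
    }

    /**
     * Rewrites URL-valued attributes whose value matches an "invalid" pattern.
     *
     * @param html the text being sanitised
     * @param attributePattern matches the attributes to inspect
     * @param safeBaseInvalidPattern pattern used instead of {@code invalidPattern} when the value has a safe
     *        base URL; {@code null} disables that substitution
     * @param invalidPattern matches the parts of a value that must be removed
     * @return the text with offending attribute matches replaced by {@code ="..."} built from the
     *         {@code url.replacement} template
     * @throws IllegalStateException if an attribute matches but the {@code url_trim} pattern is not configured
     */
    private String filterUrl(String html, Pattern attributePattern, Pattern safeBaseInvalidPattern, Pattern invalidPattern) {
        Matcher attributes = attributePattern.matcher(html);
        StringBuffer out = new StringBuffer();
        while (attributes.find()) {
            String attribute = attributes.group();
            if (attribute == null) {
                continue;
            }
            if (this._urlTrim == null) {
                // Fail closed with a clear message instead of a bare NullPointerException.
                throw new IllegalStateException("Property 'url_trim' is required when URL attributes are filtered.");
            }
            String url = this._urlTrim.matcher(attribute).replaceAll("$2");
            if (url.length() == 0) {
                continue;
            }
            url = decodePercentEscapes(url);
            if (isUnsafeHtmlAllowed(url)) {
                continue;
            }
            Pattern effective = invalidPattern;
            if (safeBaseInvalidPattern != null && hasSafeBaseUrl(url)) {
                effective = safeBaseInvalidPattern;
            }
            if (effective.matcher(url).find()) {
                String cleaned = effective.matcher(url).replaceAll("");
                // The cleaned value is user-controlled and passes through two replacement parsers
                // (URL_TEMPLATE.replaceAll, then appendReplacement), so it is quoted twice; quoted only once,
                // '$' and '\' in it would be read as group references and escapes by appendReplacement.
                // The url.replacement template itself keeps its replacement-string meaning.
                String literal = Matcher.quoteReplacement(cleaned);
                String rewritten = URL_TEMPLATE.matcher(this._urlReplacement).replaceAll(Matcher.quoteReplacement(literal));
                attributes.appendReplacement(out, "=\"" + rewritten + "\"");
            }
        }
        attributes.appendTail(out);
        return out.toString();
    }

    /**
     * Decodes percent-escapes repeatedly so that multiply-encoded values are checked in decoded form.
     * Stops when no escape is left, when decoding fails, or when decoding no longer changes the value,
     * so an undecodable escape cannot keep the loop running.
     */
    private String decodePercentEscapes(String url) {
        String current = url;
        while (PERCENT_ESCAPE.matcher(current).find()) {
            String decoded;
            try {
                decoded = UrlUtil.decodeUrl(current);
            } catch (IllegalArgumentException ignored) {
                // Undecodable input: keep what has been decoded so far and let the invalid-URL patterns judge it.
                break;
            }
            if (decoded == null || decoded.equals(current)) {
                break;
            }
            current = decoded;
        }
        return current;
    }

    /**
     * Reports whether the value matches one of the safe base URLs supplied by the registered providers.
     * The compiled pattern is rebuilt whenever the provider id collection differs from the cached one.
     *
     * <p>NOTE(review): the pattern is applied with {@code find()} and allows any run of non-slash characters
     * between "://" and the safe base URL, so there is no host-label boundary before the safe value and the
     * "://" need not be the scheme separator of the value. A value judged "safe" is checked against
     * {@code invalid_safe_base_url} instead of {@code invalid_url}; consider parsing the URL and comparing
     * the host exactly or on a '.' boundary.
     *
     * <p>NOTE(review): the cached ids are an {@code ArrayList}; if the factory returns a non-List collection
     * the equality check never succeeds and the pattern is rebuilt on every call - confirm the returned type.
     */
    private boolean hasSafeBaseUrl(String str) {
        Collection<String> providerIds = XssFilterSafeBaseUrlProviderFactory.getProviderIds();
        if (!this._safeBaseUrlProviderIds.equals(providerIds)) {
            this._safeBaseUrlProviderIds.clear();
            // Guard before addAll: the null check used to come after the call that would already have thrown.
            if (providerIds != null) {
                this._safeBaseUrlProviderIds.addAll(providerIds);
            }
            this._safeBaseUrlPattern = null;
            if (providerIds != null && !providerIds.isEmpty()) {
                StringBuilder alternatives = new StringBuilder();
                Collection<XssFilterSafeBaseUrlProvider> urlProviders = XssFilterSafeBaseUrlProviderFactory.getUrlProviders();
                HashSet<String> safeBaseUrls = new HashSet<String>();
                for (XssFilterSafeBaseUrlProvider provider : urlProviders) {
                    safeBaseUrls.addAll(provider.getSafeBaseUrls());
                }
                boolean first = true;
                for (String safeBaseUrl : safeBaseUrls) {
                    if (!first) {
                        alternatives.append(BaseSourceId.SEPARATOR);
                    }
                    alternatives.append(Pattern.quote(safeBaseUrl));
                    first = false;
                }
                if (StringUtil.notEmpty(alternatives.toString())) {
                    this._safeBaseUrlPattern = Pattern.compile("://([^/]*?" + ((CharSequence) alternatives) + ")($|/)", Pattern.CASE_INSENSITIVE);
                }
            }
        }
        if (this._safeBaseUrlPattern == null) {
            return false;
        }
        return this._safeBaseUrlPattern.matcher(str).find();
    }

    /**
     * Builds one pattern per entry of {@code prohibited_strings} from {@code prohibited_strings.template}.
     * Each character of an entry is expanded through {@code reserved_char.template} when it is listed in
     * {@code reserved_chars}, otherwise through {@code char.template}.
     *
     * @return the patterns, or {@code null} when none are configured
     * @throws RuntimeException if an entry of {@code reserved_chars} is longer than one character
     */
    private List<CustomPattern> loadProhibitedStringsPatterns() {
        ArrayList<CustomPattern> patterns = new ArrayList<CustomPattern>();
        String stringTemplate = loadString("prohibited_strings.template");
        List<String> prohibited = loadList("prohibited_strings");
        if (stringTemplate != null && prohibited != null) {
            HashMap<Character, String> reservedExpansions = new HashMap<Character, String>();
            String reservedTemplate = loadString("reserved_char.template");
            List<String> reservedChars = reservedTemplate != null ? loadList("reserved_chars") : null;
            if (reservedChars != null) {
                for (String reserved : reservedChars) {
                    if (reserved.length() > 1) {
                        throw new RuntimeException("Invalid string " + reserved + " found in property reserved_chars.");
                    }
                    Character ch = Character.valueOf(reserved.charAt(0));
                    // Fill the literal, hexadecimal and decimal placeholders of the template in turn.
                    String withChar = CHAR_TEMPLATE.matcher(reservedTemplate)
                            .replaceAll(Matcher.quoteReplacement(Pattern.quote(String.valueOf(ch))));
                    String withHex = CHAR_HEX_TEMPLATE.matcher(withChar)
                            .replaceAll(Matcher.quoteReplacement(addEmbeddedComment(Integer.toHexString(ch.charValue()))));
                    String withDecimal = CHAR_DECIMAL_TEMPLATE.matcher(withHex)
                            .replaceAll(Matcher.quoteReplacement(addEmbeddedComment(String.valueOf((int) ch.charValue()))));
                    reservedExpansions.put(ch, withDecimal);
                }
            }
            List<String> replacements = loadList("prohibited_strings.replacement");
            if (replacements != null && replacements.size() != prohibited.size()) {
                LogServiceFactory.getInstance().logError("", new IllegalArgumentException("The property 'prohibited_strings.replacement' if present must contain the same number of comma-delimited elements as the property 'prohibited_strings'. The replacement will default to the empty string."));
                replacements = null;
            }
            Matcher charTemplate = CHAR_TEMPLATE.matcher(loadString("char.template", "@X@char@X@"));
            for (int i = 0; i < prohibited.size(); i++) {
                String entry = prohibited.get(i);
                StringBuilder expanded = new StringBuilder();
                for (char c : entry.toCharArray()) {
                    String reservedExpansion = reservedExpansions.get(Character.valueOf(c));
                    if (reservedExpansion != null) {
                        expanded.append(reservedExpansion);
                    } else {
                        expanded.append(charTemplate.replaceAll(Matcher.quoteReplacement(Pattern.quote(String.valueOf(c)))));
                    }
                }
                String withString = STRING_TEMPLATE.matcher(stringTemplate).replaceAll(Matcher.quoteReplacement(expanded.toString()));
                String regex = COMMENT_TEMPLATE.matcher(withString).replaceAll(Matcher.quoteReplacement(this._commentsPattern));
                // Replacements are positional: the i-th replacement belongs to the i-th prohibited string.
                String replacement = replacements != null ? replacements.get(i) : "";
                patterns.add(new CustomPattern("prohibited_strings." + entry, Pattern.compile(regex, Pattern.CASE_INSENSITIVE), replacement));
            }
        }
        if (patterns.isEmpty()) {
            return null;
        }
        return patterns;
    }

    /** Appends the comment placeholder after every character of {@code str}. */
    private String addEmbeddedComment(String str) {
        StringBuilder sb = new StringBuilder();
        for (char c : str.toCharArray()) {
            sb.append(c);
            sb.append("@X@comment@X@");
        }
        return sb.toString();
    }

    /**
     * Builds a pattern for every property whose lower-cased name starts with {@code "other."} and does not
     * end with {@code ".replacement"}; the replacement is read from the property {@code <name>.replacement}.
     *
     * @return the patterns sorted by property name, or {@code null} when there are none
     */
    private List<CustomPattern> loadOtherPatterns() {
        String appletArchiveReplacement = getAppletArchiveReplacement();
        ArrayList<CustomPattern> patterns = new ArrayList<CustomPattern>();
        // Properties is a Map<Object, Object>, so the keys are checked rather than assumed to be strings.
        for (Object key : this._properties.keySet()) {
            if (!(key instanceof String)) {
                continue;
            }
            String name = (String) key;
            String lowerCase = name.toLowerCase();
            if (lowerCase.startsWith(OTHER_PREFIX) && !lowerCase.endsWith(REPLACEMENT_SUFFIX)) {
                String regex = loadString(name);
                if (regex == null) {
                    // A blank value has nothing to match; skipping it keeps one empty entry from
                    // aborting construction and every later reload.
                    LogServiceFactory.getInstance().logError("Property " + name + " has no pattern - ignoring");
                    continue;
                }
                patterns.add(new CustomPattern(name, Pattern.compile(APPLET_ARCHIVE_TEMPLATE.matcher(regex).replaceAll(appletArchiveReplacement), Pattern.CASE_INSENSITIVE), loadString(name + REPLACEMENT_SUFFIX, "")));
            }
        }
        Collections.sort(patterns);
        if (patterns.isEmpty()) {
            return null;
        }
        return patterns;
    }

    /**
     * Joins the archive URL patterns of all registered interceptors into the text that replaces the
     * applet-archive placeholder. Backslashes are doubled because the result is used as a regex
     * replacement string. An interceptor that throws is logged and skipped.
     */
    private String getAppletArchiveReplacement() {
        Collection<XssFilterInterceptor> extensions = ExtensionRegistryFactory.getInstance().getExtensions(XssFilterInterceptor.EXTENSION_POINT);
        ArrayList<String> groups = new ArrayList<String>();
        for (XssFilterInterceptor interceptor : extensions) {
            try {
                groups.add("(" + StringUtil.replace(interceptor.getArchiveUrlPattern(), "\\", "\\\\") + RubricDefinition.COPY_SUFFIX_END_DELIMITER);
            } catch (Exception e) {
                LogServiceFactory.getInstance().logError("Failed to get pattern from extension " + interceptor.getClass().getCanonicalName() + " - ignoring");
            }
        }
        return StringUtil.join(groups, BaseSourceId.SEPARATOR);
    }

    /** Re-reads the registered interceptors and reports whether there is at least one. */
    private boolean setupXssInterceptors() {
        this._interceptorExts = ExtensionRegistryFactory.getInstance().getExtensions(XssFilterInterceptor.EXTENSION_POINT);
        return this._interceptorExts.size() > 0;
    }

    /**
     * Expands a template once per entry of a list property and joins the results with
     * {@code BaseSourceId.SEPARATOR} into one case-insensitive pattern.
     *
     * @param listKey property holding the comma-delimited entries
     * @param templateKey property holding the template
     * @param placeholder placeholder pattern replaced by each entry
     * @return the compiled pattern, or {@code null} when the template or the list is missing
     */
    private Pattern loadPattern(String listKey, String templateKey, Pattern placeholder) {
        String template = loadString(templateKey);
        if (template == null) {
            return null;
        }
        List<String> entries = loadList(listKey);
        if (entries == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder();
        Matcher matcher = placeholder.matcher(template);
        for (String entry : entries) {
            sb.append(matcher.replaceAll(Matcher.quoteReplacement(entry))).append(BaseSourceId.SEPARATOR);
        }
        // Drops the trailing separator; assumes the separator is a single character - TODO confirm.
        sb.deleteCharAt(sb.length() - 1);
        return Pattern.compile(sb.toString(), Pattern.CASE_INSENSITIVE);
    }

    /** Compiles the named property as a case-insensitive pattern, or returns {@code null} if it is blank. */
    private Pattern loadPattern(String str) {
        String regex = loadString(str);
        if (regex != null) {
            return Pattern.compile(regex, Pattern.CASE_INSENSITIVE);
        }
        return null;
    }

    /** Returns the trimmed property value, or {@code null} when it is missing or blank. */
    private String loadString(String str) {
        String property = this._properties.getProperty(str);
        if (property == null) {
            return null;
        }
        String trimmed = property.trim();
        return trimmed.length() == 0 ? null : trimmed;
    }

    /** Returns the trimmed property value, or the trimmed default when it is missing or blank. */
    private String loadString(String str, String str2) {
        String value = loadString(str);
        if (value == null) {
            value = str2;
        }
        return value.trim();
    }

    /**
     * Splits the named property on {@code MyPlacesUtil.DELIMITER}, trims the entries, drops empty ones and
     * replaces the comma placeholder in each entry with the delimiter.
     *
     * @return the entries, or {@code null} when the property is missing or yields no entries
     */
    private List<String> loadList(String str) {
        String value = loadString(str);
        if (value == null) {
            return null;
        }
        ArrayList<String> entries = new ArrayList<String>();
        for (String part : value.trim().split(MyPlacesUtil.DELIMITER)) {
            String trimmed = part.trim();
            if (trimmed.length() > 0) {
                entries.add(COMMA_TEMPLATE.matcher(trimmed).replaceAll(MyPlacesUtil.DELIMITER));
            }
        }
        if (entries.isEmpty()) {
            return null;
        }
        return entries;
    }
}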
