package com.appiancorp.embedded.http;

import com.appiancorp.security.cors.CorsUtil;
import com.google.common.base.Strings;
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;

/* loaded from: input_file:com/appiancorp/embedded/http/RedirectServlet.class */
public class RedirectServlet extends HttpServlet {
    private static final String FORBIDDEN_MESSAGE = "Sorry, your request could not be processed.";
    private static final String INVALID_METHOD_MESSAGE_TEMPLATE = "HTTP method %s is not supported by this URL.";
    private static final Logger LOG = Logger.getLogger(RedirectServlet.class);
    // Raw CR or LF anywhere in the target; the container has already URL-decoded the
    // parameter, so this catches encoded line breaks too.
    private static final Pattern RESPONSE_SPLITTING_ATTACK = Pattern.compile("\\r|\\n");

    private static final String REDIRECT_TARGET_PARAMETER = "redirectTarget";
    private static final String ALLOWED_METHOD = "GET";

    /**
     * Issues a redirect to the {@code redirectTarget} query parameter, but only after a
     * fixed sequence of gates has passed, in this order:
     * <ol>
     *   <li>the request origin must pass {@link CorsUtil#isAllowedOrigin} (else 403);</li>
     *   <li>the HTTP method must be {@code GET} (else 405);</li>
     *   <li>the parameter must be present and non-empty (else 403);</li>
     *   <li>the parameter must contain no CR/LF, which would otherwise let the caller
     *       inject headers into the {@code Location} response (else 403);</li>
     *   <li>the parameter must pass {@link CorsUtil#isAllowedRedirectTarget} — presumably
     *       an allow-list of redirect destinations, which is what stops this servlet from
     *       being an open redirect (else 403).</li>
     * </ol>
     * Every rejection is logged at WARN; the response body carries a generic message and
     * never echoes the rejected target.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response the redirect or error is written to
     * @throws ServletException never thrown here directly; declared by the overridden method
     * @throws IOException      if writing the error or redirect to the response fails
     */
    @Override
    protected void service(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
            throws ServletException, IOException {
        if (!CorsUtil.isAllowedOrigin(httpServletRequest, true)) {
            forbid(httpServletResponse,
                    "Embedded Redirect Servlet invoked from an origin not in the list of allowed origins.");
            return;
        }

        String method = httpServletRequest.getMethod();
        if (!ALLOWED_METHOD.equals(method)) {
            LOG.warn("Embedded Redirect Servlet invoked with an HTTP method other than GET.");
            httpServletResponse.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
                    String.format(INVALID_METHOD_MESSAGE_TEMPLATE, method));
            return;
        }

        String target = httpServletRequest.getParameter(REDIRECT_TARGET_PARAMETER);
        String rejectionReason = rejectionReasonFor(target);
        if (rejectionReason != null) {
            forbid(httpServletResponse, rejectionReason);
            return;
        }

        httpServletResponse.sendRedirect(target);
    }

    /**
     * Validates the redirect target, returning the WARN message for the first failed check
     * or {@code null} when the target may be redirected to. Checks run in the order listed
     * in {@link #service}; later, more expensive checks are not reached once one fails.
     *
     * @param target the raw {@code redirectTarget} parameter, possibly {@code null}
     * @return the log message explaining the rejection, or {@code null} if accepted
     */
    private static String rejectionReasonFor(String target) {
        if (target == null || target.isEmpty()) {
            return "Embedded Redirect Servlet invoked without a \"redirectTarget\" query parameter.";
        }
        if (RESPONSE_SPLITTING_ATTACK.matcher(target).find()) {
            return "Embedded Redirect Servlet detected an HTTP Response Splitting attack.";
        }
        if (!CorsUtil.isAllowedRedirectTarget(target)) {
            return "Embedded Redirect Servlet invoked with a \"redirectTarget\" which is not in the list of allowed origins.";
        }
        return null;
    }

    /**
     * Logs the rejection reason and sends a 403 with the generic, non-revealing body.
     *
     * @param httpServletResponse the response to write the error to
     * @param logMessage          the WARN-level explanation; goes to the log only
     * @throws IOException if the error response cannot be written
     */
    private static void forbid(HttpServletResponse httpServletResponse, String logMessage) throws IOException {
        LOG.warn(logMessage);
        httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, FORBIDDEN_MESSAGE);
    }
}
