package com.appiancorp.security.util;

import com.appian.css.theme.ConfigurableStyleType;
import com.appiancorp.ag.constant.Constants;
import com.appiancorp.cache.AppianCacheFactory;
import com.appiancorp.cache.Cache;
import com.appiancorp.navigation.url.UrlPathSegment;
import com.appiancorp.process.actorscript.ast.processmodel.ActorAnnotationValues;
import com.appiancorp.process.properties.TaskDetails;
import com.appiancorp.process.runtime.forms.visitors.LinkComponentVisitor;
import com.appiancorp.security.SecurityConfiguration;
import com.appiancorp.suite.cfg.ConfigurationFactory;
import com.appiancorp.suiteapi.collaboration.Document;
import com.appiancorp.uidesigner.conf.HoverPanelConstants;
import com.appiancorp.uidesigner.conf.LegacyButton;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Lists;
import com.google.common.collect.UnmodifiableIterator;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Nullable;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.owasp.html.AppianStylingValidator;
import org.owasp.html.AttributePolicy;
import org.owasp.html.HtmlChangeListener;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.springframework.web.util.HtmlUtils;

/* loaded from: input_file:com/appiancorp/security/util/StringSecurityUtils.class */
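/**
 * String-level security helpers: HTML encoding/decoding, OWASP-sanitizer based HTML
 * cleaning with several allow-lists, href/URI acceptance checks used before a value is
 * forwarded to, embedded in, or referenced from a page, and a few CSS value checks.
 *
 * <p>Review notes for maintainers:
 * <ul>
 *   <li>The default and e-mail policies call {@code allowUrlsInStyles(IDENTITY_ATTRIBUTE_POLICY)},
 *       i.e. any URL inside an inline {@code style} is passed through untouched. Browsers do not
 *       run script from CSS {@code url()}, but this still allows arbitrary remote fetches
 *       (tracking pixels, referrer leaks) from user-authored HTML and from e-mail bodies.</li>
 *   <li>Administrator-configured extra URL protocols are appended to the sanitizer allow-list;
 *       this class refuses the script-capable schemes it knows about, but any other configured
 *       scheme is trusted as-is.</li>
 *   <li>The URI predicates below are substring checks on the raw string; they do not URL-decode.
 *       Callers that hand the value to something which decodes it (e.g. a browser) should treat
 *       a {@code false} result as "nothing obviously wrong", not as proof of safety.</li>
 * </ul>
 */
public final class StringSecurityUtils {
    public static final String JSP_EXTENSION = ".jsp";
    private static final Logger LOG = Logger.getLogger(StringSecurityUtils.class);

    /** {@code #rgb} or {@code #rrggbb}; case-insensitive (the original flag value 2 is CASE_INSENSITIVE). */
    private static final Pattern VALID_HEX_COLOR = Pattern.compile("^#([a-f0-9]{6}|[a-f0-9]{3})$", Pattern.CASE_INSENSITIVE);

    /** Memoises {@link #testHref(String)} results, keyed by the raw href string. Bounds come from the .ccf config, not from this class. */
    private static Cache jcsCache = AppianCacheFactory.getInstance().getCache("appian/cache/jcs-safeUriCache-config.ccf");

    /** Substrings that disqualify a path from being used in a JSP include (compared lower-cased). */
    private static final String[] INVALID_JSP_SUBSTRINGS = {"..", ":/", "/web-inf", "/logs", "/shared-logs"};

    /**
     * Web directories a JSP forward target may live in. Note: this is a mutable public list and
     * {@link #isFileUrlInValidWebDirectory(String)} matches on prefix only (no trailing "/"), so
     * "/adminXYZ/x.jsp" is also accepted; tightening that is a behaviour change for callers.
     */
    public static final List<String> VALID_WEB_DIRECTORIES = Lists.newArrayList(new String[]{"/admin", "/analytics", "/applications", "/collaboration", "/components", "/contents", "/custom", "/environments", "/forms", "/forums", "/framework", "/knowledge", "/ntf", "/personalization", "/plugins", "/portal", "/portlet", "/process", "/rules", "/webservices"});

    @VisibleForTesting
    protected static final List<String> VALID_DECORATOR_ENDPOINTS = Lists.newArrayList(new String[]{"/page", "/group", "/user", "/forum", "/thread", "/folder", "/kc", "/community", "/task", "/proc", "/model"});

    @VisibleForTesting
    protected static final ImmutableList<String> VALID_URL_ENDINGS = ImmutableList.<String>builder()
            .add(".do").add(".bg").add(".print").add(".popup").add(".simplepopup").add(".frameset").add(".preview").build();

    /** URL schemes always allowed by the default and e-mail policies, before any configured extras. */
    private static final ImmutableList<String> BASE_URL_PROTOCOLS =
            ImmutableList.of("http", "https", "mailto", "tel", "ftp", "ftps", "sftp");

    /** Schemes that can execute script in a link; never honoured even if an administrator configures them. */
    private static final ImmutableList<String> SCRIPT_SCHEMES = ImmutableList.of("javascript", "vbscript");

    /**
     * Leading "scheme:" (RFC 3986 scheme syntax), tolerating leading whitespace/control characters,
     * which browsers strip before scheme detection ("  javascript:" still runs).
     */
    private static final Pattern SCHEME_PREFIX = Pattern.compile("^[\\s\\x00-\\x1f]*[a-zA-Z][a-zA-Z0-9+.\\-]*:");

    protected static final ImmutableList<String> DEFAULT_ALLOWED_HTML_ELEMENTS = ImmutableList.<String>builder().add(new String[]{Document.SORT_COLUMN_SIZE, "i", "font", "s", "u", "o", "sup", "sub", "ins", "del", "strong", "strike", "tt", "code", "big", "small", "br", "em", UrlPathSegment.PAGE_INDICATOR, "div", "h1", "h2", "h3", "h4", "h5", "h6", "ul", "ol", "li", "blockquote", Constants.ACTIVATE, "hr", "img", "table", "tbody", "tr", TaskDetails.FIELD_NAME_ON_CDT}).build();

    /** Replaced wholesale by {@link #updatePolicyFactoryConfiguration}; volatile so readers on other threads see the swap. */
    private static volatile PolicyFactory DEFAULT_POLICY_FACTORY = createPolicyFactory((SecurityConfiguration) ConfigurationFactory.getConfiguration(SecurityConfiguration.class));

    private static final ImmutableList<String> RICH_TEXT_ALLOWED_HTML_ELEMENTS = ImmutableList.<String>builder().add(new String[]{UrlPathSegment.PAGE_INDICATOR, "em", "strong", "u", "span", "h3", "h4", "h5", "img", Constants.ACTIVATE}).build();

    /** Rich-text policy: fixed scheme list, no inline styling, only data-* presentation attributes. */
    private static final PolicyFactory RICH_TEXT_POLICY_FACTORY = new HtmlPolicyBuilder()
            .allowUrlProtocols(new String[]{"http", "https", "mailto", "ftp", "tel"})
            .allowElements((String[]) RICH_TEXT_ALLOWED_HTML_ELEMENTS.toArray(new String[0]))
            .allowAttributes(new String[]{"data-size", "data-color"}).onElements(new String[]{"span"})
            .allowAttributes(new String[]{"data-icon", "src", "alt", "title"}).onElements(new String[]{"img"})
            .allowAttributes(new String[]{LinkComponentVisitor.HREF, "data-linkstyle", "type", "data-label", "data-openlinkin"}).onElements(new String[]{Constants.ACTIVATE})
            .toFactory();

    protected static final ImmutableList<String> EMAIL_BODY_ALLOWED_HTML_ELEMENTS = ImmutableList.<String>builder().addAll(DEFAULT_ALLOWED_HTML_ELEMENTS).add("span").build();
    private static PolicyFactory EMAIL_BODY_DEFAULT_POLICY_FACTORY = createPolicyFactoryEmailBody((SecurityConfiguration) ConfigurationFactory.getConfiguration(SecurityConfiguration.class));

    /**
     * Matches the tag-name-like run right after a "<": optional whitespace, one non-slash character,
     * then word characters or "-". For "</b>" find() skips the slash and yields "b", so closing tags
     * are classified by the same name as their opening tag.
     */
    private static final Pattern TAG_NAME_AFTER_LT = Pattern.compile("\\s*[^/][\\w-]*");

    private StringSecurityUtils() {
    }

    @VisibleForTesting
    static void updatePolicyFactoryConfiguration(SecurityConfiguration securityConfiguration) {
        DEFAULT_POLICY_FACTORY = createPolicyFactory(securityConfiguration);
    }

    /** Default policy: {@link #DEFAULT_ALLOWED_HTML_ELEMENTS} plus configured protocols. */
    private static PolicyFactory createPolicyFactory(SecurityConfiguration securityConfiguration) {
        return buildConfigurablePolicy(securityConfiguration, DEFAULT_ALLOWED_HTML_ELEMENTS);
    }

    /** E-mail body policy: same as the default policy but also allows {@code <span>}. */
    private static PolicyFactory createPolicyFactoryEmailBody(SecurityConfiguration securityConfiguration) {
        return buildConfigurablePolicy(securityConfiguration, EMAIL_BODY_ALLOWED_HTML_ELEMENTS);
    }

    /**
     * Base scheme list plus administrator-configured extras. Blank entries are skipped and
     * script-capable schemes are refused (and logged), since allowing them would defeat the
     * sanitizer for every link it lets through.
     */
    private static List<String> allowedUrlProtocols(SecurityConfiguration securityConfiguration) {
        List<String> protocols = new ArrayList<>(BASE_URL_PROTOCOLS);
        List<String> configured = securityConfiguration.getAllowedProtocols();
        if (configured == null) {
            return protocols;
        }
        for (String scheme : configured) {
            if (scheme == null || scheme.trim().isEmpty()) {
                continue;
            }
            if (SCRIPT_SCHEMES.contains(scheme.trim().toLowerCase(Locale.ROOT))) {
                LOG.warn("Ignoring configured URL protocol \"" + forLog(scheme) + "\": script-capable schemes are never allowed in sanitized HTML");
                continue;
            }
            protocols.add(scheme);
        }
        return protocols;
    }

    /**
     * Shared builder for the default and e-mail policies; the only difference between them is the
     * element allow-list. Attribute allow-lists are identical to the original two copies.
     *
     * <p>Caveats: {@code allowUrlsInStyles(IDENTITY_ATTRIBUTE_POLICY)} lets any {@code url()} in an
     * inline style through unchanged; {@code target} is allowed on anchors, and whether the sanitizer
     * injects {@code rel="noopener"} for it depends on the OWASP sanitizer version in use (confirm
     * against the deployed version if reverse-tabnabbing matters for this content).
     */
    private static PolicyFactory buildConfigurablePolicy(SecurityConfiguration securityConfiguration, ImmutableList<String> allowedElements) {
        List<String> protocols = allowedUrlProtocols(securityConfiguration);
        return new HtmlPolicyBuilder()
                .allowElements((String[]) allowedElements.toArray(new String[0]))
                .allowUrlProtocols((String[]) protocols.toArray(new String[0]))
                .allowStyling()
                .allowUrlsInStyles(AttributePolicy.IDENTITY_ATTRIBUTE_POLICY)
                .allowAttributes(new String[]{ActorAnnotationValues.LABEL_COLOR, "face", "size"}).onElements(new String[]{"font"})
                .allowAttributes(new String[]{LinkComponentVisitor.HREF, "name", "target"}).onElements(new String[]{Constants.ACTIVATE})
                .allowAttributes(new String[]{"src", "name", "alt", HoverPanelConstants.HEIGHT, HoverPanelConstants.WIDTH, "align", "hspace", "vspace", "border"}).onElements(new String[]{"img"})
                .allowAttributes(new String[]{"cellspacing", "cellpadding", "border", HoverPanelConstants.WIDTH}).onElements(new String[]{"table"})
                .allowAttributes(new String[]{"valign", HoverPanelConstants.WIDTH}).onElements(new String[]{TaskDetails.FIELD_NAME_ON_CDT})
                .allowAttributes(new String[]{"title", LegacyButton.FIELD_STYLE}).globally()
                .toFactory();
    }

    /**
     * Entity-encodes {@code str} for HTML text/attribute context, additionally encoding the single
     * quote (commons-lang's escapeHtml leaves it alone). Returns {@code null} for {@code null}.
     */
    public static String encodeHtml(String str) {
        if (str == null) {
            return null;
        }
        return StringEscapeUtils.escapeHtml(str).replaceAll("'", "&#039;");
    }

    /**
     * Inverse of {@link #encodeHtml}. The result is raw text and must be re-encoded before being
     * placed back into HTML. Returns {@code null} for {@code null}.
     */
    public static String decodeHtml(String str) {
        if (str == null) {
            return null;
        }
        return StringEscapeUtils.unescapeHtml(str).replaceAll("&#039;", "'");
    }

    /** Escapes {@code str} as a JavaScript string literal body (commons-lang rules). {@code null} stays {@code null}. */
    public static String escapeJavaScript(String str) {
        if (str == null) {
            return null;
        }
        return StringEscapeUtils.escapeJavaScript(str);
    }

    /** Sanitizes with the default policy and element allow-list. */
    public static String cleanHtml(String str) throws IllegalArgumentException {
        return cleanHtml(str, DEFAULT_POLICY_FACTORY, DEFAULT_ALLOWED_HTML_ELEMENTS);
    }

    /**
     * Removes every tag (empty element allow-list, so every "<" is encoded before sanitizing).
     * When {@code unescape} is true the entities are decoded back to plain text; that output is
     * suitable for text contexts only and must NOT be written into HTML again without encoding.
     */
    public static String stripHtml(String str, boolean z) throws IllegalArgumentException {
        String sanitized = cleanHtml(str, DEFAULT_POLICY_FACTORY, Collections.<String>emptyList());
        if (z) {
            return HtmlUtils.htmlUnescape(sanitized);
        }
        return sanitized;
    }

    /** Sanitizes with the rich-text policy (no configured protocols, no inline styling). */
    public static String cleanRichTextHtml(String str) throws IllegalArgumentException {
        return cleanHtml(str, RICH_TEXT_POLICY_FACTORY, RICH_TEXT_ALLOWED_HTML_ELEMENTS);
    }

    /** Sanitizes with the e-mail body policy (default policy plus {@code <span>}). */
    public static String cleanEmailBodyHtml(String str) throws IllegalArgumentException {
        return cleanHtml(str, EMAIL_BODY_DEFAULT_POLICY_FACTORY, EMAIL_BODY_ALLOWED_HTML_ELEMENTS);
    }

    /**
     * Sanitizes {@code str}: first every "<" that does not start a tag in {@code list} is turned
     * into {@code &lt;} ({@link #encodeNonHtmlTags}), then the remainder is run through
     * {@code policyFactory}. Discarded elements/attributes are logged at WARN.
     *
     * @return the sanitized HTML, or {@code null} when {@code str} is {@code null}
     * @throws IllegalArgumentException when {@code policyFactory} or {@code list} is {@code null}
     */
    public static String cleanHtml(String str, PolicyFactory policyFactory, List<String> list) throws IllegalArgumentException {
        if (str == null) {
            return null;
        }
        if (policyFactory == null) {
            // Original message read "A PolicyFactory was supplied", which is the opposite of the condition.
            throw new IllegalArgumentException("A PolicyFactory was not supplied");
        }
        if (list == null) {
            throw new IllegalArgumentException("The list of allowedHtmlElements was not supplied");
        }
        HtmlChangeListener<Object> auditLog = new HtmlChangeListener<Object>() {
            @Override
            public void discardedTag(@Nullable Object context, String elementName) {
                if (LOG.isEnabledFor(Level.WARN)) {
                    LOG.warn("Discarded the HTML element \"" + elementName + "\" during sanitization");
                }
            }

            @Override
            public void discardedAttributes(@Nullable Object context, String elementName, String... attributeNames) {
                if (LOG.isEnabledFor(Level.WARN)) {
                    LOG.warn("Discarded the following HTML element attributes [" + String.join(", ", attributeNames) + "] on the HTML element \"" + elementName + "\" during sanitization");
                }
            }
        };
        return policyFactory.sanitize(encodeNonHtmlTags(str, list), auditLog, null);
    }

    /**
     * Decides whether {@code str} is acceptable as an href, by wrapping it in an anchor and
     * checking that the default policy keeps the link. Results are memoised in {@link #jcsCache}.
     *
     * <p>Rules, in order: {@code null} is rejected; "" is accepted; a trailing ":" is rejected;
     * any quote character is rejected (it would break out of the test attribute); when
     * {@code skipHrefValidation()} is configured everything else is accepted; otherwise the
     * sanitizer decides. Note the sanitizer policy here includes administrator-configured protocols.
     */
    public static boolean testHref(String str) {
        if (str == null) {
            return false;
        }
        if (str.isEmpty()) {
            return true;
        }
        if (str.endsWith(":")) {
            return false;
        }
        // Single get instead of containsKey+get: an entry evicted between the two calls would NPE on unboxing.
        Object cached = jcsCache.get(str);
        if (cached instanceof Boolean) {
            return (Boolean) cached;
        }
        if (str.indexOf('"') > -1 || str.indexOf('\'') > -1) {
            LOG.warn("The location: " + forLog(str) + " was not accepted because it contains a quote.");
            jcsCache.put(str, false);
            return false;
        }
        SecurityConfiguration config = (SecurityConfiguration) ConfigurationFactory.getConfiguration(SecurityConfiguration.class);
        if (config.skipHrefValidation()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("The location: " + forLog(str) + " was accepted because href validation was disabled");
            }
            jcsCache.put(str, true);
            return true;
        }
        // If the sanitizer dropped the <a>, only the literal text "test" survives.
        boolean linkSurvived = !cleanHtml("<a href=\"" + str + "\">test</a>").matches("test");
        if (!linkSurvived) {
            LOG.warn("The location: " + forLog(str) + " was not accepted because it was considered insecure.");
        }
        jcsCache.put(str, linkSurvived);
        return linkSurvived;
    }

    /**
     * Pre-pass for {@link #cleanHtml}: splits on "<" and re-joins, keeping the "<" only where the
     * following tag name (lower-cased) is in {@code list}; every other "<" becomes {@code &lt;}.
     * Returns "" for {@code null} or empty input. Closing tags are matched by their element name.
     */
    @VisibleForTesting
    static String encodeNonHtmlTags(String str, List<String> list) {
        if (str == null || str.isEmpty()) {
            return "";
        }
        String[] pieces = StringUtils.splitPreserveAllTokens(str, "<");
        StringBuilder out = new StringBuilder(pieces[0]);
        for (int i = 1; i < pieces.length; i++) {
            Matcher m = TAG_NAME_AFTER_LT.matcher(pieces[i]);
            if (!m.find()) {
                if (LOG.isEnabledFor(Level.WARN)) {
                    LOG.warn("In the string: " + forLog(str) + " the open angle bracket number " + i + " was encoded because no text was found after it, so it's will be treated as plain text.");
                }
                out.append("&lt;");
                continue;
            }
            String tagName = m.group().toLowerCase().trim();
            if (list.contains(tagName)) {
                out.append("<");
            } else {
                if (LOG.isEnabledFor(Level.WARN)) {
                    LOG.warn("In the string: " + forLog(str) + " the tag: <" + tagName + " was encoded since it's not defined in the current security policy.");
                }
                out.append("&lt;");
            }
            out.append(pieces[i]);
        }
        return out.toString();
    }

    /** True when {@code str} starts with one of {@link #VALID_WEB_DIRECTORIES} (prefix match, see field note). */
    public static boolean isFileUrlInValidWebDirectory(String str) {
        if (str == null) {
            return false;
        }
        for (String dir : VALID_WEB_DIRECTORIES) {
            if (str.startsWith(dir)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Like {@link #isUriPossiblyMaliciousForForwarding} but additionally rejects plain
     * {@code http:} URLs (mixed content when embedded in an HTTPS page).
     */
    public static boolean isUriPossiblyMaliciousForEmbedding(String str) {
        if (str == null) {
            return true;
        }
        return isProtocolHttp(str) || isUriPossiblyMaliciousForForwarding(str);
    }

    /**
     * Conservative check that {@code str} is either an {@code https} URL or a site-local path
     * ending in a known decorator endpoint/extension or a JSP in an allowed directory.
     *
     * <p>Order matters: ".." anywhere is rejected; anything containing ":/" must be https; then,
     * before the suffix checks, a value that carries a scheme without ":/" ({@code javascript:},
     * {@code data:}, {@code mailto:}) or a protocol-relative authority ({@code //host}, {@code /\host},
     * {@code \host}) is rejected. Without that step "javascript:alert(1)//x.do" and "//evil.example/x.do"
     * satisfied the ".do" suffix check and were reported as not malicious, which matters wherever the
     * value reaches a browser (see {@link #isUriPossiblyMaliciousForEmbedding}). No URL-decoding is
     * performed; "%2e%2e" is not recognised as "..".
     *
     * @return {@code true} when the value should NOT be used; {@code null} is treated as malicious
     */
    public static boolean isUriPossiblyMaliciousForForwarding(String str) {
        if (str == null || str.indexOf("..") > -1) {
            return true;
        }
        if (str.indexOf(":/") > -1) {
            return !isSecureHref(str);
        }
        if (hasScheme(str) || isProtocolRelative(str)) {
            return true;
        }
        String path = removeQueryParameters(str);
        return !(isValidDecoratorUri(path) || isValidJspUri(path));
    }

    /** True when {@code str} parses as a URI whose scheme is exactly "https" (case-sensitive). */
    public static boolean isSecureHref(String str) {
        try {
            return "https".equals(new URI(str).getScheme());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** True when {@code str} parses as a URI whose scheme is exactly "http" (case-sensitive). */
    private static boolean isProtocolHttp(String str) {
        try {
            return "http".equals(new URI(str).getScheme());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /**
     * CSS-reference variant: ".." is rejected; a value with ":/" must be http or https; a value
     * with some other scheme (e.g. {@code data:}) or a protocol-relative authority is rejected;
     * any other relative path is accepted. {@code null} is treated as malicious.
     */
    public static boolean isUriPossiblyMaliciousForCSS(String str) {
        if (str == null || str.indexOf("..") > -1) {
            return true;
        }
        if (str.indexOf(":/") > -1) {
            return !(isSecureHref(str) || isProtocolHttp(str));
        }
        return hasScheme(str) || isProtocolRelative(str);
    }

    /** Leading "scheme:" per {@link #SCHEME_PREFIX}. */
    private static boolean hasScheme(String str) {
        return SCHEME_PREFIX.matcher(str).find();
    }

    /**
     * Protocol-relative or backslash-authority forms that browsers resolve to another host:
     * "//host", "/\host", "\\host", "\/host".
     */
    private static boolean isProtocolRelative(String str) {
        String s = str.trim();
        return s.startsWith("//") || s.startsWith("/\\") || s.startsWith("\\");
    }

    protected static boolean isValidDecoratorUri(String str) {
        return isValidDecoratorEndpoint(str) || hasValidExtension(str);
    }

    /** Prefix match against {@link #VALID_DECORATOR_ENDPOINTS} (no boundary after the prefix). */
    protected static boolean isValidDecoratorEndpoint(String str) {
        for (String endpoint : VALID_DECORATOR_ENDPOINTS) {
            if (str.startsWith(endpoint)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Validates a themed CSS value for the given style type: colours accept {@code #rgb}/{@code #rrggbb}
     * directly, everything else is delegated to {@link AppianStylingValidator} as a synthetic
     * "property:value" declaration. {@code null} arguments and unknown types yield {@code false}.
     */
    public static boolean isValidCssProperty(ConfigurableStyleType configurableStyleType, String str) {
        if (configurableStyleType == null || str == null) {
            return false;
        }
        String value = str.trim();
        switch (configurableStyleType) {
            case COLOR:
                return VALID_HEX_COLOR.matcher(value).matches()
                        || AppianStylingValidator.validateCssProperty("color:" + value);
            case FONT_FAMILY:
                return AppianStylingValidator.validateCssProperty("font-family:" + value);
            case PIXELS:
                return AppianStylingValidator.validateCssProperty("height:" + value);
            default:
                return false;
        }
    }

    /**
     * Rejects paths containing any of {@link #INVALID_JSP_SUBSTRINGS} (case-insensitive).
     * {@code null} is accepted, matching the original contract callers rely on; the check is a
     * raw-substring one and does not decode percent-encoding or normalise backslashes.
     */
    public static boolean isValidForJspInclude(String str) {
        if (str == null) {
            return true;
        }
        String lower = str.toLowerCase();
        for (String forbidden : INVALID_JSP_SUBSTRINGS) {
            if (lower.contains(forbidden)) {
                return false;
            }
        }
        return true;
    }

    /** Everything before the first "?" (the whole string when there is none). */
    @VisibleForTesting
    protected static String removeQueryParameters(String str) {
        int q = str.indexOf('?');
        return q < 0 ? str : str.substring(0, q);
    }

    protected static boolean isValidJspUri(String str) {
        return isJspFile(str) && isFileUrlInValidWebDirectory(str);
    }

    private static boolean hasValidExtension(String str) {
        for (String ending : VALID_URL_ENDINGS) {
            if (str.endsWith(ending)) {
                return true;
            }
        }
        return false;
    }

    private static boolean isJspFile(String str) {
        return str.endsWith(JSP_EXTENSION);
    }

    /** Strips CR/LF from attacker-controlled values before they are written into a log line. */
    private static String forLog(String value) {
        return value == null ? "null" : value.replaceAll("[\\r\\n]", " ");
    }
}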
