package com.ibm.wbimonitor.rest.security.accesscontrol;

import com.ibm.websphere.logging.WsLevel;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.core.ContextManagerFactory;
import java.io.BufferedReader;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import java.util.Locale;
import java.util.Vector;
import java.util.logging.Logger;
import java.util.regex.Pattern;

/* loaded from: input_file:library_jars/com.ibm.wbimonitor.repository.jar:com/ibm/wbimonitor/rest/security/accesscontrol/SQLInjectionChecker.class */
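/**
 * Denylist-style screen for caller-supplied strings that will end up inside SQL.
 *
 * <p>The check rejects a string when it contains the literal {@code ||} concatenation
 * operator or matches one of the regular expressions read from the class-relative
 * resource {@code SQLInjectionCheckerPatterns.properties}. It is a heuristic only:
 * each configured regex is compiled exactly as written and once more in all-lowercase,
 * so matching is not fully case-insensitive, and nothing outside the configured
 * patterns is detected. It does not replace parameterized queries at the data layer.
 *
 * <p>Configuration failures are handled fail-closed: if the pattern resource cannot be
 * read, every string submitted to {@link #sqlInjectionCheck(String)} is rejected with
 * message {@code CWMDS6555E}. The whole check can be switched off with the system
 * property {@code monitor.rest.security.skip_sql_injection_check} set to
 * {@code yes}, {@code true} or {@code on}.
 *
 * <p>Thread-safety: the singleton is created and published under the lock in
 * {@link #getInstance()}; the pattern list is filled during construction and read-only
 * afterwards. Note that the entry trace at FINE level echoes the raw input string.
 */
public class SQLInjectionChecker {
    private static final Logger logger = Logger.getLogger("com.ibm.wbimonitor.rest.security.accesscontrol.SQLInjectionChecker");
    private static final String CLASSNAME = SQLInjectionChecker.class.getName();
    public static final String COPYRIGHT = "Copyright IBM Corporation 2006, 2010.";
    /** System property that disables the check when set to yes/true/on (case-insensitive). */
    private static final String SKIP_PROPERTY = "monitor.rest.security.skip_sql_injection_check";
    /** Resource, resolved relative to this class, holding the keyword regexes. */
    private static final String PATTERN_RESOURCE = "SQLInjectionCheckerPatterns.properties";
    /** Marker line that starts the regex block in the pattern resource. */
    private static final String BLOCK_START = "@START";
    /** Marker line that ends the regex block (reading stops at the first line containing it). */
    private static final String BLOCK_END = "@END";
    private static SQLInjectionChecker sqlInjectionChecker;
    // Compiled keyword regexes; populated once in the constructor, never mutated afterwards.
    private final Vector<Pattern> patterns;
    // Set when the pattern resource could not be read; forces every check to fail.
    private boolean failureParsingKeyWordFile;

    /** Ad-hoc smoke test: prints whether a sample string trips the check. */
    public static void main(String[] strArr) {
        System.out.println("Does the string contain SQL keywords? " + (getInstance().containsSQLKeywords("rest/bpm/monitor/models/OrderItem' or ") ? "YES" : "no"));
    }

    /**
     * Loads the pattern resource. Any failure to load it is recorded in
     * {@link #failureParsingKeyWordFile} so that the checker fails closed instead of
     * silently running with an empty pattern list.
     */
    private SQLInjectionChecker() {
        this.patterns = new Vector<>();
        this.failureParsingKeyWordFile = false;
        try {
            init();
        } catch (IOException | PrivilegedActionException e) {
            // FileNotFoundException is covered by IOException. Log once here with the
            // cause; sqlInjectionCheck() then reports CWMDS6555E on every call.
            this.failureParsingKeyWordFile = true;
            logger.logp(WsLevel.SEVERE, CLASSNAME, "<init>", "Unable to load SQL keyword patterns; every SQL injection check will fail", e);
        }
    }

    /**
     * Returns the shared checker, creating it on first use.
     *
     * <p>Synchronized so that concurrent first callers cannot each build an instance
     * and so that the constructed object is safely published to other threads.
     *
     * @return the singleton instance, never {@code null}
     */
    public static synchronized SQLInjectionChecker getInstance() {
        if (sqlInjectionChecker == null) {
            sqlInjectionChecker = new SQLInjectionChecker();
        }
        return sqlInjectionChecker;
    }

    /**
     * Convenience wrapper around {@link #sqlInjectionCheck(String)}.
     *
     * @param str the string to screen; {@code null} is accepted
     * @return {@code true} if the string was rejected (or the pattern resource failed to load)
     */
    public boolean containsSQLKeywords(String str) {
        logFine(CLASSNAME, "containsSQLKeywords(sql)", "Entry: sql=" + str);
        return sqlInjectionCheck(str) != null;
    }

    /**
     * Screens {@code str} for SQL keyword patterns.
     *
     * <p>Order of evaluation: a {@code null} string and a disabled check (see
     * {@link #SKIP_PROPERTY}) are accepted immediately; a string containing {@code ||}
     * is rejected with {@code CWMDS6556E}; if the pattern resource failed to load the
     * string is rejected with {@code CWMDS6555E}; otherwise the first matching pattern
     * rejects it with {@code CWMDS6554E}.
     *
     * @param str the string to screen
     * @return {@code null} if the string is accepted, otherwise the localized rejection message
     */
    public String sqlInjectionCheck(String str) {
        final String method = "sqlInjectionCheck(sql)";
        // The raw caller input is echoed into the FINE trace, as in the original.
        logFine(CLASSNAME, method, "Entry: sql=" + str);
        if (str == null) {
            logFine(CLASSNAME, method, "Exit: Passed-in string is null. No SQL injection check is done");
            return null;
        }
        if (isCheckDisabled()) {
            logFine(CLASSNAME, method, "Skipping SQL Injection check is ON");
            logFine(CLASSNAME, method, "Exit: no SQL injection check is done");
            return null;
        }
        if (str.contains("||")) {
            String message = Messages.getMessage("CWMDS6556E");
            logError(CLASSNAME, method, message);
            logFine(CLASSNAME, method, "Exit");
            return message;
        }
        if (this.failureParsingKeyWordFile) {
            // Fail closed: no usable pattern list means nothing is let through.
            String message = Messages.getMessage("CWMDS6555E");
            logError(CLASSNAME, method, message);
            logFine(CLASSNAME, method, "Exit: Failed SQL injection check");
            return message;
        }
        for (Pattern pattern : this.patterns) {
            if (pattern.matcher(str).find()) {
                String message = Messages.getMessage("CWMDS6554E", new Object[]{pattern.toString()});
                logError(CLASSNAME, method, message);
                return message;
            }
        }
        logFine(CLASSNAME, method, "Exiting: Passed SQL injection check");
        return null;
    }

    /** Reads {@link #SKIP_PROPERTY}; true only for the values yes/true/on, ignoring case. */
    private static boolean isCheckDisabled() {
        String property = System.getProperty(SKIP_PROPERTY);
        return property != null
                && (property.equalsIgnoreCase("yes") || property.equalsIgnoreCase("true") || property.equalsIgnoreCase("on"));
    }

    private void init() throws FileNotFoundException, IOException, PrivilegedActionException {
        loadSQLKeyWordsFromFile();
    }

    /**
     * Opens the pattern resource as the system identity and fills {@link #patterns}.
     *
     * @throws FileNotFoundException if the resource is not on the class path
     * @throws IOException if reading the resource fails
     * @throws PrivilegedActionException if the privileged resource lookup fails (also recorded via FFDC)
     */
    private void loadSQLKeyWordsFromFile() throws FileNotFoundException, IOException, PrivilegedActionException {
        final String method = "loadSQLKeyWordsFromFile()";
        logFine(CLASSNAME, method, "Entry");
        final Class<?> cls = getClass();
        InputStream inputStream;
        try {
            // The lookup runs as the system identity so that the caller's security
            // context cannot prevent the resource from being read.
            inputStream = (InputStream) ContextManagerFactory.getInstance().runAsSystem(new PrivilegedExceptionAction<InputStream>() {
                @Override
                public InputStream run() {
                    return cls.getResourceAsStream(PATTERN_RESOURCE);
                }
            });
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e, CLASSNAME, "148");
            throw e;
        }
        if (inputStream == null) {
            throw new FileNotFoundException(PATTERN_RESOURCE);
        }
        // try-with-resources closes the stream, which the original never did.
        // No charset is given, so the platform default is used, as before.
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream))) {
            parsePatterns(reader);
        }
        if (logger.isLoggable(WsLevel.FINE)) {
            if (this.patterns.isEmpty()) {
                logger.logp(WsLevel.FINE, CLASSNAME, method, "Patterns has no items.");
            } else {
                for (Pattern pattern : this.patterns) {
                    logger.logp(WsLevel.FINE, CLASSNAME, method, "Patterns item: " + pattern.toString());
                }
            }
        }
        logFine(CLASSNAME, method, "Exit");
    }

    /**
     * Reads regexes from the {@code @START} ... {@code @END} block of the pattern file.
     *
     * <p>Every line inside the block contributes the text between its first and last
     * double quote; lines before {@code @START} and lines without two quotes are
     * ignored, and reading stops at the first line containing {@code @END}. Each
     * regex is compiled as written and again in lowercase.
     *
     * @param reader open reader over the pattern resource
     * @throws IOException if a line cannot be read
     */
    private void parsePatterns(BufferedReader reader) throws IOException {
        boolean inBlock = false;
        String line;
        while ((line = reader.readLine()) != null && line.indexOf(BLOCK_END) == -1) {
            if (!inBlock) {
                if (line.indexOf(BLOCK_START) != -1) {
                    inBlock = true;
                }
                continue;
            }
            int first = line.indexOf('"');
            int last = line.lastIndexOf('"');
            if (first != -1 && first != last) {
                String regex = line.substring(first + 1, last);
                // Only the original and the all-lowercase spelling are compiled, so a
                // mixed-case variant of a keyword is not covered by these two patterns.
                // Locale.ROOT keeps the lowercase form stable regardless of the JVM's
                // default locale (e.g. the Turkish dotless i).
                this.patterns.add(Pattern.compile(regex));
                this.patterns.add(Pattern.compile(regex.toLowerCase(Locale.ROOT)));
            }
        }
    }

    /** Logs at FINE when that level is enabled. */
    private void logFine(String str, String str2, String str3) {
        if (logger.isLoggable(WsLevel.FINE)) {
            logger.logp(WsLevel.FINE, str, str2, str3);
        }
    }

    /** Logs at SEVERE when that level is enabled. */
    private void logError(String str, String str2, String str3) {
        if (logger.isLoggable(WsLevel.SEVERE)) {
            logger.logp(WsLevel.SEVERE, str, str2, str3);
        }
    }
}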
