package org.jeecg.modules.jmreport.common.util;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;
import org.jeecg.modules.jmreport.common.expetion.JimuReportException;
import org.jeecg.modules.jmreport.config.JmReportBaseConfig;
import org.jeecg.modules.jmreport.config.oss.dto.Firewall;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jeecg/modules/jmreport/common/util/SqlInjectionUtil.class */
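/**
 * SQL-injection guard for report SQL and identifiers (decompiled; names are obfuscated).
 *
 * <p>Three mechanisms are combined:
 * <ul>
 *   <li>a keyword / regex denylist applied to free-form SQL text ({@link #a(String, String)} and the
 *       {@code specialFilterContentForOnlineReport} entry points), whose strictness depends on the
 *       configured level from {@link #getCheckLv()};</li>
 *   <li>allowlist regexes for table names ({@link #b(String)}, pattern {@code p}) and field names
 *       ({@link #c(String)}, pattern {@code b});</li>
 *   <li>a per-table blacklist map {@link #a} consulted by {@link #a(String, String...)}.</li>
 * </ul>
 *
 * <p>Denylists are inherently bypassable; the allowlist identifier checks are the stronger control.
 * {@link #a} is a public mutable map and is therefore part of the class's interface. Static state
 * ({@code d}, {@code e}) is lazily initialised without synchronisation.
 */
public class SqlInjectionUtil {
    /** Cached check level string; lazily resolved by {@link #getCheckLv()}. */
    private static String d;
    /** Base config bean; lazily resolved from the Spring context in {@link #getCheckLv()}. */
    private static JmReportBaseConfig e;
    /** Base keyword denylist, used at the "simple" level (entries separated by {@code constant.d.az}). */
    private static final String f = "exec |extractvalue|updatexml|insert |alter |delete |grant |update |drop |truncate |declare |--";
    /** Extended keyword denylist for online-report SQL (the base list plus schema/gtid/master keywords). */
    private static final String g = "exec |extractvalue|updatexml|insert |alter |delete |grant |update |drop |truncate |declare |--|peformance_schema|information_schema|geohash|gtid_subset|gtid_subtract|master ";
    /** Keyword denylist for general values checked through {@link #a(String...)}. */
    private static final String h = "peformance_schema|information_schema|geohash|gtid_subset|gtid_subtract|count |chr |mid |master |char |;|+";
    /** Regex denylist applied to lower-cased SQL; initialised in the static block. */
    private static final String[] j;
    /** Compiled form of {@link #j}, built once so the per-call loop does not recompile. */
    private static final Pattern[] jCompiled;
    /** Matches a complete {@code /* ... *}{@code /} block comment. */
    private static final Pattern k;
    /** Line-comment marker; any occurrence is rejected by {@link #a(String)}. */
    private static final String l = "--";
    /**
     * Table blacklist: key = table name, value = {@code constant.d.ck} (whole table forbidden) or a
     * {@code constant.d.cc}-separated list of forbidden columns. Public and mutable by design of the
     * original code, so callers may extend it.
     */
    public static Map<String, String> a;
    private static final String m = "请注意，存在SQL注入关键词---> {}";
    private static final String n = "请注意，值可能存在SQL注入风险!--->";
    private static final String o = "请注意，值可能存在SQL注入风险!---> {}";
    /** Table-name allowlist: letter first, then up to 63 letters/digits/underscores. */
    private static Pattern p;
    /** Field-name allowlist: one or more letters/digits/underscores. */
    static final Pattern b;
    private static final Logger c = LoggerFactory.getLogger(SqlInjectionUtil.class);
    /** Keywords that must match without a leading space (see {@link #b(String, String)}). */
    private static List<String> i = new ArrayList<>();

    /**
     * Checks online-report SQL against the keyword denylist, with special handling for
     * SQL Server stored-procedure calls.
     *
     * @param str  passed to {@code e.b(str)} to decide whether the SQL Server branch applies
     *             (presumably a datasource identifier — confirm against callers)
     * @param str2 the SQL text to check
     * @throws JimuReportException if an {@code exec } statement is not a stored-procedure call
     *                             matching {@code desreport.util.l.t}, or if {@link #a(String, String)} rejects the SQL
     */
    public static void specialFilterContentForOnlineReport(String str, String str2) {
        // Stricter list by default; the level constant.d.gq downgrades to the base list.
        String str3 = g;
        if (org.jeecg.modules.jmreport.common.constant.d.gq.equals(getCheckLv())) {
            str3 = f;
        }
        // NOTE(review): e is only assigned inside getCheckLv(); if the bean lookup failed there,
        // e is still null and e.b(str) throws NPE (fails closed, but noisily) — confirm intended.
        if (str2.contains("exec ") && org.jeecg.modules.jmreport.dyndb.util.b.c(e.b(str))) {
            if (str2.endsWith(org.jeecg.modules.jmreport.common.constant.c.t)) {
                str2 = str2.substring(0, str2.length() - 1);
            }
            if (!org.jeecg.modules.jmreport.desreport.util.l.t.matcher(str2).matches()) {
                c.error("SQL Server 不允许非存储过程的 exec 语句: {}", str2);
                throw new JimuReportException(1001, n + str2);
            }
            // "exec " is permitted for this statement; drop it from the denylist for this check only.
            str3 = g.replace("exec |", org.jeecg.modules.jmreport.common.constant.d.fC);
        }
        a(str2, str3);
    }

    /**
     * Checks online-report SQL against the keyword denylist (extended list, or the base list at
     * level {@code constant.d.gq}).
     *
     * @param str the SQL text to check
     * @throws JimuReportException if {@link #a(String, String)} rejects the SQL
     */
    public static void specialFilterContentForOnlineReport(String str) {
        String str2 = g;
        if (org.jeecg.modules.jmreport.common.constant.d.gq.equals(getCheckLv())) {
            str2 = f;
        }
        a(str, str2);
    }

    /**
     * Checks each non-empty value against the general denylist {@code h}
     * (or the base list {@code f} when the level is {@code "simple"}).
     *
     * @param strArr values to check; empty entries are skipped
     * @throws JimuReportException if any value is rejected by {@link #a(String, String)}
     */
    public static void a(String... strArr) {
        for (String str : strArr) {
            if (!OkConvertUtils.isEmpty(str)) {
                String str2 = h;
                if ("simple".equals(getCheckLv())) {
                    str2 = f;
                }
                a(str, str2);
            }
        }
    }

    /**
     * Core denylist check.
     *
     * <p>Order of checks: skip null/empty input or a disabled level ({@code constant.d.gr});
     * reject comments ({@link #a(String)}); trust exact matches of the built-in SQL returned by
     * {@code dyndb.util.b.getAllSql()}; then test every keyword in {@code str2} via
     * {@link #b(String, String)} and every regex in {@link #j}.
     *
     * @param str  the value / SQL text to check (may be null)
     * @param str2 keyword denylist, entries separated by {@code constant.d.az}
     * @throws JimuReportException if a comment, keyword or regex is found
     */
    public static void a(String str, String str2) {
        if (str == null || org.jeecg.modules.jmreport.common.constant.d.fC.equals(str) || org.jeecg.modules.jmreport.common.constant.d.gr.equals(getCheckLv())) {
            return;
        }
        String[] split = str2.split(org.jeecg.modules.jmreport.common.constant.d.az);
        a(str);
        // Locale.ROOT: the default locale can lower-case "I" to a dotless i, which would
        // make the ASCII keywords below miss.
        String lowerCase = str.toLowerCase(Locale.ROOT);
        if (d(lowerCase)) {
            return;
        }
        String replaceAll = lowerCase.replaceAll("/\\*.*\\*/", org.jeecg.modules.jmreport.common.constant.d.fC);
        for (String keyword : split) {
            if (b(replaceAll, keyword)) {
                c.error(m, keyword);
                c.error(o, replaceAll);
                throw new JimuReportException(1001, n + replaceAll);
            }
        }
        for (int i2 = 0; i2 < j.length; i2++) {
            // find() instead of Pattern.matches(".*X.*"): '.' does not cross line terminators, so the
            // wrapped form never matched a keyword inside multi-line SQL.
            if (jCompiled[i2].matcher(replaceAll).find()) {
                c.error(m, j[i2]);
                c.error(o, replaceAll);
                // Same exception type and code as the keyword branch (was a bare RuntimeException).
                throw new JimuReportException(1001, n + replaceAll);
            }
        }
    }

    /**
     * Returns true when {@code str} equals (case-insensitively) one of the built-in SQL strings
     * from {@code dyndb.util.b.getAllSql()}; such SQL is exempt from the denylist.
     *
     * @param str already lower-cased input
     */
    private static boolean d(String str) {
        return Arrays.stream(org.jeecg.modules.jmreport.dyndb.util.b.getAllSql()).anyMatch(str2 -> {
            return str2.toLowerCase(Locale.ROOT).equals(str);
        });
    }

    /**
     * Rejects SQL containing a line comment ({@code --}) or a block comment.
     *
     * @param str the SQL text
     * @throws JimuReportException if either comment form is present
     */
    public static void a(String str) {
        if (str.contains(l)) {
            c.error("请注意，SQL中不允许含注释，有安全风险！");
            throw new JimuReportException("请注意，SQL中不允许含注释，有安全风险！");
        }
        if (k.matcher(str).find()) {
            c.error("请注意，SQL中不允许含注释，有安全风险！");
            throw new JimuReportException("请注意，SQL中不允许含注释，有安全风险！");
        }
    }

    /**
     * Validates a table name against the allowlist {@code p} and the keyword denylist.
     *
     * @param str the table name
     * @return the trimmed table name
     * @throws JimuReportException if the name is not allowlisted or the denylist rejects it
     */
    public static String b(String str) {
        String trim = str.trim();
        if (p.matcher(trim).matches()) {
            specialFilterContentForOnlineReport(trim);
            return trim;
        }
        String str2 = "表名不合法，存在SQL注入风险!--->" + trim;
        c.error(str2);
        throw new JimuReportException(str2);
    }

    /**
     * Validates a field name (or a {@code constant.d.cc}-separated list of them) against the
     * allowlist {@code b} and the keyword denylist.
     *
     * @param str the field name or list
     * @return the trimmed name, or the re-joined list (see {@link #b(String...)})
     * @throws JimuReportException if any name is not allowlisted or the denylist rejects it
     */
    public static String c(String str) {
        String trim = str.trim();
        if (trim.contains(org.jeecg.modules.jmreport.common.constant.d.cc)) {
            return b(trim.split(org.jeecg.modules.jmreport.common.constant.d.cc));
        }
        if (b.matcher(trim).matches()) {
            specialFilterContentForOnlineReport(trim);
            return trim;
        }
        String str2 = "字段不合法，存在SQL注入风险!--->" + trim;
        c.error(str2);
        throw new JimuReportException(str2);
    }

    /**
     * Validates each field name with {@link #c(String)} and returns the original (untrimmed)
     * names joined with {@code constant.d.cc}.
     *
     * @param strArr field names
     * @throws JimuReportException if any name fails validation
     */
    public static String b(String... strArr) {
        for (String str : strArr) {
            c(str);
        }
        return String.join(org.jeecg.modules.jmreport.common.constant.d.cc, strArr);
    }

    /**
     * Decides whether keyword {@code str2} occurs in {@code str} in a suspicious position.
     *
     * <p>True if the text starts with the trimmed keyword, or contains the keyword preceded by a
     * space (entries listed in {@link #i} are matched bare). Otherwise the non-space run directly
     * before each occurrence (obtained through {@code e.a(...)}, presumably a regex match helper)
     * is inspected for {@code %}, {@code +}, {@code #}, {@code /} or {@code constant.d.ed}.
     *
     * @param str  lower-cased SQL text with block comments removed
     * @param str2 one denylist entry
     */
    private static boolean b(String str, String str2) {
        if (str.startsWith(str2.trim())) {
            return true;
        }
        if (!str.contains(str2)) {
            return false;
        }
        String str3 = " " + str2;
        if (i.contains(str2)) {
            str3 = str2;
        }
        if (str.contains(str3)) {
            return true;
        }
        for (String str4 : (List) e.a("\\s+\\S+" + str2, str, 0, new ArrayList<>())) {
            c.info("isExistSqlInjectKeyword —- 匹配到的SQL注入关键词：{}", str4);
            if (str4.contains("%") || str4.contains("+") || str4.contains("#") || str4.contains("/") || str4.contains(org.jeecg.modules.jmreport.common.constant.d.ed)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Enforces the table blacklist {@link #a} for a table expression and the requested columns.
     *
     * @param str    table expression; the bare table name is extracted by {@link #e(String)}
     * @param strArr requested column names
     * @throws JimuReportException if the table is fully blacklisted ({@code constant.d.ck}) or one
     *                             of its blacklisted columns is requested
     */
    public static void a(String str, String... strArr) {
        String e2 = e(str);
        String str2 = a.get(e2);
        boolean z = true;
        if (str2 != null) {
            if (org.jeecg.modules.jmreport.common.constant.d.ck.equals(str2)) {
                z = false;
                c.warn("sql黑名单校验，表【" + str + "】禁止查询");
            } else if (a(e2, str2, strArr)) {
                z = false;
            }
        }
        if (!z) {
            throw new JimuReportException(1001, "请注意，值可能存在SQL注入风险!--->sql黑名单校验，表【" + str + "】禁止查询");
        }
    }

    /**
     * Returns true if any requested column is in the table's blacklisted column list.
     *
     * @param str    table name (used only for the log message)
     * @param str2   {@code constant.d.cc}-separated blacklisted columns
     * @param strArr requested columns (compared with exact, case-sensitive equality)
     */
    public static boolean a(String str, String str2, String[] strArr) {
        for (String str3 : str2.split(org.jeecg.modules.jmreport.common.constant.d.cc)) {
            for (String str4 : strArr) {
                if (str3.equals(str4)) {
                    c.warn("sql黑名单校验，表【" + str + "】中字段【" + str4 + "】禁止查询");
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Extracts a bare table name from a table expression: takes the part before a
     * case-insensitive {@code where}, drops everything up to and including the first
     * {@code constant.d.ds} (presumably a one-character schema separator — the {@code +1} assumes
     * that), keeps the first whitespace-separated token, and strips whitespace, parentheses and
     * backticks.
     *
     * @param str table expression
     */
    private static String e(String str) {
        String trim = str.split("\\s+(?i)where\\s+")[0].trim();
        if (trim.contains(org.jeecg.modules.jmreport.common.constant.d.ds)) {
            trim = trim.substring(trim.indexOf(org.jeecg.modules.jmreport.common.constant.d.ds) + 1, trim.length()).trim();
        }
        if (trim.contains(" ")) {
            trim = trim.substring(0, trim.indexOf(" ")).trim();
        }
        return trim.replaceAll("\\s+|\\(|\\)|`", org.jeecg.modules.jmreport.common.constant.d.fC);
    }

    /**
     * Resolves and caches the configured SQL-injection check level.
     *
     * <p>Read from {@code Firewall.getSqlInjectionLevel()} on the base config bean; falls back to
     * {@code constant.d.gp} when the firewall section is absent, the level is empty, or the bean
     * lookup throws. The result is cached in {@code d} for all later calls.
     */
    private static String getCheckLv() {
        if (OkConvertUtils.isNotEmpty(d)) {
            return d;
        }
        try {
            if (null == e) {
                e = (JmReportBaseConfig) JimuSpringContextUtils.getBean(JmReportBaseConfig.class);
            }
            Firewall firewall = e.getFirewall();
            if (firewall == null || OkConvertUtils.isEmpty(firewall.getSqlInjectionLevel())) {
                d = org.jeecg.modules.jmreport.common.constant.d.gp;
            } else {
                d = firewall.getSqlInjectionLevel();
            }
        } catch (Exception e2) {
            // Best effort: fall back to the default level, but do not hide why the config was unusable.
            c.warn("sql injection check level lookup failed, using default level", e2);
            d = org.jeecg.modules.jmreport.common.constant.d.gp;
        }
        return d;
    }

    static {
        i.add(org.jeecg.modules.jmreport.common.constant.c.t);
        i.add("+");
        i.add(l);
        j = new String[]{"chr\\s*\\(", "mid\\s*\\(", " char\\s*\\(", "sleep\\s*\\(", "user\\s*\\(", "show\\s+tables", "user[\\s]*\\([\\s]*\\)", "show\\s+databases", "sleep\\(\\d*\\)", "sleep\\(.*\\)"};
        jCompiled = new Pattern[j.length];
        for (int i2 = 0; i2 < j.length; i2++) {
            jCompiled[i2] = Pattern.compile(j[i2]);
        }
        k = Pattern.compile("/\\*[\\s\\S]*\\*/");
        a = new HashMap<>();
        a.put(org.jeecg.modules.jmreport.common.constant.d.fu, org.jeecg.modules.jmreport.common.constant.d.ck);
        a.put("jimu_report_category", org.jeecg.modules.jmreport.common.constant.d.ck);
        a.put(org.jeecg.modules.jmreport.common.constant.d.fy, org.jeecg.modules.jmreport.common.constant.d.ck);
        a.put("jimu_report_db", org.jeecg.modules.jmreport.common.constant.d.ck);
        a.put("jimu_report_db_field", org.jeecg.modules.jmreport.common.constant.d.ck);
        a.put(org.jeecg.modules.jmreport.common.constant.d.fx, org.jeecg.modules.jmreport.common.constant.d.ck);
        a.put("jimu_report_export_log", org.jeecg.modules.jmreport.common.constant.d.ck);
        a.put(org.jeecg.modules.jmreport.common.constant.d.fB, org.jeecg.modules.jmreport.common.constant.d.ck);
        a.put("jimu_report_map", org.jeecg.modules.jmreport.common.constant.d.ck);
        a.put("jimu_report_share", org.jeecg.modules.jmreport.common.constant.d.ck);
        p = Pattern.compile("^[a-zA-Z][a-zA-Z0-9_]{0,63}$");
        b = Pattern.compile("^[a-zA-Z0-9_]+$");
    }
}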
