package com.zeekrlife.auth.data.permission.util;

import cn.hutool.crypto.SecureUtil;
import com.zeekrlife.auth.data.permission.constant.SymbolConstant;
import com.zeekrlife.auth.data.permission.exception.AuthCenterSqlInjectionException;
import com.zeekrlife.auth.data.permission.exception.DataPermissionException;
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.ObjectUtils;

/* loaded from: input_file:com/zeekrlife/auth/data/permission/util/SqlInjectionUtil.class */
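/**
 * Blacklist-style validators for identifiers and free-text values that are later placed into
 * dynamically built SQL. Every check works on the lower-cased value and rejects it by throwing
 * {@link AuthCenterSqlInjectionException}; nothing here escapes or rewrites input.
 *
 * <p>The keyword lists are plain substring matches (no word boundaries), so e.g. {@code "and "}
 * also hits {@code "brand "}. Treat this class as defence in depth behind parameterised SQL,
 * not as the only barrier.
 */
public class SqlInjectionUtil {
    /** Fixed salt mixed into the dictionary-table request signature, see {@link #checkDictTableSign}. */
    private static final String TABLE_DICT_SIGN_SALT = "20200501";
    /** Pipe-separated keyword blacklist used by every {@code filterContent} overload. */
    private static final String XSS_STR = "and |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";
    /** Whole-value pattern for a bare {@code user()} call (optional whitespace inside). */
    private static final String REGULAR_EXPRE_USER = "user[\\s]*\\([\\s]*\\)";
    /** Whole-value pattern for {@code show tables}. */
    private static final String SHOW_TABLES = "show\\s+tables";
    private static final Logger log = LoggerFactory.getLogger(SqlInjectionUtil.class);
    /** Allowed shape of a column name: ASCII letters, digits and underscore only. */
    static final Pattern fieldPattern = Pattern.compile("^[a-zA-Z0-9_]+$");
    /** {@code sleep(...)} anywhere in the value, case-insensitively. */
    private static final Pattern FUN_SLEEP = Pattern.compile("sleep\\(.*\\)", Pattern.CASE_INSENSITIVE);
    /**
     * A closed C-style block comment anywhere in the value. An unterminated opening sequence is
     * not matched by this pattern, and {@code --} / {@code #} line comments are not checked here.
     */
    private static final Pattern SQL_ANNOTATION = Pattern.compile("/\\*[\\s\\S]*\\*/");
    /** Allowed shape of a table name: a leading letter, then up to 63 letters, digits or underscores. */
    private static final Pattern tableNamePattern = Pattern.compile("^[a-zA-Z][a-zA-Z0-9_]{0,63}$");

    // Compiled once; Pattern.matches(regex, input) recompiles the regex on every call.
    private static final Pattern SHOW_TABLES_PATTERN = Pattern.compile(SHOW_TABLES);
    private static final Pattern USER_FUNCTION_PATTERN = Pattern.compile(REGULAR_EXPRE_USER);

    // Keyword lists are split once at class-load time and never mutated.
    private static final String[] XSS_KEYWORDS = XSS_STR.split("\\|");
    /** Keywords for dictionary SQL; space-padded on both sides and also matched as a value prefix. */
    private static final String[] DICT_SQL_KEYWORDS = " exec |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract| insert | select | delete | update | drop | count | chr | mid | master | truncate | char | declare |;|+|user()".split("\\|");
    /** Keywords for online reports; a narrower list than {@link #DICT_SQL_KEYWORDS} (no select/count/;/+). */
    private static final String[] ONLINE_REPORT_KEYWORDS = " exec |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract| insert | delete | update | drop | chr | mid | master | truncate | char | declare |user()".split("\\|");

    /**
     * Verifies the caller-supplied signature of a dictionary-table request. The expected value is
     * {@code md5(dictCode + TABLE_DICT_SIGN_SALT + X-Access-Token header)} as produced by
     * {@link SecureUtil#md5(String)}.
     *
     * @param dictCode dictionary code covered by the signature
     * @param sign     signature supplied by the caller; {@code null} never matches
     * @param request  request whose {@code X-Access-Token} header is part of the signed input
     * @throws DataPermissionException if the signature does not match
     */
    private static void checkDictTableSign(String dictCode, String sign, HttpServletRequest request) {
        String expected = SecureUtil.md5(dictCode + TABLE_DICT_SIGN_SALT + request.getHeader("X-Access-Token"));
        // Constant-time comparison: String.equals stops at the first differing byte, which leaks
        // the mismatch position through timing.
        boolean valid = sign != null
                && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), sign.getBytes(StandardCharsets.UTF_8));
        if (valid) {
            log.info(" 表字典，SQL注入漏洞签名校验成功！sign=" + sign + ",dictCode=" + dictCode);
        } else {
            // NOTE(review): the expected digest is written to the log on failure; keep log access restricted.
            log.error("表字典，SQL注入漏洞签名校验失败 ：" + sign + "!=" + expected + ",dictCode=" + dictCode);
            throw new DataPermissionException("无权限访问！");
        }
    }

    /**
     * Validates a table name and returns it trimmed for use in SQL.
     *
     * @param tableName candidate table name; must match {@link #tableNamePattern} after trimming
     * @return the trimmed, validated table name
     * @throws NullPointerException           if {@code tableName} is {@code null}
     * @throws AuthCenterSqlInjectionException if the name is not a plain identifier or hits the keyword checks
     */
    public static String getSqlInjectTableName(String tableName) {
        String trimmed = Objects.requireNonNull(tableName, "tableName").trim();
        if (tableNamePattern.matcher(trimmed).matches()) {
            filterContent(trimmed);
            return trimmed;
        }
        String message = "表名不合法，存在SQL注入风险!--->" + trimmed;
        log.error(message);
        throw new AuthCenterSqlInjectionException(message);
    }

    /**
     * Validates a column name, or a comma-separated list of column names, for use in SQL.
     *
     * @param field column name(s); each name must match {@link #fieldPattern} after trimming
     * @return {@code null} when {@code field} is {@code null} or empty, the trimmed name for a single
     *         column, or — for a list — the parts re-joined with {@link SymbolConstant#COMMA} exactly as
     *         they were split (parts are only trimmed for validation, not in the result)
     * @throws AuthCenterSqlInjectionException if any name is not a plain identifier or hits the keyword checks
     */
    public static String getSqlInjectField(String field) {
        // Absent input is "no column", not an injection attempt; it must not skip validation of
        // non-empty input.
        if (ObjectUtils.isEmpty(field)) {
            return null;
        }
        String trimmed = field.trim();
        if (trimmed.contains(SymbolConstant.COMMA)) {
            // Validate each part on its own; the varargs overload joins them back.
            return getSqlInjectField(trimmed.split(SymbolConstant.COMMA));
        }
        if (fieldPattern.matcher(trimmed).matches()) {
            filterContent(trimmed);
            return trimmed;
        }
        String message = "字段不合法，存在SQL注入风险!--->" + trimmed;
        log.error(message);
        throw new AuthCenterSqlInjectionException(message);
    }

    /**
     * Validates every column name and returns them joined with {@link SymbolConstant#COMMA}.
     *
     * @param fields column names; empty entries are accepted as absent but are still joined verbatim
     * @return the joined list, or {@code null} if {@code fields} is {@code null}
     * @throws AuthCenterSqlInjectionException if any entry fails {@link #getSqlInjectField(String)}
     */
    public static String getSqlInjectField(String... fields) {
        if (fields == null) {
            return null;
        }
        for (String field : fields) {
            getSqlInjectField(field);
        }
        return String.join(SymbolConstant.COMMA, fields);
    }

    /**
     * Rejects {@code value} if it contains a blacklisted keyword, a block comment or a
     * {@code sleep(...)} call, or if the whole value is {@code show tables} / {@code user()}.
     *
     * <p>Overload note: a call with exactly two {@code String} arguments resolves here, so the second
     * argument is read as extra keywords, not as a second value; use {@link #filterContent(String[], String)}
     * to check several values.
     *
     * @param value         value to check; {@code null} or empty is accepted as-is
     * @param extraKeywords optional pipe-separated keywords checked in addition to the built-in list; may be {@code null}
     * @throws AuthCenterSqlInjectionException if any check fails
     */
    public static void filterContent(String value, String extraKeywords) {
        if (value == null || value.isEmpty()) {
            return;
        }
        filterSingleValue(value, splitExtraKeywords(extraKeywords));
    }

    /**
     * Checks each value with the built-in keyword list only.
     *
     * @param values values to check; {@code null} or empty entries are skipped
     * @throws AuthCenterSqlInjectionException if any entry fails a check
     */
    public static void filterContent(String... values) {
        filterContent(values, (String) null);
    }

    /**
     * Checks each value with the built-in keyword list plus optional extra keywords.
     *
     * @param values        values to check; a {@code null} array is accepted as-is
     * @param extraKeywords optional pipe-separated keywords applied to every value; may be {@code null}
     * @throws AuthCenterSqlInjectionException if any entry fails a check
     */
    public static void filterContent(String[] values, String extraKeywords) {
        if (values == null) {
            return;
        }
        String[] extra = splitExtraKeywords(extraKeywords);
        for (String value : values) {
            // Skip blank entries rather than stopping at them, so later entries are still checked.
            if (value == null || value.isEmpty()) {
                continue;
            }
            filterSingleValue(value, extra);
        }
    }

    /**
     * Rejects a dictionary-SQL fragment that contains one of {@link #DICT_SQL_KEYWORDS} (or starts with
     * its trimmed form), a block comment, a {@code sleep(...)} call, or is exactly {@code show tables} / {@code user()}.
     *
     * @param value SQL fragment to check; {@code null} or empty is accepted as-is
     * @throws AuthCenterSqlInjectionException if any check fails
     */
    public static void specialFilterContentForDictSql(String value) {
        if (value == null || value.isEmpty()) {
            return;
        }
        checkSqlAnnotation(value);
        String lowerCase = value.toLowerCase(Locale.ROOT);
        rejectIfContainsKeyword(lowerCase, DICT_SQL_KEYWORDS, true);
        rejectIfWholeValueMatches(lowerCase);
    }

    /**
     * Same as {@link #specialFilterContentForDictSql(String)} but with the narrower
     * {@link #ONLINE_REPORT_KEYWORDS} list.
     *
     * @param value SQL fragment to check; {@code null} or empty is accepted as-is
     * @throws AuthCenterSqlInjectionException if any check fails
     */
    public static void specialFilterContentForOnlineReport(String value) {
        if (value == null || value.isEmpty()) {
            return;
        }
        checkSqlAnnotation(value);
        String lowerCase = value.toLowerCase(Locale.ROOT);
        rejectIfContainsKeyword(lowerCase, ONLINE_REPORT_KEYWORDS, true);
        rejectIfWholeValueMatches(lowerCase);
    }

    /**
     * Tells whether {@code column} names a declared field of {@code cls}, comparing case-insensitively
     * against both the Java field name and its underscore form.
     *
     * @param column column or property name; {@code null} matches nothing
     * @param cls    class whose declared fields (not inherited ones) are inspected
     * @return {@code true} if some declared field matches
     */
    public static boolean isClassField(String column, Class<?> cls) {
        return matchesAnyField(cls.getDeclaredFields(), column);
    }

    /**
     * Tells whether every name in {@code columns} is a declared field of {@code cls}
     * (see {@link #isClassField(String, Class)}). An empty set yields {@code true}.
     *
     * @param columns names to check
     * @param cls     class whose declared fields are inspected
     * @return {@code true} if all names match
     */
    public static boolean isClassField(Set<String> columns, Class<?> cls) {
        Field[] declaredFields = cls.getDeclaredFields();
        for (String column : columns) {
            if (!matchesAnyField(declaredFields, column)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Rejects a value that contains a closed block comment or a {@code sleep(...)} call.
     *
     * @param value value to check; {@code null} is accepted as-is
     * @throws AuthCenterSqlInjectionException if either pattern is found
     */
    public static void checkSqlAnnotation(String value) {
        if (value == null) {
            return;
        }
        if (SQL_ANNOTATION.matcher(value).find()) {
            log.error("请注意，值可能存在SQL注入风险---> \\*.*\\");
            throw new AuthCenterSqlInjectionException("请注意，值可能存在SQL注入风险---> \\*.*\\");
        }
        if (FUN_SLEEP.matcher(value).find()) {
            log.error("请注意，值可能存在SQL注入风险---> sleep");
            throw new AuthCenterSqlInjectionException("请注意，值可能存在SQL注入风险---> sleep");
        }
    }

    /** Runs the comment/sleep check, the built-in and extra keyword lists, and the whole-value patterns on one value. */
    private static void filterSingleValue(String value, String[] extraKeywords) {
        checkSqlAnnotation(value);
        // Locale.ROOT: with a Turkish default locale "INSERT".toLowerCase() yields a dotless i and
        // would slip past the "insert " keyword.
        String lowerCase = value.toLowerCase(Locale.ROOT);
        rejectIfContainsKeyword(lowerCase, XSS_KEYWORDS, false);
        if (extraKeywords != null) {
            rejectIfContainsKeyword(lowerCase, extraKeywords, false);
        }
        rejectIfWholeValueMatches(lowerCase);
    }

    /** Splits a pipe-separated keyword list; {@code null} stays {@code null} (an empty string yields one empty keyword, which matches everything). */
    private static String[] splitExtraKeywords(String extraKeywords) {
        return extraKeywords == null ? null : extraKeywords.split("\\|");
    }

    /**
     * Throws if {@code lowerCase} contains any keyword; with {@code alsoMatchPrefix} a value that starts
     * with the keyword's trimmed form is rejected too.
     */
    private static void rejectIfContainsKeyword(String lowerCase, String[] keywords, boolean alsoMatchPrefix) {
        for (String keyword : keywords) {
            if (lowerCase.contains(keyword) || (alsoMatchPrefix && lowerCase.startsWith(keyword.trim()))) {
                log.error("请注意，存在SQL注入关键词---> {}", keyword);
                log.error("请注意，值可能存在SQL注入风险!---> {}", lowerCase);
                throw new AuthCenterSqlInjectionException("请注意，值可能存在SQL注入风险!--->" + lowerCase);
            }
        }
    }

    /**
     * Throws if the entire value is {@code show tables} or {@code user()}. These are anchored whole-value
     * matches: a value that merely contains either phrase passes this check.
     */
    private static void rejectIfWholeValueMatches(String lowerCase) {
        if (SHOW_TABLES_PATTERN.matcher(lowerCase).matches() || USER_FUNCTION_PATTERN.matcher(lowerCase).matches()) {
            throw new AuthCenterSqlInjectionException("请注意，值可能存在SQL注入风险!--->" + lowerCase);
        }
    }

    /** Case-insensitive match of {@code column} against a field's name or its underscore form (presumably pure; see oConvertUtils). */
    private static boolean matchesAnyField(Field[] fields, String column) {
        for (Field field : fields) {
            String name = field.getName();
            String underscored = oConvertUtils.camelToUnderline(name);
            if (name.equalsIgnoreCase(column) || underscored.equalsIgnoreCase(column)) {
                return true;
            }
        }
        return false;
    }
}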
