package org.broadleafcommerce.common.security.service;

import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.broadleafcommerce.common.exception.ServiceException;
import org.broadleafcommerce.common.security.RandomGenerator;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.springframework.stereotype.Service;
import org.springframework.web.context.request.RequestContextHolder;

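/**
 * Default {@link ExploitProtectionService}: AntiSamy-based HTML sanitisation
 * (XSS protection) plus a per-session synchroniser token (XSRF/CSRF
 * protection).
 *
 * <p>XSS: {@link #cleanString(String)} and {@link #cleanStringWithResults(String)}
 * run the input through an {@link AntiSamy} {@link Policy} loaded from
 * {@link #antiSamyPolicyFileLocation} (a {@code classpath:} URL resolved by
 * the nested {@link Handler}).
 *
 * <p>XSRF: {@link #getCSRFToken()} lazily creates a random token and stores it
 * in the current {@link HttpSession} under {@value #CSRFTOKEN};
 * {@link #compareToken(String)} checks a caller-supplied value against it in
 * constant time.
 *
 * <p>Both protections can be switched off via the {@code xsrfProtectionEnabled}
 * / {@code xssProtectionEnabled} flags; when disabled the corresponding
 * methods become no-ops that pass input through unchanged.
 *
 * <p>Thread-safety: {@link #setAntiSamyPolicyFileLocation(String)} replaces the
 * policy without synchronisation; it is intended for bean configuration, not
 * for concurrent reconfiguration at runtime.
 */
@Service("blExploitProtectionService")
public class ExploitProtectionServiceImpl implements ExploitProtectionService {
    /** Session attribute under which the XSRF token is stored. */
    private static final String CSRFTOKEN = "csrfToken";
    /** Request parameter name under which clients submit the XSRF token. */
    private static final String CSRFTOKENPARAMETER = "csrfToken";
    private static final Log LOG = LogFactory.getLog(ExploitProtectionServiceImpl.class);
    /** AntiSamy policy used unless {@link #setAntiSamyPolicyFileLocation(String)} overrides it. */
    private static final String DEFAULTANTISAMYPOLICYFILELOCATION = "classpath:antisamy-myspace-1.4.4.xml";
    protected String antiSamyPolicyFileLocation = DEFAULTANTISAMYPOLICYFILELOCATION;
    // Field initialisers run in declaration order, so the location above is
    // already set when the policy is first loaded here.
    private Policy antiSamyPolicy = getAntiSamyPolicy(this.antiSamyPolicyFileLocation);
    private AntiSamy as = new AntiSamy();
    protected boolean xsrfProtectionEnabled = true;
    protected boolean xssProtectionEnabled = true;

    /**
     * {@link URLStreamHandler} that resolves a {@code classpath:} style URL by
     * looking the URL's path up as a resource on a {@link ClassLoader}.
     */
    public static class Handler extends URLStreamHandler {
        private final ClassLoader classLoader;

        /** Resolves resources against the class loader that loaded this class. */
        public Handler() {
            this.classLoader = getClass().getClassLoader();
        }

        /**
         * @param classLoader the loader used to resolve resource paths
         */
        public Handler(ClassLoader classLoader) {
            this.classLoader = classLoader;
        }

        /**
         * Opens a connection to the class-path resource named by
         * {@code url.getPath()}.
         *
         * @throws FileNotFoundException if the loader has no such resource
         *         (previously this surfaced as a {@link NullPointerException}
         *         from dereferencing the null lookup result)
         */
        @Override // java.net.URLStreamHandler
        protected URLConnection openConnection(URL url) throws IOException {
            String resourcePath = url.getPath();
            URL resource = this.classLoader.getResource(resourcePath);
            if (resource == null) {
                throw new FileNotFoundException("Classpath resource not found: " + resourcePath);
            }
            return resource.openConnection();
        }
    }

    /**
     * Loads an AntiSamy {@link Policy} from a {@code classpath:} URL.
     *
     * @param str the policy location, e.g. {@code classpath:antisamy-myspace-1.4.4.xml}
     * @return the parsed policy
     * @throws RuntimeException wrapping any failure to build the URL or parse
     *         the policy (a missing resource now arrives as a
     *         {@link FileNotFoundException} cause rather than an NPE)
     */
    private static Policy getAntiSamyPolicy(String str) {
        try {
            URL policyUrl = new URL((URL) null, str, new Handler(ExploitProtectionServiceImpl.class.getClassLoader()));
            return Policy.getInstance(policyUrl);
        } catch (Exception e) {
            throw new RuntimeException("Unable to create URL", e);
        }
    }

    /**
     * Sanitises {@code str} with the configured AntiSamy policy and returns
     * the cleaned HTML, silently dropping anything the policy rejects.
     *
     * @param str untrusted (X)HTML; returned unchanged when null/empty or
     *        when XSS protection is disabled
     * @throws ServiceException if AntiSamy fails to scan the input
     */
    @Override // org.broadleafcommerce.common.security.service.ExploitProtectionService
    public String cleanString(String str) throws ServiceException {
        if (!this.xssProtectionEnabled || StringUtils.isEmpty(str)) {
            return str;
        }
        try {
            return this.as.scan(str, this.antiSamyPolicy).getCleanHTML();
        } catch (Exception e) {
            LOG.error("Unable to clean the passed in entity values", e);
            throw new ServiceException("Unable to clean the passed in entity values", e);
        }
    }

    /**
     * Like {@link #cleanString(String)}, but strict: if AntiSamy reports any
     * policy violations the input is rejected with a
     * {@link CleanStringException} carrying the {@link CleanResults} instead
     * of being silently cleaned.
     *
     * @param str untrusted (X)HTML; returned unchanged when null/empty or
     *        when XSS protection is disabled
     * @throws CleanStringException if the scan reported one or more errors
     * @throws ServiceException if AntiSamy fails to scan the input
     */
    @Override // org.broadleafcommerce.common.security.service.ExploitProtectionService
    public String cleanStringWithResults(String str) throws ServiceException {
        if (!this.xssProtectionEnabled || StringUtils.isEmpty(str)) {
            return str;
        }
        try {
            CleanResults scan = this.as.scan(str, this.antiSamyPolicy);
            if (scan.getNumberOfErrors() > 0) {
                throw new CleanStringException(scan);
            }
            return scan.getCleanHTML();
        } catch (CleanStringException e) {
            // Re-thrown untouched so callers can inspect the CleanResults.
            throw e;
        } catch (Exception e2) {
            LOG.error("Unable to clean the passed in entity values", e2);
            throw new ServiceException("Unable to clean the passed in entity values", e2);
        }
    }

    /**
     * Validates a caller-supplied XSRF token against the one held in the
     * current session. No-op when XSRF protection is disabled.
     *
     * <p>The comparison is constant-time: {@code String.equals} returns at the
     * first differing character, which leaks how many leading characters of
     * the session token the caller guessed right. A null submission is
     * treated as a mismatch rather than dereferenced.
     *
     * @param str the token submitted by the client (typically the
     *        {@link #getCsrfTokenParameter()} request parameter); may be null
     * @throws ServiceException on mismatch, or if no session token could be
     *         obtained. The message echoes the submitted value, so callers
     *         must not render it unescaped.
     */
    @Override // org.broadleafcommerce.common.security.service.ExploitProtectionService
    public void compareToken(String str) throws ServiceException {
        if (!this.xsrfProtectionEnabled) {
            return;
        }
        String expected = getCSRFToken();
        // MessageDigest.isEqual short-circuits only on a length difference;
        // for equal-length inputs it examines every byte.
        boolean matches = str != null
                && MessageDigest.isEqual(
                        expected.getBytes(StandardCharsets.UTF_8),
                        str.getBytes(StandardCharsets.UTF_8));
        if (!matches) {
            throw new ServiceException("XSRF token mismatch (" + str + "). Session may be expired.");
        }
        LOG.debug("Validated CSRF token");
    }

    /**
     * Returns the XSRF token for the current session, generating and storing
     * one under {@value #CSRFTOKEN} if the session does not yet have one.
     *
     * <p>The token comes from {@code RandomGenerator.generateRandomId("SHA1PRNG", 32)};
     * the algorithm name suggests a {@link java.security.SecureRandom}-backed
     * source, but that class is outside this file — verify it is not a
     * {@code java.util.Random} before relying on unpredictability.
     *
     * @return the session-bound token, never null
     * @throws ServiceException if called outside a request-bound thread (no
     *         request attributes available) or if the random generator is
     *         unavailable
     */
    @Override // org.broadleafcommerce.common.security.service.ExploitProtectionService
    public String getCSRFToken() throws ServiceException {
        if (RequestContextHolder.getRequestAttributes() == null) {
            // RequestContextHolder is thread-bound; outside a request this
            // used to fail with a bare NullPointerException.
            throw new ServiceException("Unable to obtain CSRF token: no request bound to the current thread");
        }
        HttpSession session = RequestContextHolder.getRequestAttributes().getRequest().getSession();
        String token = (String) session.getAttribute(CSRFTOKEN);
        if (StringUtils.isEmpty(token)) {
            try {
                token = RandomGenerator.generateRandomId("SHA1PRNG", 32);
                session.setAttribute(CSRFTOKEN, token);
            } catch (NoSuchAlgorithmException e) {
                LOG.error("Unable to generate random number", e);
                throw new ServiceException("Unable to generate random number", e);
            }
        }
        return token;
    }

    /** @return the location the current AntiSamy policy was loaded from */
    @Override // org.broadleafcommerce.common.security.service.ExploitProtectionService
    public String getAntiSamyPolicyFileLocation() {
        return this.antiSamyPolicyFileLocation;
    }

    /**
     * Switches to a different AntiSamy policy.
     *
     * <p>The policy is parsed before either field is updated, so a location
     * that fails to load leaves the previous location/policy pair intact
     * instead of recording the new location next to the old policy.
     *
     * @param str a {@code classpath:} URL of the policy file
     * @throws RuntimeException if the policy cannot be loaded
     */
    @Override // org.broadleafcommerce.common.security.service.ExploitProtectionService
    public void setAntiSamyPolicyFileLocation(String str) {
        Policy loaded = getAntiSamyPolicy(str);
        this.antiSamyPolicyFileLocation = str;
        this.antiSamyPolicy = loaded;
    }

    public boolean isXsrfProtectionEnabled() {
        return this.xsrfProtectionEnabled;
    }

    /** Disabling this turns {@link #compareToken(String)} into a no-op. */
    public void setXsrfProtectionEnabled(boolean z) {
        this.xsrfProtectionEnabled = z;
    }

    public boolean isXssProtectionEnabled() {
        return this.xssProtectionEnabled;
    }

    /** Disabling this makes the clean* methods return input unchanged. */
    public void setXssProtectionEnabled(boolean z) {
        this.xssProtectionEnabled = z;
    }

    /** @return the request parameter name clients submit the XSRF token in */
    @Override // org.broadleafcommerce.common.security.service.ExploitProtectionService
    public String getCsrfTokenParameter() {
        return CSRFTOKENPARAMETER;
    }
}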
