package palio.util;

import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
import org.antlr.runtime.ANTLRStringStream;
import palio.Current;
import palio.Instance;
import palio.Logger;
import palio.PalioServer;
import palio.pelements.PSession;
import palio.util.attack.detection.SqlAttackRule;
import palio.util.attack.detection.XssAttackRule;
import pl.com.torn.jpalio.stream.SystemErrorSilenceDispatcher;
import pl.com.torn.jpalio.stream.SystemOutputSilenceDispatcher;
import torn.omea.utils.JavaUtils;

/* loaded from: input_file:palio/util/AttackDetection.class */
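/**
 * Heuristic detection of SQL-injection and XSS patterns in request parameter values.
 *
 * <p>Detection itself is delegated to the ANTLR lexers {@link SqlAttackRule} and
 * {@link XssAttackRule}: the value is fed to the lexer and the type of the first token
 * decides. A hit is reported on the user-message channel of the owning {@link Instance}
 * (or the server-wide one) and written in full to the {@code attacks} logger. Callers
 * only receive a boolean and remain responsible for rejecting the value.
 *
 * <p>The class holds no per-instance state; {@link #getInstance()} exists for API
 * compatibility only. Lexer failures are treated as "no attack" (fail-open) and logged.
 */
public final class AttackDetection {
    /** Created eagerly: the constructor has no side effects, and this removes the unsynchronized lazy-init race. */
    private static final AttackDetection INSTANCE = new AttackDetection();
    private static final SystemErrorSilenceDispatcher SESAD = new SystemErrorSilenceDispatcher();
    private static final SystemOutputSilenceDispatcher SOSAD = new SystemOutputSilenceDispatcher();
    /**
     * Token type both lexers emit when an attack rule matched. The symbolic constant lives in
     * the generated lexers and is not visible here — TODO confirm against SqlAttackRule/XssAttackRule.
     */
    private static final int ATTACK_TOKEN_TYPE = 4;
    /** Name of the dedicated logger that receives the complete attack record. */
    private static final String ATTACK_LOGGER_NAME = "attacks";

    private AttackDetection() {
    }

    /**
     * Returns the shared (stateless) instance.
     *
     * @return the singleton; never {@code null}
     */
    public static AttackDetection getInstance() {
        return INSTANCE;
    }

    /**
     * Runs {@link #detectSqlInjectionPattern(String)} with System.err/System.out silenced so
     * that the lexer's own recognition-error output does not reach the console.
     *
     * <p>NOTE(review): the silence/verbose toggle is process-global state shared by every
     * caller; whether concurrent requests can un-silence each other depends on the dispatcher
     * implementation — confirm it is counting/reentrant.
     *
     * @param value parameter value under test; must not be {@code null}
     * @return {@code true} if the SQL lexer flagged the value
     */
    private static boolean detectSqlInjectionPatternWithoutErrorInfo(String value) {
        SESAD.makeSilent();
        SOSAD.makeSilent();
        try {
            return detectSqlInjectionPattern(value);
        } finally {
            // Restored on every exit path, including unchecked exceptions from the lexer.
            SESAD.makeVerbose();
            SOSAD.makeVerbose();
        }
    }

    /**
     * Feeds the lower-cased value to the SQL attack lexer and checks the first token.
     *
     * @param value parameter value under test; must not be {@code null}
     * @return {@code true} if the first token has {@link #ATTACK_TOKEN_TYPE}; {@code false} on a
     *         lexer {@link RuntimeException} (fail-open, logged as a warning)
     */
    private static boolean detectSqlInjectionPattern(String value) {
        try {
            SqlAttackRule rule = new SqlAttackRule();
            // Locale.ROOT: with the platform default locale (e.g. Turkish) "I" folds to a
            // dotless i, so keywords in the value would no longer match the grammar and the
            // check could be bypassed simply by the server's locale setting.
            rule.setCharStream(new ANTLRStringStream(value.toLowerCase(Locale.ROOT)));
            return rule.nextToken().getType() == ATTACK_TOKEN_TYPE;
        } catch (RuntimeException e) {
            // Deliberately fail-open: a lexer crash must not break the request. The value is
            // attacker-controlled and is echoed into the general log here; log viewers should
            // treat it as untrusted text.
            Logger.warn("Exception during detection of SQL injection for " + value, e);
            return false;
        }
    }

    /**
     * Detects an SQL-injection pattern in a parameter value and, on a hit, logs it with the
     * context taken from {@code current}.
     *
     * <p>The getters of {@code current} are only invoked once an attack has been detected,
     * so a negative result has no side effects on the request context.
     *
     * @param str     parameter value; empty or {@code null} never counts as an attack
     * @param str2    the query the value was destined for (logged for context; may be {@code null})
     * @param current request context, or {@code null} when unavailable
     * @return {@code true} if the value was flagged
     */
    public static boolean detectSqlInjection(String str, String str2, Current current) {
        if (!isSqlInjection(str)) {
            return false;
        }
        if (current == null) {
            logSqlAttack(str, str2, null, null, null, null);
        } else {
            logSqlAttack(str, str2, current.getPageCode(), current.getInstance(), current.getRequest(), current.getSession());
        }
        return true;
    }

    /**
     * Detects an SQL-injection pattern in a parameter value and, on a hit, logs it with the
     * explicitly supplied context. Every context argument may be {@code null}.
     *
     * @param str                parameter value; empty or {@code null} never counts as an attack
     * @param str2               the query the value was destined for (logged for context)
     * @param obj                page code (logged via {@code toString()})
     * @param instance2          owning instance; selects the user-message channel and logger
     * @param httpServletRequest request; only the remote address is logged
     * @param pSession           session; user name and id are logged
     * @return {@code true} if the value was flagged
     */
    public static boolean detectSqlInjection(String str, String str2, Object obj, Instance instance2, HttpServletRequest httpServletRequest, PSession pSession) {
        if (!isSqlInjection(str)) {
            return false;
        }
        logSqlAttack(str, str2, obj, instance2, httpServletRequest, pSession);
        return true;
    }

    /** Shared guard for both SQL overloads: empty values are never attacks. */
    private static boolean isSqlInjection(String str) {
        return !JavaUtils.isEmpty(str) && detectSqlInjectionPatternWithoutErrorInfo(str);
    }

    /**
     * Feeds the value (case preserved) to the XSS attack lexer and checks the first token.
     *
     * <p>NOTE(review): unlike the SQL path this does not silence System.err/out around the
     * lexer, so recognition errors may reach the console — confirm whether that is intended.
     *
     * @param value parameter value under test; must not be {@code null}
     * @return {@code true} if the first token has {@link #ATTACK_TOKEN_TYPE}; {@code false} on a
     *         lexer {@link RuntimeException} (fail-open, logged as a warning)
     */
    private static boolean detectXssInjectionPattern(String value) {
        try {
            XssAttackRule rule = new XssAttackRule();
            rule.setCharStream(new ANTLRStringStream(value));
            return rule.nextToken().getType() == ATTACK_TOKEN_TYPE;
        } catch (RuntimeException e) {
            // Deliberately fail-open; the raw value is intentionally not echoed here.
            Logger.warn("Exception during detection of XSS injection", e);
            return false;
        }
    }

    /**
     * Detects an XSS pattern in a parameter value and, on a hit, logs it with the context
     * taken from {@code current}. Getters of {@code current} run only after a hit.
     *
     * @param str     parameter value; empty or {@code null} never counts as an attack
     * @param str2    parameter name (logged for context; may be {@code null})
     * @param current request context, or {@code null} when unavailable
     * @return {@code true} if the value was flagged
     */
    public static boolean detectXssInjection(String str, String str2, Current current) {
        if (!isXssInjection(str)) {
            return false;
        }
        if (current == null) {
            logXssAttack(str, str2, null, null, null, null);
        } else {
            logXssAttack(str, str2, current.getPageCode(), current.getInstance(), current.getRequest(), current.getSession());
        }
        return true;
    }

    /**
     * Detects an XSS pattern in a parameter value and, on a hit, logs it with the explicitly
     * supplied context. Every context argument may be {@code null}.
     *
     * @param str                parameter value; empty or {@code null} never counts as an attack
     * @param str2               parameter name (logged for context)
     * @param obj                page code (logged via {@code toString()})
     * @param instance2          owning instance; selects the user-message channel and logger
     * @param httpServletRequest request; only the remote address is logged
     * @param pSession           session; user name and id are logged
     * @return {@code true} if the value was flagged
     */
    public static boolean detectXssInjection(String str, String str2, Object obj, Instance instance2, HttpServletRequest httpServletRequest, PSession pSession) {
        if (!isXssInjection(str)) {
            return false;
        }
        logXssAttack(str, str2, obj, instance2, httpServletRequest, pSession);
        return true;
    }

    /** Shared guard for both XSS overloads: empty values are never attacks. */
    private static boolean isXssInjection(String str) {
        return !JavaUtils.isEmpty(str) && detectXssInjectionPattern(str);
    }

    /**
     * Reports a detected SQL injection: a short notice on the user-message channel and the
     * full record (including the raw, attacker-controlled value) in the attacks log.
     */
    private static void logSqlAttack(String str, String str2, Object obj, Instance instance2, HttpServletRequest httpServletRequest, PSession pSession) {
        warnUser("Detected possible SQL injection attack. See attacks.log for further details.", instance2);
        StringBuilder record = new StringBuilder(256);
        record.append("Possible SQL injection: ");
        append(record, false, "parameter", str);
        append(record, true, "page", obj != null ? obj.toString() : null);
        append(record, true, "ip", httpServletRequest != null ? httpServletRequest.getRemoteAddr() : null);
        append(record, true, "user", pSession != null ? pSession.getUserName() : null);
        // String.valueOf tolerates a null session id where the earlier toString() call would throw.
        append(record, true, "session", pSession != null ? String.valueOf(pSession.getID()) : null);
        append(record, true, "query", str2);
        Logger.getLogger(instance2, ATTACK_LOGGER_NAME).warn(record.toString());
    }

    /**
     * Reports a detected XSS injection: a short notice on the user-message channel and the
     * full record (including the raw, attacker-controlled value) in the attacks log.
     */
    private static void logXssAttack(String str, String str2, Object obj, Instance instance2, HttpServletRequest httpServletRequest, PSession pSession) {
        warnUser("Detected possible XSS injection attack. See attacks.log for further details.", instance2);
        StringBuilder record = new StringBuilder(256);
        record.append("Possible XSS injection: ");
        append(record, false, "parameterValue", str);
        append(record, true, "parameterName", str2);
        append(record, true, "page", obj != null ? obj.toString() : null);
        append(record, true, "ip", httpServletRequest != null ? httpServletRequest.getRemoteAddr() : null);
        append(record, true, "user", pSession != null ? pSession.getUserName() : null);
        // String.valueOf tolerates a null session id where the earlier toString() call would throw.
        append(record, true, "session", pSession != null ? String.valueOf(pSession.getID()) : null);
        Logger.getLogger(instance2, ATTACK_LOGGER_NAME).warn(record.toString());
    }

    /**
     * Routes the short user-facing notice to the instance's message channel, or to the
     * server-wide one when no instance is known.
     *
     * <p>Assumes {@code Instance.userInformation} has an entry for every live instance name
     * — TODO confirm, otherwise {@code get(...)} yields {@code null} here.
     */
    private static void warnUser(String message, Instance instance2) {
        if (instance2 != null) {
            Instance.userInformation.get(instance2.getName()).addWarning(message);
        } else {
            PalioServer.userMessages.addWarning(message);
        }
    }

    /**
     * Appends {@code name = (value)} to the record, skipping empty values.
     *
     * @param sb        target buffer
     * @param separator whether to prefix with {@code ", "}
     * @param name      field label
     * @param value     field value; empty or {@code null} appends nothing
     */
    private static void append(StringBuilder sb, boolean separator, String name, String value) {
        if (JavaUtils.isEmpty(value)) {
            return;
        }
        if (separator) {
            sb.append(", ");
        }
        sb.append(name).append(" = (").append(value).append(")");
    }

    /** Manual smoke test: prints the verdict for a few sample inputs. */
    public static void main(String[] strArr) {
        testSQL("user", "user' or 1=1 union select * from users where username like '%'; drop table P_OBJECTS");
        testSQL("user' and 1=1 union select * from users where username like '%'; drop table P_OBJECTS");
        testSQL("user' union select * from users where username like '%'; drop table P_OBJECTS");
        testSQL("' or");
        testXSS("user", "user<b>bzzz</b>");
    }

    /** Prints the SQL verdict for each sample value (no request context). */
    private static void testSQL(String... samples) {
        for (String sample : samples) {
            String verdict = detectSqlInjection(sample, "select * from users", null) ? "Possible attack detected !!!" : "No attack";
            System.out.println("Detection of SQL injection for input: " + sample + " (" + verdict + ")");
        }
    }

    /** Prints the XSS verdict for each sample value (no request context). */
    private static void testXSS(String... samples) {
        for (String sample : samples) {
            String verdict = detectXssInjection(sample, null, null) ? "Possible attack detected !!!" : "No attack";
            System.out.println("Detection of XSS injection for input: " + sample + " (" + verdict + ")");
        }
    }
}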
