package com.eviware.soapui.security.scan;

import com.eviware.soapui.SoapUI;
import com.eviware.soapui.config.CrossSiteScriptingScanConfig;
import com.eviware.soapui.config.SecurityScanConfig;
import com.eviware.soapui.impl.wsdl.teststeps.RestRequestStepResult;
import com.eviware.soapui.impl.wsdl.teststeps.RestTestRequestStep;
import com.eviware.soapui.impl.wsdl.teststeps.WsdlTestRequestStepResult;
import com.eviware.soapui.model.ModelItem;
import com.eviware.soapui.model.iface.MessageExchange;
import com.eviware.soapui.model.security.ScanRequestReportData;
import com.eviware.soapui.model.testsuite.TestCaseRunner;
import com.eviware.soapui.model.testsuite.TestStep;
import com.eviware.soapui.security.SecurityTestRunContext;
import com.eviware.soapui.security.SecurityTestRunner;
import com.eviware.soapui.security.assertion.CrossSiteScriptAssertion;
import com.eviware.soapui.security.result.SecurityScanRequestResult;
import com.eviware.soapui.support.StringUtils;
import com.eviware.soapui.support.UISupport;
import com.eviware.soapui.support.types.StringToStringMap;
import com.eviware.x.form.support.ADialogBuilder;
import com.eviware.x.form.support.AField;
import com.eviware.x.form.support.AForm;
import com.eviware.x.impl.swing.JFormDialog;
import com.eviware.x.impl.swing.JStringListFormField;
import java.awt.Dimension;
import java.beans.PropertyChangeEvent;
import java.beans.PropertyChangeListener;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.swing.JComponent;
import javax.swing.JLabel;
import javax.swing.JPanel;
import org.apache.xmlbeans.XmlException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/eviware/soapui/security/scan/CrossSiteScriptingScan.class */
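/**
 * Security scan that probes a test step for reflected cross-site scripting (CWE-79).
 *
 * <p>For every parameter of the step it substitutes each configured XSS payload in turn
 * (via {@link ParameterValueInjector}), runs the step, and hands the resulting message
 * exchange to the base class so that the {@link CrossSiteScriptAssertion} added in
 * {@link #initializeScan(TestStep)} can check whether the payload is echoed back.
 *
 * <p>The payload list lives in the scan's {@link CrossSiteScriptingScanConfig}; a default
 * list is seeded from the bundled {@code XSS-vectors.txt} resource the first time a scan is
 * created without a config, and can be edited in the "Advanced Settings" panel.
 *
 * <p>Note: this is a reconstruction of decompiled code. Behaviour that the decompiler
 * mangled (catch ordering, try-with-resources) has been restored; other semantics are
 * preserved as found.
 */
public class CrossSiteScriptingScan extends AbstractSecurityScanWithProperties {
    private static final Logger log = LoggerFactory.getLogger(CrossSiteScriptingScan.class);
    public static final String TYPE = "CrossSiteScriptingScan";
    public static final String NAME = "Cross Site Scripting";
    /** Context key under which the active config is exposed while payloads remain. */
    public static final String PARAMETER_EXPOSURE_SCAN_CONFIG = "CrossSiteScriptingScanConfig";
    /** Context key for the runner executing the scan (see {@link #sendToContext}). */
    public static final String TEST_CASE_RUNNER = "testCaseRunner";
    /** Context key for the step under test (see {@link #sendToContext}). */
    public static final String TEST_STEP = "testStep";
    private static final String CWE_ID = "CWE-79";
    /** Classpath location of the bundled default payload list, one payload per line. */
    private static final String XSS_VECTORS_RESOURCE = "/com/eviware/soapui/resources/security/XSS-vectors.txt";

    private CrossSiteScriptingScanConfig cssConfig;
    /** Payloads read from {@link #XSS_VECTORS_RESOURCE}; only populated by {@link #initConfig()}. */
    private final List<String> defaultParameterExposureStrings;
    private JFormDialog dialog;
    private ParameterValueInjector parameterValueInjector;

    /** Form definition backing the "Advanced Settings" panel: a single editable string list of payloads. */
    @AForm(description = CrossSiteScriptingScan.NAME, name = CrossSiteScriptingScan.NAME)
    protected interface AdvancedSettings {

        @AField(description = "Cross Site Scripting Vectors", name = PARAMETER_EXPOSURE_STRINGS, type = AField.AFieldType.STRINGLIST)
        public static final String PARAMETER_EXPOSURE_STRINGS = "###Cross Site Scripting";
    }

    /**
     * Creates the scan for {@code testStep}.
     *
     * <p>If {@code securityScanConfig} does not yet carry a {@link CrossSiteScriptingScanConfig},
     * one is created and seeded with the bundled default payloads; otherwise the existing
     * config (and its payload list) is reused as-is.
     */
    public CrossSiteScriptingScan(TestStep testStep, SecurityScanConfig securityScanConfig, ModelItem modelItem, String str) {
        super(testStep, securityScanConfig, modelItem, str);
        this.defaultParameterExposureStrings = new ArrayList<>();
        // instanceof is false for null, so a separate null check is unnecessary.
        if (securityScanConfig.getConfig() instanceof CrossSiteScriptingScanConfig) {
            this.cssConfig = (CrossSiteScriptingScanConfig) ((SecurityScanConfig) getConfig()).getConfig();
        } else {
            initConfig();
        }
        // The injector is handed a live view of the config's payload list plus the configured
        // execution strategy; it decides which parameter/payload pair is sent on each iteration.
        this.parameterValueInjector = new ParameterValueInjector(
                getParameterHolder().getParameterList(),
                this.cssConfig.getParameterExposureStringsList(),
                getExecutionStrategy().getStrategy());
    }

    @Override // com.eviware.soapui.model.security.SecurityScan
    public String getScanTypeDescription() {
        return "Tries to find cross-site scripting vulnerabilities.";
    }

    /**
     * Loads the bundled default payload list into {@link #defaultParameterExposureStrings}.
     *
     * <p>Every line of the resource is taken verbatim (including blank lines, matching the
     * previous behaviour). A missing resource is logged and leaves the list empty instead of
     * surfacing as a NullPointerException; read failures are reported via {@link SoapUI#logError}.
     */
    private void initDefaultVectors() {
        InputStream in = SoapUI.class.getResourceAsStream(XSS_VECTORS_RESOURCE);
        if (in == null) {
            log.warn("XSS vector list {} not found on the classpath; scan starts with no default payloads",
                    XSS_VECTORS_RESOURCE);
            return;
        }
        // The payload file contains non-ASCII vectors; pin the charset rather than relying on
        // the platform default, which varies between installations.
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                this.defaultParameterExposureStrings.add(line);
            }
        } catch (IOException e) {
            SoapUI.logError(e);
        }
    }

    /** Registers the XSS assertion that evaluates each injected request's response. */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScanWithProperties, com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public void initializeScan(TestStep testStep) {
        super.initializeScan(testStep);
        addWsdlAssertion(CrossSiteScriptAssertion.LABEL);
    }

    @Override // com.eviware.soapui.security.scan.AbstractSecurityScanWithProperties
    public boolean supportsJson() {
        return true;
    }

    /**
     * Creates a fresh {@link CrossSiteScriptingScanConfig} on the scan's config and fills it
     * with the bundled default payloads.
     */
    private void initConfig() {
        initDefaultVectors();
        SecurityScanConfig scanConfig = (SecurityScanConfig) getConfig();
        scanConfig.setConfig(CrossSiteScriptingScanConfig.Factory.newInstance());
        this.cssConfig = (CrossSiteScriptingScanConfig) scanConfig.getConfig();
        if (this.defaultParameterExposureStrings.isEmpty()) {
            // An empty payload list means the scan sends nothing; make that visible in the log.
            log.warn("Cross Site Scripting scan created with an empty payload list");
        }
        this.cssConfig.setParameterExposureStringsArray(
                this.defaultParameterExposureStrings.toArray(new String[0]));
    }

    /**
     * Re-reads {@link #cssConfig} after the base class has swapped in a new config.
     *
     * <p>NOTE(review): {@link #parameterValueInjector} was built from the previous config's
     * payload list and is not rebuilt here — confirm callers re-create the scan (or that
     * the list instance survives) when the config is replaced.
     */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScanWithProperties, com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public void updateSecurityConfig(SecurityScanConfig securityScanConfig) {
        super.updateSecurityConfig(securityScanConfig);
        if (this.cssConfig != null) {
            this.cssConfig = (CrossSiteScriptingScanConfig) ((SecurityScanConfig) getConfig()).getConfig();
        }
    }

    /**
     * Runs one scan iteration: injects the next payload into the step's parameters, executes
     * the step and records the exchange for the assertions.
     *
     * <p>The request content of the result is blanked before the exchange is recorded (the
     * injected parameters are reported separately via the changed-parameter map; presumably
     * this keeps the raw payload-laden body out of the stored exchange — confirm against
     * {@code createMessageExchange}).
     */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan
    protected void execute(SecurityTestRunner securityTestRunner, TestStep testStep, SecurityTestRunContext securityTestRunContext) {
        try {
            sendToContext(securityTestRunContext, testStep, securityTestRunner);
            // Map of parameter name -> injected payload for this iteration.
            StringToStringMap changedParameters = this.parameterValueInjector.update(testStep, securityTestRunContext, true);
            TestCaseRunner runner = (TestCaseRunner) securityTestRunner;
            if (testStep instanceof RestTestRequestStep) {
                RestRequestStepResult result = (RestRequestStepResult) testStep.run(runner, securityTestRunContext);
                result.setRequestContent("");
                createMessageExchange(changedParameters, result, securityTestRunContext);
            } else {
                MessageExchange exchange = (MessageExchange) testStep.run(runner, securityTestRunContext);
                if (exchange instanceof WsdlTestRequestStepResult) {
                    ((WsdlTestRequestStepResult) exchange).setRequestContent("", false);
                }
                createMessageExchange(changedParameters, exchange, securityTestRunContext);
            }
        } catch (XmlException e) {
            // The specific handler must precede the generic one: XmlException extends Exception,
            // so the reverse order (as emitted by the decompiler) is unreachable and does not compile.
            log.error("Property value is not valid XML!", e);
            reportSecurityScanException("Property value is not XML or XPath is wrong!", e);
        } catch (Exception e) {
            log.error("XPath seems to be invalid!", e);
            reportSecurityScanException("Property value is not XML or XPath is wrong!", e);
        }
    }

    /** Report metadata for one request: the CWE id plus the remediation hint for the injected parameters. */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public ScanRequestReportData buildRequestMetaData(SecurityScanRequestResult securityScanRequestResult) {
        return new ScanRequestReportData(CWE_ID, buildActionPoints(securityScanRequestResult));
    }

    /** Human-readable remediation hint naming the parameters that received payloads; empty if none did. */
    private String buildActionPoints(SecurityScanRequestResult securityScanRequestResult) {
        StringToStringMap changedParameters = securityScanRequestResult.changedParameters();
        if (changedParameters.isEmpty()) {
            return "";
        }
        return "You should ensure that HTML tags passed into the "
                + StringUtils.maybePlural("parameter", changedParameters.size())
                + getParametersString(changedParameters)
                + " will not be echoed back in the response";
    }

    /** Publishes the runner and step in the run context for collaborators (e.g. the assertion). */
    private void sendToContext(SecurityTestRunContext securityTestRunContext, TestStep testStep, SecurityTestRunner securityTestRunner) {
        securityTestRunContext.put(TEST_CASE_RUNNER, (Object) securityTestRunner);
        securityTestRunContext.put(TEST_STEP, (Object) testStep);
    }

    /** Reverses {@link #sendToContext}. */
    private void removeFromContext(SecurityTestRunContext securityTestRunContext) {
        securityTestRunContext.remove(TEST_CASE_RUNNER);
        securityTestRunContext.remove(TEST_STEP);
    }

    /**
     * Main configuration panel: payloads are edited in the advanced settings, so this only shows a hint.
     *
     * <p>The decompiler had renamed this method to {@code mo1116getComponent} ("renamed from: getComponent");
     * the original name is restored so it overrides the {@code SecurityScan} method again.
     */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public JComponent getComponent() {
        JPanel panel = UISupport.createEmptyPanel(5, 75, 0, 5);
        panel.add(new JLabel("<html>Strings for Cross Site Scripting can be configured under Advanced Settings</html>"));
        return panel;
    }

    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public String getType() {
        return TYPE;
    }

    /**
     * Reports whether another payload/parameter combination remains.
     *
     * <p>While payloads remain the config is exposed in the context under
     * {@link #PARAMETER_EXPOSURE_SCAN_CONFIG}; once exhausted that key and the runner/step
     * keys are removed again.
     */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan
    protected boolean hasNext(TestStep testStep, SecurityTestRunContext securityTestRunContext) {
        if (this.parameterValueInjector.hasNext()) {
            securityTestRunContext.put(PARAMETER_EXPOSURE_SCAN_CONFIG, (Object) this.cssConfig);
            return true;
        }
        securityTestRunContext.remove(PARAMETER_EXPOSURE_SCAN_CONFIG);
        removeFromContext(securityTestRunContext);
        return false;
    }

    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan
    protected void clear() {
        this.parameterValueInjector.clear();
    }

    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public String getConfigDescription() {
        return "Configures parameter exposure security scan";
    }

    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public String getConfigName() {
        return "Cross Site Scripting Scan";
    }

    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public String getHelpURL() {
        return "/secure/scans/xss/start";
    }

    /**
     * Builds the "Advanced Settings" panel with the editable payload list and keeps the
     * config in sync with it.
     *
     * <p>Each edit replaces the config's payload array with the list's full new value. The
     * earlier index-diffing logic compared entries with {@code ==} (String identity) and, when
     * several trailing entries vanished in one event, removed the same stale index repeatedly;
     * mirroring the whole list avoids both problems.
     *
     * <p>NOTE(review): a previously built dialog is overwritten without being released here;
     * only {@link #release()} releases the last one — confirm this is called at most once per scan.
     */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public JComponent getAdvancedSettingsPanel() {
        this.dialog = (JFormDialog) ADialogBuilder.buildDialog(AdvancedSettings.class);
        JStringListFormField vectorsField =
                (JStringListFormField) this.dialog.getFormField(AdvancedSettings.PARAMETER_EXPOSURE_STRINGS);
        vectorsField.setOptions(this.cssConfig.getParameterExposureStringsList().toArray());
        vectorsField.setProperty("dimension", new Dimension(470, 150));
        vectorsField.getComponent().addPropertyChangeListener("options", new PropertyChangeListener() {
            @Override
            public void propertyChange(PropertyChangeEvent event) {
                Object newValue = event.getNewValue();
                if (!(newValue instanceof String[])) {
                    // The list field is expected to publish String[]; ignore anything else rather than cast blindly.
                    return;
                }
                CrossSiteScriptingScan.this.cssConfig.setParameterExposureStringsArray((String[]) newValue);
            }
        });
        return this.dialog.getPanel();
    }

    @Override // com.eviware.soapui.security.scan.AbstractSecurityScanWithProperties, com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.impl.wsdl.AbstractWsdlModelItem, com.eviware.soapui.model.support.AbstractModelItem, com.eviware.soapui.model.Releasable
    public void release() {
        if (this.dialog != null) {
            this.dialog.release();
        }
        super.release();
    }
}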
