package com.eviware.soapui.security.scan;

import com.eviware.soapui.SoapUI;
import com.eviware.soapui.config.SecurityScanConfig;
import com.eviware.soapui.config.XPathInjectionConfig;
import com.eviware.soapui.impl.rest.panels.component.RestResourceEditor;
import com.eviware.soapui.model.ModelItem;
import com.eviware.soapui.model.iface.MessageExchange;
import com.eviware.soapui.model.security.ScanRequestReportData;
import com.eviware.soapui.model.testsuite.TestCaseRunner;
import com.eviware.soapui.model.testsuite.TestStep;
import com.eviware.soapui.security.SecurityTestRunContext;
import com.eviware.soapui.security.SecurityTestRunner;
import com.eviware.soapui.security.result.SecurityScanRequestResult;
import com.eviware.soapui.support.StringUtils;
import com.eviware.soapui.support.UISupport;
import com.eviware.soapui.support.types.StringToStringMap;
import com.eviware.x.form.support.AField;
import com.eviware.x.form.support.AForm;
import com.eviware.x.impl.swing.JFormDialog;
import java.beans.PropertyChangeEvent;
import java.beans.PropertyChangeListener;
import java.util.List;
import javax.swing.JComponent;
import javax.swing.JLabel;
import javax.swing.JPanel;
import org.apache.xmlbeans.XmlException;

/* loaded from: input_file:com/eviware/soapui/security/scan/XPathInjectionSecurityScan.class */
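/**
 * Security scan that probes a test step's parameters with XPath injection strings
 * (reported under {@code CWE-643}).
 *
 * <p>The injection strings are held in an {@link XPathInjectionConfig}. When the supplied
 * scan configuration carries no such config, one is created and seeded with
 * {@link #defaultXPathInjectionStrings}. The strings can be edited through the panel
 * returned by {@link #getAdvancedSettingsPanel()}.
 *
 * <p>NOTE(review): this listing is decompiler output; identifiers such as
 * {@code mo1116getComponent} and the constant used inside the default string list are
 * decompiler artifacts and should be checked against the upstream source.
 */
public class XPathInjectionSecurityScan extends AbstractSecurityScanWithProperties {
    public static final String TYPE = "XPathInjectionSecurityScan";
    public static final String NAME = "XPath Injection";
    /** Weakness identifier attached to every request report built by this scan. */
    private static final String CWE_ID = "CWE-643";
    private XPathInjectionConfig xpathInjectionConfig;
    /** Strings used to seed a freshly created config; assigned in the constructor. */
    String[] defaultXPathInjectionStrings;
    // Never assigned in this class as shown; release() only null-checks it.
    private JFormDialog dialog;
    private ParameterValueInjector parameterValueInjector;

    /** Form metadata for the advanced-settings dialog (a single string-list field). */
    @AForm(description = "XPath Injection Strings", name = "XPath Injection Strings")
    protected interface AdvancedSettings {

        @AField(description = "XPath Strings", name = INJECTION_STRINGS, type = AField.AFieldType.STRINGLIST)
        public static final String INJECTION_STRINGS = "###Injection Strings";
    }

    /**
     * Creates the scan and wires up its injection-string configuration.
     *
     * @param testStep           the test step this scan is attached to
     * @param securityScanConfig the scan configuration; its nested config is reused only
     *                           when it already is an {@link XPathInjectionConfig}
     * @param modelItem          passed through to the superclass
     * @param str                passed through to the superclass
     */
    public XPathInjectionSecurityScan(TestStep testStep, SecurityScanConfig securityScanConfig, ModelItem modelItem, String str) {
        super(testStep, securityScanConfig, modelItem, str);
        // NOTE(review): the last two entries contain U+FFFD replacement characters, which
        // looks like an encoding loss (possibly of a quote character) - confirm against the
        // upstream source. MATRIX_PARAMETER_DELIMETER is a constant from an unrelated UI
        // class, presumably substituted by the decompiler for an equal literal.
        this.defaultXPathInjectionStrings = new String[]{
            " or name(//users/LoginID[1]) = 'LoginID' or 'a'='b",
            "' or '1'='1",
            "1/0",
            "'%20o/**/r%201/0%20--",
            "' o/**/r 1/0 --",
            RestResourceEditor.MATRIX_PARAMETER_DELIMETER,
            "'%20and%201=2%20--",
            "' and 1=2 --",
            "test�%20UNION%20select%201,%20@@version,%201,%201;�",
            "test� UNION select 1, @@version, 1, 1;�"
        };
        // instanceof is false for null, so a missing config also takes the init path.
        if (securityScanConfig.getConfig() instanceof XPathInjectionConfig) {
            this.xpathInjectionConfig = (XPathInjectionConfig) ((SecurityScanConfig) getConfig()).getConfig();
        } else {
            initXPathInjectionConfig();
        }
        this.parameterValueInjector = new ParameterValueInjector(
                getParameterHolder().getParameterList(),
                this.xpathInjectionConfig.getXpathListList(),
                getExecutionStrategy().getStrategy());
    }

    /** Returns the one-line description shown for this scan type. */
    @Override // com.eviware.soapui.model.security.SecurityScan
    public String getScanTypeDescription() {
        return "Tries to exploit bad XML processing inside your target service.";
    }

    /**
     * Applies a new scan configuration and, if this scan already holds an injection config,
     * re-reads it from the updated configuration.
     */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScanWithProperties, com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public void updateSecurityConfig(SecurityScanConfig securityScanConfig) {
        super.updateSecurityConfig(securityScanConfig);
        if (this.xpathInjectionConfig != null) {
            this.xpathInjectionConfig = (XPathInjectionConfig) ((SecurityScanConfig) getConfig()).getConfig();
        }
    }

    /** This scan declares JSON support. */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScanWithProperties
    public boolean supportsJson() {
        return true;
    }

    /** Installs a new {@link XPathInjectionConfig} on the scan config and seeds it with the defaults. */
    private void initXPathInjectionConfig() {
        ((SecurityScanConfig) getConfig()).setConfig(XPathInjectionConfig.Factory.newInstance());
        this.xpathInjectionConfig = (XPathInjectionConfig) ((SecurityScanConfig) getConfig()).getConfig();
        this.xpathInjectionConfig.setXpathListArray(this.defaultXPathInjectionStrings);
    }

    /**
     * Builds the main panel for this scan: a label pointing the user to the advanced settings.
     *
     * <p>The method name was produced by the decompiler ("renamed from: getComponent").
     */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    /* renamed from: getComponent */
    public JComponent mo1116getComponent() {
        JPanel panel = UISupport.createEmptyPanel(5, 75, 0, 5);
        panel.add(new JLabel("<html>Strings for XPath injection can be changed under advanced settings</html>"));
        return panel;
    }

    /**
     * Runs one scan iteration: calls the injector's {@code update}, runs the test step, and
     * hands both results to {@code createMessageExchange}.
     *
     * <p>Failures are logged and reported through {@code reportSecurityScanException}; they
     * are not rethrown.
     */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan
    protected void execute(SecurityTestRunner securityTestRunner, TestStep testStep, SecurityTestRunContext securityTestRunContext) {
        try {
            // Arguments are evaluated left to right: update() runs before the step is run.
            createMessageExchange(
                    this.parameterValueInjector.update(testStep, securityTestRunContext),
                    (MessageExchange) testStep.run((TestCaseRunner) securityTestRunner, securityTestRunContext),
                    securityTestRunContext);
        } catch (XmlException e) {
            // Must precede the Exception handler: listed after it, this handler is
            // unreachable and the invalid-XPath log message is never emitted.
            SoapUI.logError(e, "[XPathInjectionSecurityScan]XPath seems to be invalid!");
            reportSecurityScanException("Property value is not XML or XPath is wrong!", e);
        } catch (Exception e) {
            SoapUI.logError(e, "[XPathInjectionSecurityScan]Property value is not valid xml!");
            reportSecurityScanException("Property value is not XML or XPath is wrong!", e);
        }
    }

    /** Builds the report entry for one request: the CWE id plus the suggested action text. */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public ScanRequestReportData buildRequestMetaData(SecurityScanRequestResult securityScanRequestResult) {
        return new ScanRequestReportData(CWE_ID, buildActionPoints(securityScanRequestResult));
    }

    /**
     * Returns the remediation hint for a request result, or an empty string when no
     * parameters were changed.
     */
    private String buildActionPoints(SecurityScanRequestResult securityScanRequestResult) {
        StringToStringMap changedParameters = securityScanRequestResult.changedParameters();
        if (changedParameters.isEmpty()) {
            return "";
        }
        // NOTE(review): the hint recommends stripping XPath tokens from input. For CWE-643,
        // binding user input as XPath variables (parameterised queries) or strict allow-list
        // validation is the more robust fix; consider rewording the report text upstream.
        return "You may need to remove XPath tokens from the contents of the "
                + StringUtils.maybePlural("parameter", changedParameters.size())
                + getParametersString(changedParameters);
    }

    /** Returns the description of this scan's configuration. */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public String getConfigDescription() {
        return "Configures XPath Injection Security Scan";
    }

    /** Returns the display name of this scan's configuration. */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public String getConfigName() {
        return "XPath Injection Security Scan";
    }

    /** Returns the help path for this scan. */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public String getHelpURL() {
        return "/secure/scans/xpath_injection/start";
    }

    /** Returns {@link #TYPE}. */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public String getType() {
        return TYPE;
    }

    /** Returns whether the injector reports another iteration; false when no injector is set. */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan
    protected boolean hasNext(TestStep testStep, SecurityTestRunContext securityTestRunContext) {
        return this.parameterValueInjector != null && this.parameterValueInjector.hasNext();
    }

    /**
     * Builds the advanced-settings editor, pre-filled with the configured injection strings.
     * Edits made in the editor are written back to the config through its "options" property.
     */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public JComponent getAdvancedSettingsPanel() {
        InjectionStringsEditor editor = new InjectionStringsEditor("XPath");
        List<String> configured = this.xpathInjectionConfig.getXpathListList();
        editor.setOptions(configured.toArray(new String[0]));
        editor.addPropertyChangeListener("options", new PropertyChangeListener() {
            @Override // java.beans.PropertyChangeListener
            public void propertyChange(PropertyChangeEvent propertyChangeEvent) {
                // The new value is stored as-is; no validation is applied to the edited strings here.
                XPathInjectionSecurityScan.this.xpathInjectionConfig.setXpathListArray((String[]) propertyChangeEvent.getNewValue());
            }
        });
        return editor;
    }

    /** Releases the dialog, if one was created, and then the superclass resources. */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScanWithProperties, com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.impl.wsdl.AbstractWsdlModelItem, com.eviware.soapui.model.support.AbstractModelItem, com.eviware.soapui.model.Releasable
    public void release() {
        if (this.dialog != null) {
            this.dialog.release();
        }
        super.release();
    }

    /** Clears the injector's state, if an injector is set. */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan
    protected void clear() {
        if (this.parameterValueInjector != null) {
            this.parameterValueInjector.clear();
        }
    }
}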
