package com.eviware.soapui.security.scan;

import com.eviware.soapui.config.SQLInjectionScanConfig;
import com.eviware.soapui.config.SecurityScanConfig;
import com.eviware.soapui.impl.rest.panels.component.RestResourceEditor;
import com.eviware.soapui.impl.support.http.HttpRequestProperties;
import com.eviware.soapui.impl.wsdl.submit.filters.SavedRequestProperties;
import com.eviware.soapui.model.ModelItem;
import com.eviware.soapui.model.iface.MessageExchange;
import com.eviware.soapui.model.security.ScanRequestReportData;
import com.eviware.soapui.model.testsuite.TestCaseRunner;
import com.eviware.soapui.model.testsuite.TestStep;
import com.eviware.soapui.security.SecurityTestRunContext;
import com.eviware.soapui.security.SecurityTestRunner;
import com.eviware.soapui.security.result.SecurityScanRequestResult;
import com.eviware.soapui.support.StringUtils;
import com.eviware.soapui.support.UISupport;
import com.eviware.soapui.support.types.StringToStringMap;
import java.beans.PropertyChangeEvent;
import java.beans.PropertyChangeListener;
import java.util.List;
import java.util.Map;
import javax.swing.JComponent;
import javax.swing.JLabel;
import javax.swing.JPanel;
import org.apache.xmlbeans.XmlException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/eviware/soapui/security/scan/SQLInjectionScan.class */
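public class SQLInjectionScan extends AbstractSecurityScanWithProperties {
    private static final Logger log = LoggerFactory.getLogger(SQLInjectionScan.class);
    /** Scan type identifier, returned by {@link #getType()}. */
    public static final String TYPE = "SQLInjectionScan";
    /** Human-readable scan name. */
    public static final String NAME = "SQL Injection";
    /** CWE identifier attached to every request report (CWE-89, SQL Injection). */
    private static final String CWE_ID = "CWE-89";
    /** Scan-specific configuration; owns the list of injection strings sent by the scan. */
    private SQLInjectionScanConfig sqlInjectionConfig;
    /** Hands out the next parameter/value combination per iteration, following the execution strategy. */
    private ParameterValueInjector parameterValueInjector;
    /** Injection strings installed into a freshly created config; package-private, assigned in the constructor. */
    String[] defaultSqlInjectionStrings;

    /**
     * Creates the scan and guarantees that a {@link SQLInjectionScanConfig} is attached to the scan config.
     *
     * @param testStep           test step the scan is attached to
     * @param securityScanConfig persisted scan configuration; when its inner config is absent or not a
     *                           {@code SQLInjectionScanConfig}, a new one seeded with the default strings is created
     * @param modelItem          owning model item, passed through to the superclass
     * @param str                passed through to the superclass (its meaning is not visible in this class)
     */
    public SQLInjectionScan(TestStep testStep, SecurityScanConfig securityScanConfig, ModelItem modelItem, String str) {
        super(testStep, securityScanConfig, modelItem, str);
        this.defaultSqlInjectionStrings = new String[]{"' or '1'='1", "'--", "1'", "admin'--", "/*!10000%201/0%20*/", "/*!10000 1/0 */", "1/0", "'%20o/**/r%201/0%20--", "' o/**/r 1/0 --", RestResourceEditor.MATRIX_PARAMETER_DELIMETER, "'%20and%201=2%20--", "' and 1=2 --", "test�%20UNION%20select%201,%20@@version,%201,%201;�", "test� UNION select 1, @@version, 1, 1;�"};
        // instanceof is false for null, so no separate null check is needed.
        if (securityScanConfig.getConfig() instanceof SQLInjectionScanConfig) {
            this.sqlInjectionConfig = (SQLInjectionScanConfig) ((SecurityScanConfig) getConfig()).getConfig();
        } else {
            initSqlInjectionConfig();
        }
        this.parameterValueInjector = new ParameterValueInjector(getParameterHolder().getParameterList(),
                this.sqlInjectionConfig.getSqlInjectionStringsList(), getExecutionStrategy().getStrategy());
    }

    /** @return one-line description shown for this scan type */
    @Override // com.eviware.soapui.model.security.SecurityScan
    public String getScanTypeDescription() {
        return "Tries to exploit bad database integration coding.";
    }

    /**
     * Replaces the inner config of the scan config with a new {@link SQLInjectionScanConfig}
     * populated with {@link #defaultSqlInjectionStrings}, and caches it in {@link #sqlInjectionConfig}.
     */
    private void initSqlInjectionConfig() {
        SecurityScanConfig scanConfig = (SecurityScanConfig) getConfig();
        scanConfig.setConfig(SQLInjectionScanConfig.Factory.newInstance());
        this.sqlInjectionConfig = (SQLInjectionScanConfig) scanConfig.getConfig();
        this.sqlInjectionConfig.setSqlInjectionStringsArray(this.defaultSqlInjectionStrings);
    }

    /**
     * Propagates a new scan config to the superclass and re-reads the cached inner config.
     * The cache is only refreshed once it has been initialised; the cast assumes the new inner
     * config is again a {@code SQLInjectionScanConfig} (not checked here).
     *
     * @param securityScanConfig the replacement configuration
     */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScanWithProperties, com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public void updateSecurityConfig(SecurityScanConfig securityScanConfig) {
        super.updateSecurityConfig(securityScanConfig);
        if (this.sqlInjectionConfig != null) {
            this.sqlInjectionConfig = (SQLInjectionScanConfig) ((SecurityScanConfig) getConfig()).getConfig();
        }
    }

    /** @return {@code true}; the scan can also inject into JSON parameters */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScanWithProperties
    public boolean supportsJson() {
        return true;
    }

    /**
     * Builds the (informational) main settings panel; the actual strings are edited in the advanced panel.
     *
     * @return a padded panel carrying a single hint label
     */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    /* renamed from: getComponent */
    public JComponent mo1116getComponent() {
        JPanel hintPanel = UISupport.createEmptyPanel(5, 75, 0, 5);
        hintPanel.add(new JLabel("<html>Strings for SQL injection can be changed under advanced settings</html>"));
        return hintPanel;
    }

    /** @return {@link #TYPE} */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public String getType() {
        return TYPE;
    }

    /**
     * Runs one scan iteration: asks the injector for the next set of parameter values, runs the
     * test step with them and records the resulting message exchange.
     * <p>
     * Standard HTTP properties among the updated values are parked in the static
     * {@link SavedRequestProperties} holder while the step runs. The {@code finally} block empties the
     * holder whether the save or the run throws, so an injected value cannot leak into a later request
     * (whether {@code saveProperty} itself can throw is not visible from this class).
     * Any {@link Exception} is logged and turned into a scan-level error report instead of aborting the run.
     *
     * @param securityTestRunner     runner driving the security test; cast to {@link TestCaseRunner} for the step
     * @param testStep               the step to execute with injected values
     * @param securityTestRunContext run context passed to the injector and the step
     */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan
    protected void execute(SecurityTestRunner securityTestRunner, TestStep testStep, SecurityTestRunContext securityTestRunContext) {
        try {
            StringToStringMap update = this.parameterValueInjector.update(testStep, securityTestRunContext);
            MessageExchange messageExchange;
            try {
                saveUpdatedStandardProperties(update);
                messageExchange = (MessageExchange) testStep.run((TestCaseRunner) securityTestRunner, securityTestRunContext);
            } finally {
                SavedRequestProperties.clear();
            }
            createMessageExchange(update, messageExchange, securityTestRunContext);
        } catch (XmlException e) {
            log.error("XPath seems to be invalid!", e);
            reportSecurityScanException("Property value is not XML or XPath is wrong!", e);
        } catch (Exception e2) {
            log.error("Property value is not valid xml!", e2);
            reportSecurityScanException("Property value is not XML or XPath is wrong!", e2);
        }
    }

    /**
     * Copies every entry whose key is a standard HTTP request property into {@link SavedRequestProperties}.
     *
     * @param stringToStringMap updated parameter values keyed by parameter name
     */
    private void saveUpdatedStandardProperties(StringToStringMap stringToStringMap) {
        for (Map.Entry<String, String> entry : stringToStringMap.entrySet()) {
            String propertyName = entry.getKey();
            if (HttpRequestProperties.isStandardProperty(propertyName)) {
                SavedRequestProperties.saveProperty(propertyName, entry.getValue());
            }
        }
    }

    /**
     * Builds the report metadata for one scanned request.
     *
     * @param securityScanRequestResult result of the request being reported
     * @return metadata carrying {@link #CWE_ID} and the remediation hint from {@link #buildActionPoints}
     */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public ScanRequestReportData buildRequestMetaData(SecurityScanRequestResult securityScanRequestResult) {
        return new ScanRequestReportData(CWE_ID, buildActionPoints(securityScanRequestResult));
    }

    /**
     * Composes the remediation hint naming the parameters that were modified for this request.
     *
     * @param securityScanRequestResult result whose changed parameters are listed
     * @return the hint, or an empty string when no parameter was changed
     */
    private String buildActionPoints(SecurityScanRequestResult securityScanRequestResult) {
        StringToStringMap changedParameters = securityScanRequestResult.changedParameters();
        if (changedParameters.isEmpty()) {
            return "";
        }
        String noun = StringUtils.maybePlural("parameter", changedParameters.size());
        return "You may need to remove SQL tokens from the contents of the " + noun + getParametersString(changedParameters);
    }

    /** Resets the injector so the next run starts from the first parameter/value combination. */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan
    protected void clear() {
        this.parameterValueInjector.clear();
    }

    /**
     * @return whether the injector still has a combination to send; the step and context are not consulted
     */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan
    protected boolean hasNext(TestStep testStep, SecurityTestRunContext securityTestRunContext) {
        return this.parameterValueInjector.hasNext();
    }

    /** @return description shown in the configuration dialog */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public String getConfigDescription() {
        return "Configures SQL injection security scan";
    }

    /** @return title of the configuration dialog */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public String getConfigName() {
        return "SQL Injection Security Scan";
    }

    /** @return help path for this scan (relative; resolved by the caller) */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public String getHelpURL() {
        return "/secure/scans/sql_injection/start";
    }

    /**
     * Builds the advanced settings panel: an editor pre-filled with the configured injection strings
     * that writes every edit straight back into {@link #sqlInjectionConfig}.
     *
     * @return the editor component
     */
    @Override // com.eviware.soapui.security.scan.AbstractSecurityScan, com.eviware.soapui.model.security.SecurityScan
    public JComponent getAdvancedSettingsPanel() {
        InjectionStringsEditor editor = new InjectionStringsEditor("SQL");
        List<String> configuredStrings = this.sqlInjectionConfig.getSqlInjectionStringsList();
        // toArray(new String[0]) already yields a String[]; no cast required.
        editor.setOptions(configuredStrings.toArray(new String[0]));
        editor.addPropertyChangeListener("options", new PropertyChangeListener() { // from class: com.eviware.soapui.security.scan.SQLInjectionScan.1
            @Override // java.beans.PropertyChangeListener
            public void propertyChange(PropertyChangeEvent propertyChangeEvent) {
                // The editor fires the complete new string array as the property's new value.
                SQLInjectionScan.this.sqlInjectionConfig.setSqlInjectionStringsArray((String[]) propertyChangeEvent.getNewValue());
            }
        });
        return editor;
    }
}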
