package org.egov.infstr.security.utils;

import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.util.Locale;
import java.util.Properties;
import java.util.StringTokenizer;
import java.util.WeakHashMap;
import org.apache.commons.lang.StringUtils;
import org.egov.infra.exception.ApplicationRuntimeException;
import org.egov.infra.utils.EgovThreadLocals;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/egov/infstr/security/utils/SecurityUtils.class */
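/**
 * Static helpers that screen user-supplied strings for SQL keywords and pass
 * strings through the project's sanitizer.
 *
 * <p>NOTE(review): the SQL check is a keyword deny-list applied to
 * whitespace-separated tokens. It is a coarse input filter only and does not
 * replace parameterized queries at the data-access layer.
 *
 * <p>NOTE(review): {@link #SQL_INJ_WHITE_LIST} is a plain {@link WeakHashMap}
 * shared through a static field; it is not thread-safe. Confirm how callers
 * invoke this class before relying on it from concurrent request threads.
 */
public class SecurityUtils implements SecurityConstants {
    private static final Logger LOG = LoggerFactory.getLogger(SecurityUtils.class);

    // Allow-list cache keyed by servlet context name. The keys are weakly held,
    // so an entry can disappear once its key is no longer strongly referenced
    // elsewhere; readers must tolerate a missing entry.
    private static final WeakHashMap<String, Properties> SQL_INJ_WHITE_LIST = new WeakHashMap<>();
    private static final String SQL_WHITE_LST_PROP_FILE = "/WEB-INF/sqlwhitelist.properties";

    /**
     * Rejects input that contains a deny-listed SQL keyword as a standalone token.
     *
     * <p>Blank or {@code null} input is returned untouched. Input that exactly
     * matches a value in the allow-list properties file is returned without
     * further checks. Otherwise the input is split on whitespace and each token,
     * lower-cased, is compared with every entry of {@code SQL_INJ_BLK_LIST}.
     *
     * @param str the user-supplied value to screen; may be {@code null}
     * @return {@code str} unchanged when no deny-listed token is found
     * @throws ApplicationRuntimeException when a token equals a deny-listed keyword
     */
    public static String checkSQLInjection(String str) {
        if (StringUtils.isBlank(str)) {
            return str;
        }
        if (isWhiteListed(str)) {
            return str;
        }
        // Default delimiters (space, tab, newline, carriage return, form feed) are
        // used so that a keyword separated by any whitespace is still checked.
        StringTokenizer tokens = new StringTokenizer(str);
        while (tokens.hasMoreTokens()) {
            // Locale.ROOT keeps the lower-casing independent of the JVM default
            // locale (e.g. the Turkish dotless-i mapping would otherwise change
            // what "INSERT" lower-cases to and skip the comparison below).
            String token = tokens.nextToken().toLowerCase(Locale.ROOT);
            for (String blocked : SQL_INJ_BLK_LIST) {
                if (token.equals(blocked)) {
                    LOG.error("Found SQL Injection attack, Domain Name : {} User ID : {}", EgovThreadLocals.getDomainName(), EgovThreadLocals.getUserId());
                    throw new ApplicationRuntimeException("Invalid user input found, possible SQL Injection!");
                }
            }
        }
        return str;
    }

    /**
     * Passes the value through {@code VirtualSanitizer.sanitize}.
     *
     * @param str the value to sanitize
     * @return whatever {@code VirtualSanitizer.sanitize} returns for {@code str}
     */
    public static String checkXSSAttack(String str) {
        return VirtualSanitizer.sanitize(str);
    }

    /**
     * Reports whether {@code str} is one of the values in the allow-list for the
     * current servlet context.
     *
     * <p>Loading the allow-list is best effort: any failure (missing servlet
     * context, missing or unreadable file) is logged and treated as "not
     * allow-listed", so the strict deny-list check still runs.
     */
    private static boolean isWhiteListed(String str) {
        try {
            feedSQLWhiteList(SQL_WHITE_LST_PROP_FILE);
            Properties whiteList = SQL_INJ_WHITE_LIST.get(EgovThreadLocals.getServletContext().getServletContextName());
            if (whiteList == null) {
                // The weakly keyed cache entry may be gone, or the context name is null.
                LOG.warn("SQL White Listed Properties is not loaded or unavailable, This will cause strict SQL Injection checking");
                return false;
            }
            return whiteList.containsValue(str);
        } catch (Exception e) {
            // Deliberately broad: a broken allow-list must never disable the check.
            LOG.warn("SQL White Listed Properties is not loaded or unavailable, This will cause strict SQL Injection checking", e);
            return false;
        }
    }

    /**
     * Loads the allow-list properties for the current servlet context into the
     * cache, unless an entry for that context name is already present.
     *
     * @param str resource path of the properties file, resolved by the servlet context
     * @throws FileNotFoundException when the servlet context has no such resource
     * @throws IOException when the resource cannot be read
     */
    private static void feedSQLWhiteList(String str) throws FileNotFoundException, IOException {
        String contextName = EgovThreadLocals.getServletContext().getServletContextName();
        if (SQL_INJ_WHITE_LIST.containsKey(contextName)) {
            return;
        }
        Properties properties = new Properties();
        // try-with-resources closes the stream, which the previous code leaked.
        try (InputStream in = EgovThreadLocals.getServletContext().getResourceAsStream(str)) {
            if (in == null) {
                throw new FileNotFoundException("SQL white list resource not found: " + str);
            }
            properties.load(in);
        }
        SQL_INJ_WHITE_LIST.put(contextName, properties);
    }
}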
