package cn.com.yusys.yusp.common.annotation;

import cn.com.yusys.yusp.common.exception.IcspException;
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONArray;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.JSONObject;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.commons.lang3.StringUtils;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

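/**
 * Around-advice that rejects calls to {@code @SqlInjection}-annotated methods whose
 * arguments contain SQL-looking tokens.
 *
 * <p>Every argument is serialised with {@link JSON#toJSONString(Object)} and matched
 * against a fixed denylist (SQL keywords such as {@code select}/{@code or}/{@code and}
 * plus the characters {@code *}, {@code '} and {@code %}). This is a coarse heuristic,
 * not a parser: it rejects ordinary text that happens to contain "and" or an
 * apostrophe, and it cannot replace parameterised statements in the data layer.
 * Apply the annotation to endpoints whose inputs are codes/identifiers rather than
 * free text.
 */
@Aspect
@Component
public class SqlInjectionAspect {
    private static final Logger LOGGER = LoggerFactory.getLogger(SqlInjectionAspect.class);

    /**
     * Denylist pattern, compiled once. {@code \b...\b} restricts the keywords to whole
     * words ("android" does not match "and"); the second alternative matches the bare
     * characters {@code *}, {@code '} and {@code %} anywhere. SQL keywords are
     * case-insensitive, so the pattern is too ("SELECT" is rejected like "select").
     */
    private static final Pattern SQL_INJECTION_PATTERN = Pattern.compile(
            "\\b(alert|and|exec|insert|select|drop|grant|alter|delete|update|count|chr|mid|master|truncate|char|declare|or)\\b|(\\*|'|%)",
            Pattern.CASE_INSENSITIVE);

    /** Pointcut: any method carrying {@code cn.com.yusys.yusp.common.annotation.SqlInjection}. */
    @Pointcut("@annotation(cn.com.yusys.yusp.common.annotation.SqlInjection)")
    public void sqlInjection() {
    }

    /**
     * Checks every argument of the advised method before letting it run.
     *
     * @param proceedingJoinPoint the intercepted invocation
     * @return whatever the advised method returns
     * @throws IcspException (code {@code "500"}) when any argument's JSON form matches the denylist;
     *     the offending field paths are logged first, and the advised method is never invoked
     * @throws Throwable anything the advised method itself throws
     */
    @Around("sqlInjection()")
    public Object round(ProceedingJoinPoint proceedingJoinPoint) throws Throwable {
        LOGGER.info("sql注入检查环绕通知开始........");
        LOGGER.info(proceedingJoinPoint.getSignature().getName());
        Object[] args = proceedingJoinPoint.getArgs();
        for (int i = 0; i < args.length; i++) {
            // Serialise once; the same text is used for the quick check and the field walk.
            String json = JSON.toJSONString(args[i]);
            if (!containsSqlInjection(json)) {
                continue;
            }
            Map<String, String> offending = new HashMap<>();
            getSqlInjection("方法参数" + i, json, offending);
            for (Map.Entry<String, String> entry : offending.entrySet()) {
                // The value is the caller-supplied text verbatim; it is diagnostic output, not sanitised.
                LOGGER.info("{}:{}", entry.getKey(), entry.getValue());
            }
            LOGGER.info("以上字段存在非法入参........");
            LOGGER.info("sql注入检查环绕通知结束........");
            throw new IcspException("500", "存在非法参数,请规范接口入参");
        }
        LOGGER.info("sql注入检查环绕通知结束........");
        return proceedingJoinPoint.proceed();
    }

    /**
     * Returns whether the text form of {@code obj} matches the denylist.
     *
     * @param obj value to inspect; {@code null} and the empty string never match
     * @return {@code true} when {@link #SQL_INJECTION_PATTERN} finds a match in {@code String.valueOf(obj)}
     */
    public static boolean containsSqlInjection(Object obj) {
        if (obj == null) {
            return false;
        }
        String text = String.valueOf(obj);
        if (StringUtils.isEmpty(text)) {
            return false;
        }
        return SQL_INJECTION_PATTERN.matcher(text).find();
    }

    /**
     * Walks {@code str2} as JSON and records, in {@code map}, the leaf values that match the denylist.
     *
     * <p>Object members are descended as {@code path.key}, array elements as {@code path[i]};
     * a value that is neither an object nor an array is a leaf and is stored under the path
     * reached so far. Only members whose own text already matches the denylist are descended,
     * so the map never contains a leaf that would not have been rejected on its own.
     *
     * @param str  path prefix for entries recorded from this call
     * @param str2 JSON text (or plain text for a leaf) to inspect; empty or {@code "null"} is ignored
     * @param map  receives {@code path -> offending text}
     */
    public static void getSqlInjection(String str, String str2, Map<String, String> map) {
        // fastjson parses the literal "null" into a null container, so treat it as nothing to inspect.
        if (StringUtils.isEmpty(str2) || "null".equals(str2)) {
            return;
        }
        int kind = testIsArrayORObject(str2);
        if (kind == 1) {
            JSONObject object = JSONObject.parseObject(str2);
            if (object == null) {
                return;
            }
            for (String key : object.keySet()) {
                // getString renders nested objects/arrays as JSON text, so recursion keeps working.
                String value = object.getString(key);
                if (containsSqlInjection(value)) {
                    getSqlInjection(str + "." + key, value, map);
                }
            }
        } else if (kind == 2) {
            JSONArray array = JSONObject.parseArray(str2);
            if (array == null) {
                return;
            }
            // Elements may be scalars, not only objects; getString copes with both, whereas
            // getJSONObject would fail on a string or number element.
            for (int i = 0; i < array.size(); i++) {
                String element = array.getString(i);
                if (containsSqlInjection(element)) {
                    getSqlInjection(str + "[" + i + "]", element, map);
                }
            }
        } else {
            map.put(str, str2);
        }
    }

    /**
     * Classifies JSON text by trying the fastjson parsers in turn.
     *
     * @param str text to classify
     * @return {@code 2} if it parses as a JSON array (note: fastjson also accepts the literal
     *     {@code "null"} here, yielding a null array), {@code 1} if it parses as a JSON object,
     *     {@code 0} otherwise
     */
    public static int testIsArrayORObject(String str) {
        try {
            JSONObject.parseArray(str);
            return 2;
        } catch (JSONException notAnArray) {
            try {
                JSONObject.parseObject(str);
                return 1;
            } catch (JSONException notAnObject) {
                return 0;
            }
        }
    }
}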
