package net.sf.deadbolt.handlers;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.sf.deadbolt.model.Room;
import org.apache.log4j.Logger;

/* loaded from: input_file:net/sf/deadbolt/handlers/SQLInjectionHandler.class */
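/**
 * Deadbolt handler that rejects a request when any (non-excluded) request parameter contains a
 * string from a fixed SQL-keyword blocklist.
 *
 * <p>Room init-params read by this handler:
 * <ul>
 *   <li>{@code LEVEL} – {@code WEAK} selects the short quote/separator/comment list, any other
 *       value selects the full keyword list;</li>
 *   <li>{@code EXCLUDED-FIELDS} – comma-separated parameter names that are not inspected;</li>
 *   <li>{@code ErrorMessage} – message reported via {@code addErrorMessage} on rejection.</li>
 * </ul>
 *
 * <p>This is a string blocklist, i.e. a defence-in-depth filter: it neither understands the SQL the
 * application builds nor replaces parameterised queries, and the STRONG list will also reject
 * ordinary text containing short words such as "end", "min", "max", "sum" or "from" (use
 * {@code EXCLUDED-FIELDS} for free-text fields).
 *
 * <p>No per-request state is kept in instance fields, so one instance can serve concurrent requests.
 */
public class SQLInjectionHandler extends DeadboltHandler {
    private static final Logger logger;

    /** Blocklist for {@code LEVEL=WEAK}: quote, statement separator and line comment. */
    private static final String[] BAD_STRINGS_WEAK = {"'", ";", "--"};

    /** Blocklist for every other {@code LEVEL}; entries are matched as case-insensitive substrings. */
    private static final String[] BAD_STRINGS_STRONG = {"'", ";", "--", "union", "drop", "insert", "update", "delete", "having", "group by", "select", "sum", "max", "min", "values", "@@", "from", "where", "create", "begin", "declare", "end", "exec", "shutdown", "xp_", "master", "bulk insert"};

    // javac artifact of a pre-Java-5 class literal; kept package-visible for binary compatibility.
    static Class class$net$sf$deadbolt$handlers$SQLInjectionHandler;

    /**
     * Inspects every value of every non-excluded request parameter against the room's blocklist.
     *
     * @param httpServletRequest  request whose parameters are inspected; receives the error message on rejection
     * @param httpServletResponse unused
     * @param room                room supplying {@code LEVEL}, {@code EXCLUDED-FIELDS} and {@code ErrorMessage}
     * @return {@code true} when no inspected value contains a blocklisted string
     */
    @Override // net.sf.deadbolt.handlers.DeadboltHandler
    public boolean authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Room room) {
        logger.debug("ENTERING: authenticate");
        // Per-request configuration lives in locals: if the handler instance is shared between
        // concurrent requests (as servlet components usually are), instance fields written here
        // could be overwritten mid-request by a request for a differently configured room.
        String[] badStrings = "WEAK".equals(room.getInitParam("LEVEL")) ? BAD_STRINGS_WEAK : BAD_STRINGS_STRONG;
        List<String> excludedFields = parseExcludedFields(room.getInitParam("EXCLUDED-FIELDS"));

        boolean accepted = true;
        Enumeration<?> parameterNames = httpServletRequest.getParameterNames();
        while (accepted && parameterNames.hasMoreElements()) {
            String name = (String) parameterNames.nextElement();
            if (excludedFields.contains(name)) {
                continue;
            }
            logger.debug("The following parameter is being tested: " + name);
            // All values of a repeated parameter are checked; getParameter() returns only the first,
            // so a second "name=..." pair would otherwise reach the application unchecked.
            String[] values = httpServletRequest.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (int i = 0; accepted && i < values.length; i++) {
                accepted = testValue(values[i], badStrings, httpServletRequest, room);
            }
        }
        logger.debug("EXITING: authenticate");
        return accepted;
    }

    /**
     * Splits the comma-separated {@code EXCLUDED-FIELDS} init-param into trimmed parameter names.
     *
     * @param initParam raw init-param value, may be {@code null}
     * @return the excluded parameter names; empty when the init-param is absent
     */
    private static List<String> parseExcludedFields(String initParam) {
        logger.debug("The following fields will be excluded from this handler: " + initParam);
        if (initParam == null) {
            return new ArrayList<String>(0);
        }
        String[] split = initParam.split(",");
        for (int i = 0; i < split.length; i++) {
            split[i] = split[i].trim();
        }
        return Arrays.asList(split);
    }

    /**
     * Checks one parameter value against the active blocklist.
     *
     * @param value              parameter value; {@code null} (no value) is accepted
     * @param badStrings         blocklist selected from the room's {@code LEVEL}
     * @param httpServletRequest request that receives the error message on rejection
     * @param room               room whose {@code ErrorMessage} init-param is reported
     * @return {@code true} when no blocklisted string occurs in {@code value}
     */
    private boolean testValue(String value, String[] badStrings, HttpServletRequest httpServletRequest, Room room) {
        logger.debug("ENTERING: testValue");
        boolean accepted = true;
        if (value != null) {
            // Case-insensitive substring search. String.matches() was used before; it treats the
            // entry as a regex anchored to the whole value, so only a value exactly equal to e.g.
            // "union" was rejected and anything longer passed.
            String folded = value.toLowerCase(Locale.ROOT);
            for (int i = 0; i < badStrings.length; i++) {
                if (folded.contains(badStrings[i])) {
                    // Only the matched entry is logged: parameter values may carry credentials or
                    // other sensitive data that does not belong in the log.
                    logger.debug("A forbidden string was found: " + badStrings[i]);
                    addErrorMessage(httpServletRequest, room.getInitParam("ErrorMessage"));
                    logger.debug("The value was rejected, returning false");
                    accepted = false;
                    break;
                }
            }
        }
        logger.debug("EXITING: testValue");
        return accepted;
    }

    /**
     * Loads a class by name, converting the checked exception into the error javac's old
     * class-literal stub threw (kept for binary compatibility).
     *
     * @param str fully qualified class name
     * @return the loaded class
     * @throws NoClassDefFoundError when the class cannot be found; carries the original cause
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            NoClassDefFoundError error = new NoClassDefFoundError(e.getMessage());
            error.initCause(e);
            throw error;
        }
    }

    static {
        // The class literal is available directly; the legacy cache field is still populated so
        // package-local readers see the same value as before.
        class$net$sf$deadbolt$handlers$SQLInjectionHandler = SQLInjectionHandler.class;
        logger = Logger.getLogger(SQLInjectionHandler.class.getName());
    }
}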
