package com.liferay.source.formatter.check;

import com.liferay.petra.string.StringBundler;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/* loaded from: input_file:com/liferay/source/formatter/check/JavaDeserializationSecurityCheck.class */
/**
 * Source-formatter check that reports direct use of {@code ObjectInputStream}
 * in Java sources, because native Java deserialization of untrusted data can
 * lead to remote code execution.
 *
 * <p>Review caveats, all visible in this class:</p>
 * <ul>
 *   <li>Detection is a purely textual match on the file content. Nothing is
 *       parsed, so occurrences inside comments or string literals also match,
 *       and deserialization that is not spelled as {@code new ...ObjectInputStream}
 *       or {@code extends ...ObjectInputStream} is not reported.</li>
 *   <li>The package prefix in the pattern accepts only lowercase letters, dots
 *       and whitespace, so {@code new ProtectedObjectInputStream} is not
 *       flagged.</li>
 *   <li>Each pattern is applied with {@code matches()} over the whole file, so
 *       at most one message per pattern is emitted per file. Because the leading
 *       {@code .*} is greedy, the reported text is the last occurrence.</li>
 *   <li>Files whose path contains {@code /test/} or {@code /testIntegration/}
 *       are skipped by substring match, so any code under such a directory is
 *       not scanned by this check.</li>
 * </ul>
 */
public class JavaDeserializationSecurityCheck extends BaseFileCheck {

    // DOTALL lets ".*" span line breaks so the pattern can match the whole file content.
    private static final Pattern[] _javaSerializationVulnerabilityPatterns = {
        Pattern.compile(".*(new [a-z\\.\\s]*ObjectInputStream).*", Pattern.DOTALL),
        Pattern.compile(".*(extends [a-z\\.\\s]*ObjectInputStream).*", Pattern.DOTALL)
    };

    /**
     * Runs the deserialization check on one file and returns its content unchanged.
     *
     * @param str  file identifier passed through to {@code addMessage}
     *             (presumably the file name; decompiled parameter name)
     * @param str2 path used for the test-directory exclusion and the
     *             {@code isExcludedPath} lookup (presumably the absolute path)
     * @param str3 file content that is scanned
     * @return {@code str3}, never modified by this check
     */
    @Override
    protected String doProcess(String str, String str2, String str3) {
        boolean testSource = str2.contains("/test/") || str2.contains("/testIntegration/");

        if (!testSource) {
            _checkDeserializationSecurity(str, str3, str2);
        }

        return str3;
    }

    /**
     * Reports one message for each pattern that matches the content.
     *
     * @param fileName     identifier the message is reported against
     * @param content      file content to scan
     * @param absolutePath path checked against the {@code run.outside.portal.excludes} exclusion
     */
    private void _checkDeserializationSecurity(String fileName, String content, String absolutePath) {
        for (Pattern vulnerabilityPattern : _javaSerializationVulnerabilityPatterns) {
            Matcher matcher = vulnerabilityPattern.matcher(content);

            if (!matcher.matches()) {
                continue;
            }

            StringBundler sb = new StringBundler(3);

            // NOTE(review): excluded paths presumably hold code that runs outside the
            // portal, where ProtectedObjectInputStream cannot be recommended, so only a
            // generic warning is given there. Confirm against the formatter configuration.
            if (!isExcludedPath("run.outside.portal.excludes", absolutePath)) {
                sb.append("Use ProtectedObjectInputStream instead of ");
            } else {
                sb.append("Possible Java Serialization Remote Code Execution ");
                sb.append("vulnerability using ");
            }

            // Group 1 is the matched "new ...ObjectInputStream" / "extends ...ObjectInputStream" text.
            sb.append(matcher.group(1));

            addMessage(fileName, sb.toString());
        }
    }
}
