package com.liferay.source.formatter.checks;

import com.liferay.portal.kernel.util.StringBundler;
import com.liferay.portal.kernel.util.Tuple;
import com.liferay.source.formatter.SourceFormatterMessage;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/* loaded from: input_file:com/liferay/source/formatter/checks/JavaXMLSecurityCheck.class */
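/**
 * Source-formatter check that reports direct use of XML parser factories and
 * constructors (DOM, SAX, dom4j and StAX entry points) in a file's content.
 *
 * <p>The messages it emits name the risk as "XXE or Quadratic Blowup" and, for
 * files not on the run-outside-portal exclude list, point the author at
 * {@code SecureXMLFactoryProviderUtil}.
 *
 * <p>Limits a reviewer should keep in mind:
 * <ul>
 * <li>Detection is a plain substring match on the file content, so a pattern
 * inside a comment or string literal is reported as well, and a parser obtained
 * through an alias, a fully qualified call or reflection is not.</li>
 * <li>Only the entry points listed in {@link #_XML_PARSER_FACTORY_PATTERNS} are
 * covered. Other XML-processing entry points (for example
 * {@code TransformerFactory}, {@code SchemaFactory} or
 * {@code XMLReaderFactory}) are not reported by this check.</li>
 * <li>Files whose name contains {@code /test/} or {@code /testIntegration/},
 * and paths on the secure-XML exclude list, are skipped entirely.</li>
 * </ul>
 */
public class JavaXMLSecurityCheck extends BaseFileCheck {
    /**
     * Literal text fragments searched for in the file content. Kept in the
     * original order because one message is added per matching fragment. The
     * lower-case variants presumably target calls made through a local variable
     * or field of that name; confirm against the formatter's conventions.
     */
    private static final String[] _XML_PARSER_FACTORY_PATTERNS = {
        "DocumentBuilderFactory.newInstance",
        "new javax.xml.parsers.SAXParser",
        "new org.apache.xerces.parsers.SAXParser",
        "new org.dom4j.io.SAXReader",
        "new SAXParser",
        "new SAXReader",
        "SAXParserFactory.newInstance",
        "saxParserFactory.newInstance",
        "SAXParserFactory.newSAXParser",
        "saxParserFactory.newSAXParser",
        "XMLInputFactory.newFactory",
        "xmlInputFactory.newFactory",
        "XMLInputFactory.newInstance",
        "xmlInputFactory.newInstance"
    };

    // Paths that get the generic "possible vulnerability" warning instead of
    // the SecureXMLFactoryProviderUtil recommendation.
    private final List<String> _runOutsidePortalExcludes;

    // Paths for which this check is skipped altogether.
    private final List<String> _secureXMLExcludes;

    /**
     * @param list  exclude list stored as the run-outside-portal excludes
     * @param list2 exclude list stored as the secure-XML excludes
     */
    public JavaXMLSecurityCheck(List<String> list, List<String> list2) {
        this._runOutsidePortalExcludes = list;
        this._secureXMLExcludes = list2;
    }

    /**
     * Runs the check on one file and returns the content unchanged together
     * with the set of messages raised.
     *
     * @param str  string tested for the test-directory markers and passed to
     *             {@code addMessage}; presumably the file name
     * @param str2 string matched against the exclude lists; presumably the
     *             absolute path
     * @param str3 file content that is searched and returned as-is
     * @return a {@code Tuple} of the content and the messages (an empty set
     *         when the file is excluded)
     */
    @Override
    public Tuple process(String str, String str2, String str3) throws Exception {
        // Excluded paths and test sources are never reported, so an unhardened
        // parser in test code goes unnoticed by this check.
        if (isExcludedPath(this._secureXMLExcludes, str2) || str.contains("/test/") || str.contains("/testIntegration/")) {
            return new Tuple(str3, Collections.emptySet());
        }
        Set<SourceFormatterMessage> messages = new HashSet<>();
        _checkXMLSecurity(messages, str, str2, str3);
        return new Tuple(str3, messages);
    }

    /**
     * Adds one message to {@code set} for every listed pattern that occurs in
     * the content.
     *
     * @param set  collector for the messages raised
     * @param str  forwarded to {@code addMessage}; presumably the file name
     * @param str2 string matched against the run-outside-portal excludes
     * @param str3 file content searched for the patterns
     */
    private void _checkXMLSecurity(Set<SourceFormatterMessage> set, String str, String str2, String str3) {
        boolean runsOutsidePortal = isExcludedPath(this._runOutsidePortalExcludes, str2);
        for (String pattern : _XML_PARSER_FACTORY_PATTERNS) {
            if (!str3.contains(pattern)) {
                continue;
            }
            StringBundler message = new StringBundler(3);
            if (runsOutsidePortal) {
                // No portal helper is recommended for these paths, so the
                // message only names the risk.
                message.append("Possible XXE or Quadratic Blowup security ");
                message.append("vulnerability using ");
            } else {
                // NOTE(review): the recommendation names
                // newDocumentBuilderFactory for every pattern, including the
                // SAX and StAX ones; confirm whether a per-API hint is wanted.
                message.append("Use SecureXMLFactoryProviderUtil.");
                message.append("newDocumentBuilderFactory instead of ");
            }
            message.append(pattern);
            addMessage(set, str, message.toString());
        }
    }
}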
