package com.seeyon.ctp.common.web.filter;

import com.seeyon.ctp.common.SystemEnvironment;
import com.seeyon.ctp.common.constants.Plugins;
import com.seeyon.ctp.util.FileUtil;
import com.seeyon.ctp.util.Strings;
import java.io.File;
import java.io.IOException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.io.FileUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.tools.ant.DirectoryScanner;

/* loaded from: input_file:com/seeyon/ctp/common/web/filter/JSPValve.class */
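/**
 * Allow-list gate for direct JSP requests.
 *
 * <p>At class-load time every file matching {@code jsp_whitelist_*} in the security
 * configuration directory is read. Each non-comment line is taken as a path relative to
 * the application folder and is stored together with the file's last-modified time.
 * {@link #doFilter} then rejects any request whose URI ends in {@code .jsp} unless the
 * path is on the list and its last-modified time still matches the recorded value.
 *
 * <p>The list is built once and never refreshed. The map is only written during static
 * initialisation and only read afterwards.
 *
 * <p>NOTE(review): the last-modified time is a weak integrity signal, because whoever can
 * rewrite a JSP can usually restore its timestamp as well. A content digest recorded at
 * load time would be a stronger check; treat the current one as tamper-evidence for
 * accidental or careless changes only.
 */
public class JSPValve {
    private static final Log LOG = LogFactory.getLog(JSPValve.class);

    /** Directory scanned for {@code jsp_whitelist_*} files. */
    private static final String SECURITY_CONF_DIR = SystemEnvironment.getApplicationFolder() + File.separator + "WEB-INF" + File.separator + "cfgHome" + File.separator + Plugins.SECURITY;

    /**
     * Number of leading characters of the request URI dropped before the allow-list lookup.
     * NOTE(review): presumably the length of the deployment context path plus the following
     * slash; it is hard-coded, so under a different context path the lookup key would be
     * wrong and every JSP would be rejected. Confirm against the deployment.
     */
    private static final int CONTEXT_PREFIX_LENGTH = 8;

    /** Allow-listed JSP path (relative to the application folder) to last-modified time at load. */
    private static final Map<String, Long> JSP_WHITELIST = new HashMap<String, Long>();

    // Must stay textually after the field initialisers above: init() uses all of them.
    static {
        init();
    }

    /**
     * Loads every {@code jsp_whitelist_*} file and records the listed JSPs that exist on disk.
     *
     * <p>Blank lines and lines starting with {@code #} are skipped. An unreadable list file is
     * logged and skipped, so its entries stay off the allow-list and are therefore rejected.
     */
    private static void init() {
        File confDir = new File(SECURITY_CONF_DIR);
        DirectoryScanner scanner = new DirectoryScanner();
        scanner.setBasedir(confDir);
        scanner.setIncludes(new String[]{"jsp_whitelist_*"});
        scanner.scan();
        for (String listName : scanner.getIncludedFiles()) {
            try {
                // Iterate as Object and cast so this compiles whether readLines is declared
                // to return a raw List or a List<String>.
                for (Object rawLine : FileUtils.readLines(new File(confDir, listName), "UTF-8")) {
                    String entry = ((String) rawLine).trim();
                    // A blank line would otherwise resolve to the application folder itself
                    // and put an empty key on the allow-list.
                    if (entry.isEmpty() || entry.startsWith("#")) {
                        continue;
                    }
                    File jsp = new File(SystemEnvironment.getApplicationFolder(), entry);
                    if (jsp.exists()) {
                        JSP_WHITELIST.put(entry, Long.valueOf(jsp.lastModified()));
                    }
                }
            } catch (IOException e) {
                LOG.error(e.getLocalizedMessage(), e);
            }
        }
    }

    /**
     * Rejects requests for JSPs that are not allow-listed or that changed since start-up.
     *
     * <p>Returns normally, without touching the response, for non-HTTP requests, for URIs
     * that do not end in {@code .jsp} (case-insensitive), and for allow-listed JSPs whose
     * last-modified time is unchanged.
     *
     * <p>NOTE(review): the suffix test and the lookup both use the raw request URI, which is
     * neither decoded nor normalised here. Whether the container can still dispatch a JSP for
     * a URI that does not literally end in {@code .jsp} (path parameters, encoded characters,
     * other JSP extensions) is not visible from this class. Confirm that canonicalisation
     * happens before this check, or match on the container-resolved servlet path instead.
     *
     * @param servletRequest  incoming request
     * @param servletResponse response used to send the 404 or 401 error
     * @throws IOException      if sending the error response fails
     * @throws ServletException after a 404 (not on the allow-list) or a 401 (modified since
     *                          load) has been sent; the message is also logged at error level
     */
    public static void doFilter(ServletRequest servletRequest, ServletResponse servletResponse) throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse)) {
            return;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        String requestURI = httpRequest.getRequestURI();
        if (!requestURI.toLowerCase().endsWith(".jsp")) {
            return;
        }

        // A URI shorter than the prefix cannot name an allow-listed JSP. Reject it like any
        // other unknown path instead of letting substring() throw.
        String relativePath = requestURI.length() >= CONTEXT_PREFIX_LENGTH
                ? requestURI.substring(CONTEXT_PREFIX_LENGTH)
                : null;
        Long recordedMtime = relativePath == null ? null : JSP_WHITELIST.get(relativePath);
        if (recordedMtime == null) {
            httpResponse.sendError(404);
            onError("拦截到可疑的jsp访问：" + (relativePath == null ? requestURI : relativePath) + " 来自 " + Strings.getRemoteAddr(httpRequest));
            return;
        }

        File jsp = new File(SystemEnvironment.getApplicationFolder(), relativePath);
        // NOTE(review): when the file no longer exists or resolves outside the application
        // folder, this check is skipped and the request is allowed through. Confirm that
        // falling through is intended for those two cases.
        if (jsp.exists() && FileUtil.inDirectory(jsp, new File(SystemEnvironment.getApplicationFolder())) && jsp.lastModified() != recordedMtime.longValue()) {
            // 401 is kept for compatibility with existing clients and monitoring; the
            // condition is an integrity failure rather than missing credentials.
            httpResponse.sendError(401);
            onError("jsp在运行期被篡改：" + relativePath + " 拒绝访问。 ");
        }
    }

    /**
     * Logs {@code str} at error level and aborts request processing.
     *
     * @param str message to log and to carry in the exception
     * @throws ServletException always
     */
    private static void onError(String str) throws ServletException {
        LOG.error(str);
        throw new ServletException(str);
    }
}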
