package biz.papercut.pcng.util.io;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;
import java.util.stream.Collectors;
import org.apache.commons.lang.StringUtils;
import org.jetbrains.annotations.NotNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:biz/papercut/pcng/util/io/SecureSerializationFilter.class */
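/**
 * Installs a process-wide Java deserialization filter ({@link ObjectInputFilter}) built
 * from a properties file, falling back to a built-in deny-list when the file cannot be read.
 *
 * <p>The properties file may define two comma-separated keys, {@code blacklist} and
 * {@code whitelist}. Deny entries are emitted first, each prefixed with {@code !}, followed
 * by the allow entries, all joined with {@code ;}. The JDK evaluates the pattern left to
 * right and the first match decides, so a deny entry wins over a later allow entry.
 *
 * <p>NOTE(review): the generated pattern never ends in {@code !*}. A class matching no entry
 * is therefore left undecided by the filter rather than rejected, so the {@code whitelist}
 * key does not by itself restrict deserialization to the listed classes. Confirm whether
 * that is intended before relying on it as an allow-list.
 */
public final class SecureSerializationFilter {
    private static final Logger logger = LoggerFactory.getLogger(SecureSerializationFilter.class);

    private static final String DENY_KEY = "blacklist";
    private static final String ALLOW_KEY = "whitelist";
    private static final String PATTERN_SEPARATOR = ";";

    private SecureSerializationFilter() {
    }

    /**
     * Builds the filter pattern from {@code str} (path to the properties file) and installs
     * it as the JVM-wide serial filter.
     *
     * <p>If the file is readable but yields neither deny nor allow entries, no filter is
     * installed at all; this is logged at WARN level so the fail-open state is visible.
     *
     * @param str path of the properties file holding the filter patterns
     * @throws IllegalStateException if a process-wide filter has already been set (the JDK
     *         allows it to be set only once, for example via {@code -Djdk.serialFilter})
     * @throws IllegalArgumentException if the assembled pattern is rejected by the JDK
     * @throws RuntimeException if reading the file fails for a reason other than I/O
     */
    public static void installGlobalFilter(@NotNull String str) {
        String pattern = filterPattern(str);
        if (pattern == null) {
            // Fail-open path: the configuration was read but contained no usable entries.
            logger.warn("No de-serialization filter patterns found in {}; global filter NOT installed", str);
            return;
        }
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter(pattern));
    }

    /**
     * Assembles the {@code ;}-separated filter pattern, deny entries first.
     *
     * @return the pattern, or {@code null} when there are no deny and no allow entries
     */
    private static String filterPattern(String str) {
        Properties config = getFilterProperties(str);
        String denyPattern = getMultiValueProperty(config, DENY_KEY).stream()
                .filter(StringUtils::isNotBlank)
                .map(entry -> "!" + entry)
                .collect(Collectors.joining(PATTERN_SEPARATOR));
        String allowPattern = getMultiValueProperty(config, ALLOW_KEY).stream()
                .filter(StringUtils::isNotBlank)
                .collect(Collectors.joining(PATTERN_SEPARATOR));

        boolean hasDeny = StringUtils.isNotBlank(denyPattern);
        boolean hasAllow = StringUtils.isNotBlank(allowPattern);
        if (hasDeny) {
            logger.debug("Configure global de-serialization with black-list pattern: {}", denyPattern);
        }
        if (hasAllow) {
            logger.debug("Configure global de-serialization with white-list pattern: {}", allowPattern);
        }

        if (hasDeny && hasAllow) {
            // Order matters: the first matching entry decides, so rejections must come first.
            return denyPattern + PATTERN_SEPARATOR + allowPattern;
        }
        if (hasDeny) {
            return denyPattern;
        }
        return hasAllow ? allowPattern : null;
    }

    /**
     * Loads the properties file, or returns the built-in deny-list if it cannot be read.
     *
     * <p>Any {@link IOException} triggers the fallback, so a missing file and a present but
     * unreadable file are treated alike. The exception is attached to the debug log entry so
     * the two cases can be told apart when diagnosing which filter is active.
     */
    private static Properties getFilterProperties(String str) {
        try {
            return loadProperties(str);
        } catch (IOException e) {
            logger.debug("Running with pre-set global de-serialization filter", e);
            return defaultPatterns();
        }
    }

    /**
     * Returns the built-in deny-list used when no configuration file is available.
     *
     * <p>NOTE(review): JDK filter patterns match on the class name being deserialized, not
     * on its type hierarchy, and {@code pkg.*} covers a single package while {@code pkg.**}
     * also covers sub-packages. Entries that name an interface or base type reject only that
     * exact name. Treat this list as best-effort and review it against the libraries that
     * are actually on the classpath.
     */
    private static Properties defaultPatterns() {
        Properties defaults = new Properties();
        defaults.setProperty(DENY_KEY, "bsh.XThis, bsh.Interpreter,com.mchange.v2.c3p0.impl.*,org.apache.commons.beanutils.BeanComparator,org.apache.commons.collections.Transformer,org.apache.commons.collections.functors.*,org.apache.commons.collections4.functors.*,org.apache.commons.fileupload.disk.DiskFileItem,org.codehaus.groovy.runtime.*,org.apache.groovy.runtime.*,java.rmi.server.*,javax.xml.transform.Templates,org.hibernate.tuple.**,org.hibernate.type.*,org.hibernate.engine.**,com.sun.org.apache.xalan.internal.xsltc.*,org.mozilla.javascript.*,java.lang.reflect.Proxy,javax.management.**,org.springframework.aop.framework.JdkDynamicAopProxy,org.jboss.weld.interceptor.**,java.beans.EventHandler,java.util.Comparator,net.sf.json.JSONObject,org.python.core.*,org.reflections.Reflections");
        return defaults;
    }

    /**
     * Splits a comma-separated property into trimmed entries.
     *
     * @return the entries in file order; a missing key yields a single empty string, which
     *         the caller filters out
     */
    private static List<String> getMultiValueProperty(Properties properties, String str) {
        return Arrays.stream(properties.getProperty(str, "").split(","))
                .map(StringUtils::trim)
                .collect(Collectors.toList());
    }

    /**
     * Reads the properties file at {@code str}.
     *
     * @throws IOException if the file cannot be opened, read or closed
     * @throws RuntimeException wrapping any other failure raised while loading
     */
    private static Properties loadProperties(String str) throws IOException {
        Properties loaded = new Properties();
        // try-with-resources closes the stream on every path, including a failed load.
        try (FileInputStream in = new FileInputStream(str)) {
            logger.debug("Loading serialization pattern configuration from {}", str);
            loaded.load(in);
            return loaded;
        } catch (IOException e) {
            throw e;
        } catch (Throwable t) {
            // Kept from the original: non-I/O failures surface as RuntimeException.
            throw new RuntimeException(t);
        }
    }
}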
