package com.eviware.soapui.security.assertion;

import com.eviware.soapui.SoapUI;
import com.eviware.soapui.config.CrossSiteScriptingScanConfig;
import com.eviware.soapui.config.HttpRequestConfig;
import com.eviware.soapui.config.TestAssertionConfig;
import com.eviware.soapui.config.TestStepConfig;
import com.eviware.soapui.impl.support.HttpUtils;
import com.eviware.soapui.impl.wsdl.panels.teststeps.support.AbstractGroovyEditorModel;
import com.eviware.soapui.impl.wsdl.support.HelpUrls;
import com.eviware.soapui.impl.wsdl.support.MessageExchangeModelItem;
import com.eviware.soapui.impl.wsdl.teststeps.HttpTestRequestStep;
import com.eviware.soapui.impl.wsdl.teststeps.WsdlMessageAssertion;
import com.eviware.soapui.impl.wsdl.teststeps.WsdlTestStep;
import com.eviware.soapui.impl.wsdl.teststeps.assertions.AbstractTestAssertionFactory;
import com.eviware.soapui.impl.wsdl.teststeps.registry.HttpRequestStepFactory;
import com.eviware.soapui.impl.wsdl.teststeps.registry.WsdlTestStepRegistry;
import com.eviware.soapui.model.ModelItem;
import com.eviware.soapui.model.iface.MessageExchange;
import com.eviware.soapui.model.iface.SubmitContext;
import com.eviware.soapui.model.testsuite.Assertable;
import com.eviware.soapui.model.testsuite.AssertionError;
import com.eviware.soapui.model.testsuite.AssertionException;
import com.eviware.soapui.model.testsuite.ResponseAssertion;
import com.eviware.soapui.model.testsuite.TestAssertion;
import com.eviware.soapui.model.testsuite.TestCaseRunner;
import com.eviware.soapui.model.testsuite.TestStep;
import com.eviware.soapui.security.SecurityTestRunContext;
import com.eviware.soapui.security.SecurityTestRunner;
import com.eviware.soapui.security.SecurityTestRunnerImpl;
import com.eviware.soapui.security.scan.CrossSiteScriptingScan;
import com.eviware.soapui.support.SecurityScanUtil;
import com.eviware.soapui.support.UISupport;
import com.eviware.soapui.support.components.GroovyEditorComponent;
import com.eviware.soapui.support.scripting.SoapUIScriptEngine;
import com.eviware.soapui.support.scripting.SoapUIScriptEngineRegistry;
import com.eviware.soapui.support.xml.XmlObjectConfigurationBuilder;
import com.eviware.soapui.support.xml.XmlObjectConfigurationReader;
import com.eviware.x.form.XFormDialog;
import com.eviware.x.form.XFormField;
import com.eviware.x.form.XFormFieldListener;
import com.eviware.x.form.support.ADialogBuilder;
import com.eviware.x.form.support.AField;
import com.eviware.x.form.support.AForm;
import java.awt.Dimension;
import java.awt.event.ActionEvent;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.swing.AbstractAction;
import javax.swing.Action;
import javax.swing.JScrollPane;
import org.apache.xalan.templates.Constants;
import org.apache.xmlbeans.XmlObject;
import org.codehaus.groovy.syntax.Types;
import org.mortbay.jetty.HttpMethods;

/* loaded from: input_file:soapui-4.0.0.jar:com/eviware/soapui/security/assertion/CrossSiteScriptAssertion.class */
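/**
 * Response assertion used by the Cross Site Scripting security scan.
 *
 * <p>It reports an error when one of the scan's injected parameter strings (the XSS
 * payloads, expanded against the current context) is reflected verbatim in a response.
 * Two places are inspected, each switchable in the configuration dialog:
 * <ul>
 *   <li>the immediate response of the scanned test step ({@code checkResponse});</li>
 *   <li>the responses of additional URLs produced by a user-supplied Groovy script
 *       ({@code checkSeparateHTML}) — each URL is fetched with a plain GET built on a
 *       clone of the scanned step.</li>
 * </ul>
 * The Groovy script is part of the test configuration and runs with the test author's
 * privileges; the assertion only looks for payload reflection, it does not try to
 * determine whether reflected content would actually execute in a browser.
 *
 * <p>Instances hold a single {@link SoapUIScriptEngine} that is shared between the
 * assertion run and the dialog's "run script" action; it is not synchronised, so the
 * assertion is not safe for concurrent use from several threads.
 */
public class CrossSiteScriptAssertion extends WsdlMessageAssertion implements ResponseAssertion {
    public static final String ID = "CrosSiteScript";
    public static final String LABEL = "Cross Site Scripting Detection";
    /** Configuration key: the Groovy script returning the list of URLs to check. */
    public static final String GROOVY_SCRIPT = "groovyScript";
    /** Configuration key: whether the immediate response is inspected. */
    public static final String CHECK_RESPONSE = "checkResponse";
    /** Configuration key: whether the script-provided URLs are fetched and inspected. */
    public static final String CHECK_SEPARATE_HTML = "checkSeparateHTML";

    /** Longest parameter string quoted verbatim in an error message; longer ones are abbreviated. */
    private static final int MAX_QUOTED_PARAMETER_LENGTH = 25;
    /** Number of leading characters kept when a parameter string is abbreviated. */
    private static final int ABBREVIATED_PARAMETER_LENGTH = 22;

    private XFormDialog dialog;
    private String script;
    private GroovyEditorModel groovyEditorModel;
    private SoapUIScriptEngine scriptEngine;
    // Last exchange/context seen by the assertion; replayed by the dialog's "run script" action.
    MessageExchange messageExchange;
    SubmitContext context;
    private boolean checkResponse;
    private boolean checkSeparateHTML;

    /** Form definition for the configuration dialog (fields are bound by name via {@link ADialogBuilder}). */
    @AForm(description = "", name = "Cross Site Scripting on Separate HTML", helpUrl = HelpUrls.SECURITY_XSS_ASSERTION_HELP)
    protected interface CrossSiteScripSeparateHTMLConfigDialog {

        @AField(description = "Check Imediate Response", name = CHECK_RESPONSE, type = AField.AFieldType.BOOLEAN)
        public static final String CHECK_RESPONSE = "###Check Response";

        @AField(description = "Check Response from URLs specified in Custom Script", name = CHECK_SEPARATE_HTML, type = AField.AFieldType.BOOLEAN)
        public static final String CHECK_SEPARATE_HTML = "###Check Separate HTML";

        @AField(description = "", name = LABEL, type = AField.AFieldType.LABEL)
        public static final String LABEL = "Enter Custom Script that returns a list of URLs to check for Cross Site Scripts ";

        @AField(description = "Groovy script", name = GROOVY, type = AField.AFieldType.COMPONENT)
        public static final String GROOVY = "###Groovy url list";
    }

    /** Registers this assertion for the {@link CrossSiteScriptingScan} target type. */
    public static class Factory extends AbstractTestAssertionFactory {
        public Factory() {
            super(CrossSiteScriptAssertion.ID, CrossSiteScriptAssertion.LABEL, (Class<? extends TestAssertion>) CrossSiteScriptAssertion.class, (Class<? extends ModelItem>) CrossSiteScriptingScan.class);
        }

        @Override // com.eviware.soapui.impl.wsdl.teststeps.assertions.TestAssertionFactory
        public Class<? extends WsdlMessageAssertion> getAssertionClassType() {
            return CrossSiteScriptAssertion.class;
        }
    }

    /**
     * Editor model backing the Groovy panel of the configuration dialog.
     *
     * <p>The script text lives in the enclosing assertion ({@link #getScript()} /
     * {@link #setScript(String)} write through to it), and the editor's run action
     * replays the script against the exchange/context captured by the last assertion run.
     */
    public class GroovyEditorModel extends AbstractGroovyEditorModel {
        @Override // com.eviware.soapui.impl.wsdl.panels.teststeps.support.AbstractGroovyEditorModel
        public Action createRunAction() {
            return new AbstractAction() {
                /**
                 * Runs the script once and shows the generated URLs and the raw script
                 * result in an info dialog. Failures are logged, not shown.
                 */
                public void actionPerformed(ActionEvent actionEvent) {
                    List<String> urlsBinding = new ArrayList<String>();
                    try {
                        Object result = CrossSiteScriptAssertion.this.evaluateUrlScript(urlsBinding,
                                CrossSiteScriptAssertion.this.messageExchange, CrossSiteScriptAssertion.this.context);
                        StringBuilder generated = new StringBuilder();
                        for (String url : toUrlList(result, urlsBinding)) {
                            generated.append('\n').append(url);
                        }
                        UISupport.showInfoMessage("Generated urls :" + generated + " \n\nScript result"
                                + (result == null ? "" : ": " + result));
                    } catch (Exception e) {
                        SoapUI.logError(e);
                    }
                }
            };
        }

        public GroovyEditorModel(ModelItem modelItem) {
            // Names offered to the editor as known script bindings; must match evaluateUrlScript().
            super(new String[]{"urls", "log", "context", MessageExchangeModelItem.MESSAGE_EXCHANGE}, modelItem, "");
        }

        @Override // com.eviware.soapui.impl.wsdl.panels.teststeps.support.AbstractGroovyEditorModel, com.eviware.soapui.impl.wsdl.panels.teststeps.support.GroovyEditorModel
        public String getScript() {
            return CrossSiteScriptAssertion.this.script;
        }

        @Override // com.eviware.soapui.impl.wsdl.panels.teststeps.support.AbstractGroovyEditorModel, com.eviware.soapui.impl.wsdl.panels.teststeps.support.GroovyEditorModel
        public void setScript(String str) {
            CrossSiteScriptAssertion.this.script = str;
        }
    }

    /**
     * Creates the assertion from its persisted configuration.
     *
     * @param testAssertionConfig persisted assertion configuration
     * @param assertable          the item the assertion is attached to
     */
    public CrossSiteScriptAssertion(TestAssertionConfig testAssertionConfig, Assertable assertable) {
        super(testAssertionConfig, assertable, false, true, false, true);
        // The editor model must exist before init() pushes the loaded script into it.
        this.groovyEditorModel = new GroovyEditorModel(this);
        init();
        this.scriptEngine = SoapUIScriptEngineRegistry.create(this);
    }

    /** Loads script and flags from the configuration; the immediate-response check defaults to on. */
    private void init() {
        XmlObjectConfigurationReader reader = new XmlObjectConfigurationReader(getConfiguration());
        this.script = reader.readString(GROOVY_SCRIPT, "");
        this.checkResponse = reader.readBoolean(CHECK_RESPONSE, true);
        this.checkSeparateHTML = reader.readBoolean(CHECK_SEPARATE_HTML, false);
        this.groovyEditorModel.setScript(this.script);
    }

    /**
     * Checks the response(s) for reflected scan payloads.
     *
     * <p>The Groovy script and the test-step clone are only needed for the separate-HTML
     * check, so they are skipped entirely when that check is disabled.
     *
     * @return {@code "OK"} when nothing is reflected
     * @throws AssertionException carrying one {@link AssertionError} per reflected payload
     */
    @Override // com.eviware.soapui.impl.wsdl.teststeps.WsdlMessageAssertion
    protected String internalAssertResponse(MessageExchange messageExchange, SubmitContext submitContext) throws AssertionException {
        CrossSiteScriptingScanConfig scanConfig =
                (CrossSiteScriptingScanConfig) submitContext.getProperty(CrossSiteScriptingScan.PARAMETER_EXPOSURE_SCAN_CONFIG);
        List<AssertionError> errors = new ArrayList<AssertionError>();

        // Captured regardless of the flags so the dialog's "run script" action has something to replay.
        this.messageExchange = messageExchange;
        this.context = submitContext;

        boolean exposedInResponse = this.checkResponse
                && checkResponse(messageExchange, submitContext, scanConfig, errors);

        boolean exposedOnLinks = false;
        if (this.checkSeparateHTML) {
            TestStep clonedStep = SecurityTestRunnerImpl.cloneTestStepForSecurityScan(
                    (WsdlTestStep) submitContext.getProperty(CrossSiteScriptingScan.TEST_STEP));
            SecurityTestRunner runner = (SecurityTestRunner) submitContext.getProperty(CrossSiteScriptingScan.TEST_CASE_RUNNER);
            List<String> urls = submitScript(messageExchange, submitContext);
            exposedOnLinks = checkSeparateHTML(messageExchange, submitContext, clonedStep, runner, urls, scanConfig, errors);
        }

        if (exposedInResponse || exposedOnLinks) {
            throw new AssertionException(errors.toArray(new AssertionError[errors.size()]));
        }
        return "OK";
    }

    /**
     * Fetches every script-provided URL with a GET request and inspects each response.
     *
     * @param urls   URLs returned by the Groovy script
     * @param errors receives one error per reflected payload per URL
     * @return {@code true} when at least one payload was reflected on some link
     */
    private boolean checkSeparateHTML(MessageExchange messageExchange, SubmitContext submitContext, TestStep testStep,
            SecurityTestRunner securityTestRunner, List<String> urls, CrossSiteScriptingScanConfig scanConfig,
            List<AssertionError> errors) {
        boolean exposed = false;
        for (String url : urls) {
            HttpTestRequestStep request = createHttpRequest((WsdlTestStep) testStep, url);
            MessageExchange linkExchange =
                    (MessageExchange) request.run((TestCaseRunner) securityTestRunner, (SecurityTestRunContext) submitContext);
            if (collectExposures(submitContext, scanConfig, responseText(linkExchange), url, messageExchange, errors)) {
                exposed = true;
            }
        }
        return exposed;
    }

    /**
     * Inspects the immediate response of the scanned step.
     *
     * @param errors receives one error per reflected payload
     * @return {@code true} when at least one payload was reflected
     */
    private boolean checkResponse(MessageExchange messageExchange, SubmitContext submitContext,
            CrossSiteScriptingScanConfig scanConfig, List<AssertionError> errors) {
        return collectExposures(submitContext, scanConfig, responseText(messageExchange), null, messageExchange, errors);
    }

    /**
     * Looks for each expanded parameter-exposure string in {@code responseText}.
     *
     * @param link the separate URL the response came from, or {@code null} for the immediate response
     *             (selects the wording of the error message)
     * @return {@code true} when at least one string was found
     */
    private static boolean collectExposures(SubmitContext submitContext, CrossSiteScriptingScanConfig scanConfig,
            String responseText, String link, MessageExchange messageExchange, List<AssertionError> errors) {
        if (responseText.isEmpty()) {
            return false; // nothing can be reflected in a missing/empty body
        }
        boolean exposed = false;
        for (String parameterString : scanConfig.getParameterExposureStringsList()) {
            String expanded = submitContext.expand(parameterString);
            // NOTE(review): the trailing false presumably disables regex matching in contains() — confirm.
            if (SecurityScanUtil.contains(submitContext, responseText, expanded, false) != null) {
                errors.add(new AssertionError(exposureMessage(expanded, link, messageExchange)));
                exposed = true;
            }
        }
        return exposed;
    }

    /** Builds the error text; long payloads are abbreviated so the message stays readable. */
    private static String exposureMessage(String expanded, String link, MessageExchange messageExchange) {
        String shown = expanded.length() > MAX_QUOTED_PARAMETER_LENGTH
                ? expanded.substring(0, ABBREVIATED_PARAMETER_LENGTH) + "... "
                : expanded;
        String target = messageExchange.getModelItem().getName();
        if (link == null) {
            return "Content that is sent in request '" + shown + "' is exposed in response. Possibility for XSS script attack in: " + target;
        }
        return "XSS content sent in request '" + shown + "' is exposed in response on link " + link + " . Possibility for XSS script attack in: " + target;
    }

    /**
     * Raw response bytes as text; an absent exchange or body yields {@code ""} instead of a
     * NullPointerException.
     */
    private static String responseText(MessageExchange exchange) {
        byte[] raw = exchange == null ? null : exchange.getRawResponseData();
        // NOTE(review): decodes with the platform default charset, as the original did; the
        // response's declared charset is not consulted — confirm this is acceptable for non-ASCII bodies.
        return raw == null ? "" : new String(raw);
    }

    /**
     * Runs the URL script for an assertion run.
     *
     * @return the URLs to check; on failure the error is logged and whatever the script added
     *         to the {@code urls} binding before failing is returned
     */
    private List<String> submitScript(MessageExchange messageExchange, SubmitContext submitContext) {
        List<String> urlsBinding = new ArrayList<String>();
        this.messageExchange = messageExchange;
        this.context = submitContext;
        try {
            Object result = evaluateUrlScript(urlsBinding, messageExchange, submitContext);
            return toUrlList(result, urlsBinding);
        } catch (Exception e) {
            SoapUI.logError(e);
            return urlsBinding;
        }
    }

    /**
     * Binds {@code urls}, {@code messageExchange}, {@code context} and {@code log}, runs the
     * configured script and returns its return value (may be {@code null}). Bindings are
     * always cleared afterwards.
     *
     * @throws Exception whatever the script engine propagates
     */
    private Object evaluateUrlScript(List<String> urlsBinding, MessageExchange exchange, SubmitContext submitContext) throws Exception {
        this.scriptEngine.setScript(this.script);
        this.scriptEngine.setVariable("urls", urlsBinding);
        this.scriptEngine.setVariable(MessageExchangeModelItem.MESSAGE_EXCHANGE, exchange);
        this.scriptEngine.setVariable("context", submitContext);
        this.scriptEngine.setVariable("log", SoapUI.ensureGroovyLog());
        try {
            return this.scriptEngine.run();
        } finally {
            this.scriptEngine.clearVariables();
        }
    }

    /**
     * Turns the script's return value into the URL list.
     *
     * <p>A returned {@link List} replaces the {@code urls} binding; its elements are converted
     * with {@code toString()} so Groovy GStrings (and other non-String values) do not cause a
     * ClassCastException later, and {@code null} entries are dropped. Any other return value
     * leaves the binding list in charge.
     */
    private static List<String> toUrlList(Object scriptResult, List<String> urlsBinding) {
        if (!(scriptResult instanceof List)) {
            return urlsBinding;
        }
        List<String> urls = new ArrayList<String>();
        for (Object entry : (List<?>) scriptResult) {
            if (entry != null) {
                urls.add(entry.toString());
            }
        }
        return urls;
    }

    /**
     * Builds a throw-away HTTP GET test step for {@code url} in the test case of {@code wsdlTestStep}.
     * The URL comes straight from the user's script; only a missing protocol prefix is added.
     */
    private HttpTestRequestStep createHttpRequest(WsdlTestStep wsdlTestStep, String url) {
        HttpRequestConfig requestConfig = HttpRequestConfig.Factory.newInstance();
        requestConfig.setEndpoint(HttpUtils.ensureEndpointStartsWithProtocol(url));
        requestConfig.setMethod(HttpMethods.GET);

        TestStepConfig stepConfig = TestStepConfig.Factory.newInstance();
        stepConfig.setType(HttpRequestStepFactory.HTTPREQUEST_TYPE);
        stepConfig.setConfig(requestConfig);
        stepConfig.setName("Separate Request");

        return (HttpTestRequestStep) WsdlTestStepRegistry.getInstance()
                .getFactory(HttpRequestStepFactory.HTTPREQUEST_TYPE)
                .buildTestStep(wsdlTestStep.getTestCase(), stepConfig, false);
    }

    /** Requests are never asserted by this assertion. */
    @Override // com.eviware.soapui.impl.wsdl.teststeps.WsdlMessageAssertion
    protected String internalAssertRequest(MessageExchange messageExchange, SubmitContext submitContext) throws AssertionException {
        return null;
    }

    /** Serialises script and flags under the {@code GROOVY_SCRIPT} / {@code CHECK_*} keys read by {@link #init()}. */
    protected XmlObject createConfiguration() {
        XmlObjectConfigurationBuilder builder = new XmlObjectConfigurationBuilder();
        builder.add(GROOVY_SCRIPT, this.script);
        builder.add(CHECK_RESPONSE, this.checkResponse);
        builder.add(CHECK_SEPARATE_HTML, this.checkSeparateHTML);
        return builder.finish();
    }

    /**
     * Shows the configuration dialog and persists the flags when it is confirmed.
     *
     * <p>Note that the script text is written through to {@link #script} by the editor as the
     * user types, so cancelling the dialog leaves the in-memory script changed while the
     * persisted configuration is not updated.
     *
     * @return always {@code true}
     */
    @Override // com.eviware.soapui.impl.wsdl.teststeps.WsdlMessageAssertion, com.eviware.soapui.model.testsuite.TestAssertion
    public boolean configure() {
        if (this.dialog == null) {
            buildDialog();
        }
        this.dialog.show();
        if (this.dialog.getReturnValue() == XFormDialog.OK_OPTION) {
            this.checkResponse = Boolean.parseBoolean(
                    this.dialog.getFormField(CrossSiteScripSeparateHTMLConfigDialog.CHECK_RESPONSE).getValue());
            this.checkSeparateHTML = Boolean.parseBoolean(
                    this.dialog.getFormField(CrossSiteScripSeparateHTMLConfigDialog.CHECK_SEPARATE_HTML).getValue());
            setConfiguration(createConfiguration());
        }
        return true;
    }

    /** Creates the Groovy editor bound to this assertion's script. */
    protected GroovyEditorComponent buildGroovyPanel() {
        return new GroovyEditorComponent(this.groovyEditorModel, null);
    }

    /**
     * Builds the configuration dialog from {@link CrossSiteScripSeparateHTMLConfigDialog} and
     * wires the Groovy panel so it is only enabled while the separate-HTML check is on.
     */
    protected void buildDialog() {
        this.dialog = ADialogBuilder.buildDialog(CrossSiteScripSeparateHTMLConfigDialog.class);
        this.dialog.setSize(600, 600);
        this.dialog.setBooleanValue(CrossSiteScripSeparateHTMLConfigDialog.CHECK_RESPONSE, this.checkResponse);
        this.dialog.setBooleanValue(CrossSiteScripSeparateHTMLConfigDialog.CHECK_SEPARATE_HTML, this.checkSeparateHTML);

        final GroovyEditorComponent groovyPanel = buildGroovyPanel();
        XFormField groovyField = this.dialog.getFormField(CrossSiteScripSeparateHTMLConfigDialog.GROOVY);
        // NOTE(review): the xalan/groovy constants below look like decompiler substitutions for
        // plain literals (the property name and the panel width); they should not be read as a
        // real dependency on those libraries.
        groovyField.setProperty(Constants.ELEMNAME_COMPONENT_STRING, new JScrollPane(groovyPanel));
        groovyField.setProperty("dimension", new Dimension(Types.INTEGER_NUMBER, 400));

        this.dialog.getFormField(CrossSiteScripSeparateHTMLConfigDialog.CHECK_SEPARATE_HTML).addFormFieldListener(new XFormFieldListener() {
            @Override // com.eviware.x.form.XFormFieldListener
            public void valueChanged(XFormField xFormField, String newValue, String oldValue) {
                groovyPanel.setEnabled(Boolean.parseBoolean(newValue));
            }
        });
        groovyPanel.setEnabled(this.checkSeparateHTML);
    }

    /** Releases the dialog (if it was ever built) before the base class cleans up. */
    @Override // com.eviware.soapui.impl.wsdl.teststeps.WsdlMessageAssertion
    public void release() {
        if (this.dialog != null) {
            this.dialog.release();
        }
        super.release();
    }
}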
