package com.alipay.security.open.redirect;

import com.alipay.security.open.common.log.LoggerUtil;
import com.alipay.security.open.common.log.SecurityLoggerFactory;
import com.alipay.security.open.common.string.StringUtil;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import org.slf4j.Logger;

/* loaded from: input_file:com/alipay/security/open/redirect/RedirectLocationCheckUtil.class */
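/**
 * Open-redirect guard: decides whether a redirect target ("Location" value) may be
 * handed back to the client.
 *
 * <p>Decision order in {@link #doCheck(String)}:
 * <ol>
 *   <li>blank input is rejected ({@code EmptyRedirectLocation});</li>
 *   <li>input flagged by {@code EofCrlfChecker.hasCrlfError} is rejected ({@code CRLFERROR});</li>
 *   <li>everything from the first {@code ?} on is dropped and the remainder is parsed with
 *       {@link URI}; a parse failure is rejected ({@code NotValidURI});</li>
 *   <li>no scheme: treated as a same-site relative location and accepted unless it starts
 *       with {@code //}, which browsers read as protocol-relative ({@code InnerRedirectBypass});</li>
 *   <li>a scheme other than {@code http}/{@code https}: accepted only if it is in the configured
 *       scheme list ({@code AllowedSchemeRedirectLocation}), no host check is done in that case;</li>
 *   <li>{@code http}/{@code https}: the host (with explicit port) must be present, must agree with
 *       the authority, and {@code scheme://host[:port]path} must match one of the allow-list
 *       patterns ({@code ValidRedirectLocation}), otherwise {@code NotValidRedirectLocation}.</li>
 * </ol>
 *
 * <p>Scheme and host comparisons are case-sensitive and the default patterns only contain
 * lower-case letters, so an upper-case scheme or host is rejected rather than accepted.
 *
 * <p>Thread-safety: the two allow-lists are replaced wholesale by the setters and read without
 * locking; the fields are {@code volatile} so a replacement becomes visible to request threads,
 * and every check reads the reference once. Lists passed to the setters are copied.
 */
public class RedirectLocationCheckUtil {
    private static final Logger logger = SecurityLoggerFactory.getLogger((Class<?>) RedirectLocationCheckUtil.class);

    // Patterns applied with Matcher.find() to "scheme://host[:port]path". The defaults below are
    // anchored with ^...$; configured patterns must be anchored too (see setWhiteHostList).
    private static volatile List<Pattern> allowHostUrl = new ArrayList<Pattern>();

    // Non-http(s) schemes accepted without any host check. Never null after setSchemeList.
    private static volatile List<String> schemeList = new ArrayList<String>();

    /**
     * Checks whether {@code str} is an acceptable redirect target.
     *
     * @param str the raw redirect location; may be null or blank
     * @return the verdict; the accepting values are {@code ValidRedirectLocation} and
     *         {@code AllowedSchemeRedirectLocation}
     */
    public static RedirectCheckResultEnum doCheck(String str) {
        try {
            if (StringUtil.isBlank(str)) {
                LoggerUtil.formatError(logger, "RedirectLocationCheckUtil", "doCheck", "EmptyRedirectLocation", "pass=false", "重定向目标地址为空");
                return RedirectCheckResultEnum.EmptyRedirectLocation;
            }
            if (EofCrlfChecker.hasCrlfError(str)) {
                LoggerUtil.formatError(logger, "RedirectLocationCheckUtil", "doCheck", "CRLFERROR", "pass=false##location=" + str, "存在CRLF注入问题");
                return RedirectCheckResultEnum.CRLFERROR;
            }
            return checkParsedLocation(str);
        } catch (Exception e2) {
            // NOTE(review): this branch is fail-open by the original author's choice — any
            // unexpected exception in the checks above lets the location through (the log line
            // says "pass=true"). For a redirect guard a rejecting verdict would be the safer
            // default; kept as-is because callers may rely on the current behaviour.
            LoggerUtil.formatWarn(logger, "RedirectLocationCheckUtil", "doCheckExtension", "CatchUnknowException", "pass=true##location=" + str + "##exception=" + e2.getMessage(), "捕获了未知异常,记录日志并放行");
            return RedirectCheckResultEnum.ValidRedirectLocation;
        }
    }

    /**
     * Drops the query string, parses the rest as a {@link URI} and dispatches on the presence
     * of a scheme.
     *
     * @param str non-blank location that already passed the CRLF check
     * @return the verdict of the scheme-specific check, or {@code NotValidURI} on a parse error
     */
    private static RedirectCheckResultEnum checkParsedLocation(String str) {
        // Only the part before the first '?' is inspected: the query cannot change the target
        // host, and it is the part most likely to contain characters URI would reject.
        int queryIdx = str.indexOf('?');
        String withoutQuery = queryIdx > -1 ? str.substring(0, queryIdx) : str;
        try {
            URI uri = new URI(withoutQuery);
            String scheme = uri.getScheme();
            if (scheme == null) {
                return innerRedirectCheck(withoutQuery);
            }
            return normalRedirectCheck(withoutQuery, scheme, uri);
        } catch (URISyntaxException e) {
            LoggerUtil.formatError(logger, "RedirectLocationCheckUtil", "doCheck", "NotValidURI", "pass=false##location=" + str + "##exception=" + e.getMessage(), "不合法的URI");
            return RedirectCheckResultEnum.NotValidURI;
        }
    }

    /**
     * Check for a location without a scheme (a relative URL).
     *
     * <p>A leading {@code //} is rejected: browsers resolve it as protocol-relative, i.e. against
     * whatever host follows, so it would leave the site despite having no scheme.
     *
     * @param location the location with its query removed
     * @return {@code InnerRedirectBypass} for {@code //...}, otherwise {@code ValidRedirectLocation}
     */
    private static RedirectCheckResultEnum innerRedirectCheck(String location) {
        if (location.startsWith("//")) {
            LoggerUtil.formatError(logger, "RedirectLocationCheckUtil", "doCheck", "InnerRedirectBypass", "pass=false##location=" + location, "利用域内跳转进行重定向检测绕过");
            return RedirectCheckResultEnum.InnerRedirectBypass;
        }
        LoggerUtil.formatWarn(logger, "RedirectLocationCheckUtil", "doCheck", "ValidRedirectLocation", "pass=true##location=" + location, "允许的重定向目标地址");
        return RedirectCheckResultEnum.ValidRedirectLocation;
    }

    /**
     * Check for a location that carries a scheme.
     *
     * @param location the location with its query removed (used for logging)
     * @param scheme   {@code uri.getScheme()}, non-null
     * @param uri      the parsed location
     * @return {@code AllowedSchemeRedirectLocation} for a configured non-http(s) scheme,
     *         {@code NotValidPropotal} for any other non-http(s) scheme, {@code NotValidURI} when
     *         the host is missing, {@code DifferentAuthorityAndHost} when authority and
     *         host[:port] disagree (e.g. user-info in the authority), {@code ValidRedirectLocation}
     *         when an allow-list pattern matches, otherwise {@code NotValidRedirectLocation}
     */
    private static RedirectCheckResultEnum normalRedirectCheck(String location, String scheme, URI uri) {
        // Case-sensitive on purpose: "HTTP://..." ends up in NotValidPropotal (fail-closed).
        boolean isHttp = StringUtil.equals(scheme, "http") || StringUtil.equals(scheme, "https");
        if (!isHttp) {
            if (isSchemeAllowed(scheme, schemeList)) {
                LoggerUtil.formatInfo(logger, "RedirectLocationCheckUtil", "doCheck", "AllowedSchemeRedirectLocation", "pass=true##location=" + location, "允许的scheme重定向目标地址");
                return RedirectCheckResultEnum.AllowedSchemeRedirectLocation;
            }
            LoggerUtil.formatError(logger, "RedirectLocationCheckUtil", "doCheck", "NotValidPropotal", "pass=false##location=" + location, "不被允许的协议头");
            return RedirectCheckResultEnum.NotValidPropotal;
        }

        // Host is checked before the port is appended, so a null host can never turn into the
        // non-blank string "null:<port>" and slip past the blank check.
        String host = uri.getHost();
        if (StringUtil.isBlank(host)) {
            LoggerUtil.formatError(logger, "RedirectLocationCheckUtil", "doCheck", "NotValidURI", "pass=false##location=" + location + "##exception=HostIsBlank", "不合法的URI");
            return RedirectCheckResultEnum.NotValidURI;
        }
        int port = uri.getPort();
        String hostAndPort = port != -1 ? host + ":" + port : host;

        // The authority is what a browser actually connects to; if it differs from host[:port]
        // (user-info, odd parsing), do not trust the host the allow-list would be matched on.
        String authority = uri.getAuthority();
        if (StringUtil.isNotBlank(authority) && !StringUtil.equals(authority, hostAndPort)) {
            LoggerUtil.formatError(logger, "RedirectLocationCheckUtil", "doCheck", "DifferentAuthorityAndHost", "pass=false##location=" + location + "##exception=DifferentAuthorityAndHost", "利用异常的Host或Authority尝试绕过");
            return RedirectCheckResultEnum.DifferentAuthorityAndHost;
        }

        // Rebuilt from parsed parts (decoded path) so the patterns see a normalised form, not the
        // raw input.
        String candidate = scheme + "://" + hostAndPort + uri.getPath();
        List<Pattern> patterns = allowHostUrl;
        for (Pattern pattern : patterns) {
            if (pattern.matcher(candidate).find()) {
                return RedirectCheckResultEnum.ValidRedirectLocation;
            }
        }
        LoggerUtil.formatError(logger, "RedirectLocationCheckUtil", "doCheck", "NotValidRedirectLocation", "pass=false##location=" + location, "不被允许的重定向目标地址");
        return RedirectCheckResultEnum.NotValidRedirectLocation;
    }

    /**
     * @param scheme  the scheme to look up
     * @param allowed the configured scheme list; null or empty allows nothing
     * @return whether {@code scheme} is exactly (case-sensitively) in {@code allowed}
     */
    private static boolean isSchemeAllowed(String scheme, List<String> allowed) {
        return allowed != null && allowed.contains(scheme);
    }

    /**
     * Replaces the host allow-list with the given regular expressions.
     *
     * <p>Each entry is trimmed and compiled as-is and later applied with {@code Matcher.find()}
     * against {@code scheme://host[:port]path}. An entry must therefore be anchored
     * ({@code ^...$}, like the built-in defaults); an unanchored entry would also match its text
     * inside the path of an arbitrary host.
     *
     * <p>A null or empty list is ignored and the current list (initially the defaults) is kept.
     *
     * @param list regular expressions, one per allowed host pattern
     * @throws java.util.regex.PatternSyntaxException if an entry is not a valid regex
     */
    public static void setWhiteHostList(List<String> list) {
        if (list == null || list.isEmpty()) {
            return;
        }
        List<Pattern> compiled = new ArrayList<Pattern>(list.size());
        for (String regex : list) {
            compiled.add(Pattern.compile(StringUtil.trim(regex)));
        }
        allowHostUrl = Collections.unmodifiableList(compiled);
    }

    /**
     * Replaces the list of non-http(s) schemes that are accepted without a host check.
     *
     * <p>The list is copied, so later changes by the caller have no effect; null is stored as an
     * empty list (no extra scheme allowed).
     *
     * @param list schemes such as an app-specific scheme; compared case-sensitively
     */
    public static void setSchemeList(List<String> list) {
        if (list == null) {
            schemeList = Collections.<String>emptyList();
        } else {
            schemeList = Collections.unmodifiableList(new ArrayList<String>(list));
        }
    }

    // Built-in host allow-list, used until setWhiteHostList replaces it. Every pattern is
    // anchored and permits any depth of lower-case sub-domain, an optional port and any path.
    static {
        allowHostUrl.add(Pattern.compile("^http(s)?://([a-z0-9_\\-]+\\.)*(taobao|alibaba|alibaba-inc|alipay-inc|aliloan|koubei|alimama)\\.(com|net|cn|com\\.cn)(:\\d+)?(/.*)?$"));
        allowHostUrl.add(Pattern.compile("^http(s)?://([a-z0-9_\\-]+\\.)*(1688|alibado|alisoft)\\.(com|cn|com\\.cn)(:\\d+)?(/.*)?$"));
        allowHostUrl.add(Pattern.compile("^http(s)?://([a-z0-9_\\-]+\\.)*(alipay|zmxy|zhimaxy|mayibank)\\.(net|com\\.cn)(:\\d+)?(/.*)?$"));
        allowHostUrl.add(Pattern.compile("^http(s)?://([a-z0-9_\\-]+\\.)*(mybank)\\.(cn)(:\\d+)?(/.*)?$"));
        allowHostUrl.add(Pattern.compile("^http(s)?://([a-z0-9_\\-]+\\.)*(mayibank|zhimaxy)\\.(cn)(:\\d+)?(/.*)?$"));
        allowHostUrl.add(Pattern.compile("^http(s)?://([a-z0-9_\\-]+\\.)*(alipay|aliexpress|atpanel|taobaocdn|taojianghu|taojapan|hitao|taohua|tao123|tmall|etao|alitrip|zhifubao|zhifu|alipaydev|alipayobjects|alipay-cloud)\\.(com)(:\\d+)?(/.*)?$"));
        allowHostUrl.add(Pattern.compile("^http(s)?://([a-z0-9_\\-]+\\.)*(alibank)\\.(net)(:\\d+)?(/.*)?$"));
        allowHostUrl.add(Pattern.compile("^http(s)?://([a-z0-9_\\-]+\\.)*(aliimg)\\.(com|net)(:\\d+)?(/.*)?$"));
        allowHostUrl.add(Pattern.compile("^http(s)?://([a-z0-9_\\-]+\\.)*(taobao|koubei)\\.(org)(:\\d+)?(/.*)?$"));
        allowHostUrl.add(Pattern.compile("^http(s)?://([a-z0-9_\\-]+\\.)*(yahoo)\\.(cn|com\\.cn)(:\\d+)?(/.*)?$"));
    }
}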
