package com.digiwin.dap.middleware.mybatis.interceptor;

import com.alibaba.druid.wall.Violation;
import com.alibaba.druid.wall.WallConfig;
import com.alibaba.druid.wall.WallProvider;
import com.alibaba.druid.wall.spi.MySqlWallProvider;
import com.alibaba.druid.wall.violation.SyntaxErrorViolation;
import com.digiwin.dap.middleware.lmc.common.Consts;
import java.sql.SQLException;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.regex.Pattern;
import net.bytebuddy.implementation.auxiliary.TypeProxy;
import org.apache.ibatis.cache.CacheKey;
import org.apache.ibatis.executor.Executor;
import org.apache.ibatis.mapping.BoundSql;
import org.apache.ibatis.mapping.MappedStatement;
import org.apache.ibatis.plugin.Interceptor;
import org.apache.ibatis.plugin.Intercepts;
import org.apache.ibatis.plugin.Invocation;
import org.apache.ibatis.plugin.Plugin;
import org.apache.ibatis.plugin.Signature;
import org.apache.ibatis.session.ResultHandler;
import org.apache.ibatis.session.RowBounds;

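/**
 * MyBatis plugin that screens the SQL of every intercepted {@code Executor} query with a Druid
 * MySQL wall provider and rejects the statement with an {@link SQLException} when the wall
 * reports a violation.
 *
 * <p>Scope, as visible in this class:
 * <ul>
 *   <li>Only the two {@code Executor} query signatures below are intercepted. Statements that go
 *       through other {@code Executor} methods are not inspected here.</li>
 *   <li>The {@code orderBy} allow-list is applied only when the statement parameter is a
 *       {@link Map} containing the key {@code "orderBy"}; an {@code orderBy} carried by any other
 *       parameter type relies on the wall check alone.</li>
 *   <li>This is a secondary control. It inspects the final SQL text and does not replace bound
 *       parameters in the mappers.</li>
 * </ul>
 *
 * <p>NOTE(review): {@code Consts.CONST_QUERY} comes from an unrelated package and looks like a
 * decompiler constant substitution; it presumably equals {@code "query"} — confirm.
 */
@Intercepts({
    // The second argument of Executor#query is the statement parameter object, i.e. Object.class.
    // The decompiled source showed a ByteBuddy String constant here, which is not a Class literal.
    @Signature(type = Executor.class, method = Consts.CONST_QUERY, args = {MappedStatement.class, Object.class, RowBounds.class, ResultHandler.class}),
    @Signature(type = Executor.class, method = Consts.CONST_QUERY, args = {MappedStatement.class, Object.class, RowBounds.class, ResultHandler.class, CacheKey.class, BoundSql.class})
})
/* loaded from: input_file:WEB-INF/lib/dapware-mybatis-2.7.20.jar:com/digiwin/dap/middleware/mybatis/interceptor/InjectionInterceptor.class */
public class InjectionInterceptor implements Interceptor {
    /** Key under which a Map parameter carries the caller-supplied ORDER BY fragment. */
    private static final String ORDER_BY = "orderBy";

    /**
     * Character allow-list for the ORDER BY fragment: letters, digits, underscore, space, comma
     * and dot. It restricts characters only and does not check that the words are column names.
     * Compiled once because the check runs on every intercepted query.
     */
    private static final Pattern SQL_PATTERN = Pattern.compile("[a-zA-Z0-9_\\ \\,\\.]+");

    /**
     * Wall provider used by this interceptor. Held per instance so that constructing a second
     * interceptor cannot silently replace the configuration used by the first one.
     */
    private final WallProvider provider;

    /** Creates an interceptor using the default MySQL wall configuration directory. */
    public InjectionInterceptor() {
        this(new WallConfig(MySqlWallProvider.DEFAULT_CONFIG_DIR));
    }

    /**
     * Creates an interceptor backed by the given wall configuration.
     *
     * <p>The supplied {@code wallConfig} is modified: the SELECT always-true WHERE check is
     * switched off and AND-ed always-true conditions are allowed. Both settings relax the wall's
     * tautology detection, so a deployment that tightened them beforehand loses that setting.
     *
     * @param wallConfig configuration to apply; mutated by this constructor
     */
    public InjectionInterceptor(WallConfig wallConfig) {
        wallConfig.setSelectWhereAlwayTrueCheck(false);
        wallConfig.setConditionAndAlwayTrueAllow(true);
        this.provider = new MySqlWallProvider(wallConfig);
    }

    /**
     * Validates the statement parameter's {@code orderBy} entry and the SQL text.
     *
     * <p>The exception messages embed the rejected value and the complete SQL text. They should
     * be kept in server-side logs and not returned to clients.
     *
     * @param obj statement parameter object; only a {@link Map} is inspected for {@code orderBy}
     * @param str SQL text to run through the wall provider
     * @throws SQLException if {@code orderBy} contains a character outside the allow-list, or the
     *     wall provider reports at least one violation (the first one is reported; a syntax-error
     *     violation also supplies the exception cause)
     */
    public void checkInjection(Object obj, String str) throws SQLException {
        if (obj instanceof Map) {
            Map<?, ?> params = (Map<?, ?>) obj;
            // containsKey comes first on purpose: some Map implementations throw on get() for a
            // missing key instead of returning null.
            if (params.containsKey(ORDER_BY)) {
                Object rawOrderBy = params.get(ORDER_BY);
                String orderBy = rawOrderBy == null ? "" : rawOrderBy.toString();
                if (!orderBy.isEmpty() && !SQL_PATTERN.matcher(orderBy).matches()) {
                    throw new SQLException("sql injection violation, " + orderBy + " : " + str);
                }
            }
        }

        List<Violation> violations = provider.check(str).getViolations();
        if (violations.isEmpty()) {
            return;
        }
        Violation first = violations.get(0);
        String message = "sql injection violation, " + first.getMessage() + " : " + str;
        if (first instanceof SyntaxErrorViolation) {
            // Keep the parser exception as the cause so the syntax problem can be diagnosed.
            throw new SQLException(message, ((SyntaxErrorViolation) first).getException());
        }
        throw new SQLException(message);
    }

    /**
     * Checks the SQL of the intercepted query and, if it passes, runs the query on the target
     * executor through its six-argument form.
     *
     * @param invocation intercepted call; its arguments follow one of the two signatures declared
     *     in {@code @Intercepts}
     * @return the result of {@code executor.query(...)}
     * @throws Throwable an {@link SQLException} from {@link #checkInjection(Object, String)}, or
     *     whatever the executor throws
     */
    @Override // org.apache.ibatis.plugin.Interceptor
    public Object intercept(Invocation invocation) throws Throwable {
        Object[] args = invocation.getArgs();
        MappedStatement mappedStatement = (MappedStatement) args[0];
        Object parameter = args[1];
        RowBounds rowBounds = (RowBounds) args[2];
        ResultHandler resultHandler = (ResultHandler) args[3];
        Executor executor = (Executor) invocation.getTarget();

        CacheKey cacheKey;
        BoundSql boundSql;
        if (args.length == 4) {
            // Four-argument form: derive the bound SQL and the cache key here.
            boundSql = mappedStatement.getBoundSql(parameter);
            cacheKey = executor.createCacheKey(mappedStatement, parameter, rowBounds, boundSql);
        } else {
            // Six-argument form: the caller already supplies both.
            cacheKey = (CacheKey) args[4];
            boundSql = (BoundSql) args[5];
        }

        // The check must happen before the executor is called.
        checkInjection(parameter, boundSql.getSql());
        return executor.query(mappedStatement, parameter, rowBounds, resultHandler, cacheKey, boundSql);
    }

    /**
     * Wraps the target with this interceptor using {@link Plugin#wrap(Object, Interceptor)}.
     *
     * @param obj object handed over by MyBatis for wrapping
     * @return the value returned by {@code Plugin.wrap}
     */
    @Override // org.apache.ibatis.plugin.Interceptor
    public Object plugin(Object obj) {
        return Plugin.wrap(obj, this);
    }

    /**
     * Does nothing: plugin properties are ignored, and the wall configuration is fixed at
     * construction time.
     *
     * @param properties ignored
     */
    @Override // org.apache.ibatis.plugin.Interceptor
    public void setProperties(Properties properties) {
        // Intentionally empty.
    }
}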
