package org.owasp.esapi.filters;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.Locale;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.apache.batik.util.XMLConstants;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.StringUtilities;
import org.owasp.esapi.ValidationErrorList;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

/* loaded from: input_file:WEB-INF/lib/esapi-2.1.0.jar:org/owasp/esapi/filters/SecurityWrapperResponse.class */
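/**
 * Response wrapper that routes cookies, headers, redirects and status codes
 * through ESAPI validation before they reach the container.
 *
 * <p>What the overrides in this class do:
 * <ul>
 *   <li>Header names and values are control-character-stripped and validated
 *       against the {@code HTTPHeaderName} / {@code HTTPHeaderValue} rules;
 *       a header that fails validation is logged and not written.</li>
 *   <li>Cookies are written as a hand-built {@code Set-Cookie} header so the
 *       configured {@code ForceSecureCookies} / {@code ForceHttpOnlyCookies}
 *       settings are applied; a cookie whose name or value fails validation is
 *       handled according to the configured mode (see {@link #mode}).</li>
 *   <li>{@link #sendError} and {@link #setStatus} always write status
 *       {@value #FIXED_STATUS}; the supplied code only ever appears in the
 *       (HTML-encoded) message.</li>
 *   <li>{@link #sendRedirect} refuses locations rejected by
 *       {@code isValidRedirectLocation} and fails with an {@link IOException}.</li>
 *   <li>{@link #setCharacterEncoding} ignores its argument and applies the
 *       encoding from the ESAPI security configuration.</li>
 *   <li>The {@code encodeURL} family returns its input unchanged, so URL
 *       session rewriting is effectively disabled.</li>
 * </ul>
 *
 * <p>Everything else is delegated unchanged to the wrapped response.
 */
public class SecurityWrapperResponse extends HttpServletResponseWrapper implements HttpServletResponse {

    /** Cookie that fails validation is logged and dropped. */
    private static final String MODE_SKIP = "skip";
    /** Cookie that fails validation is logged and then handed to the container unchanged. */
    private static final String MODE_LOG = "log";
    /** Cookie that fails validation is logged and written with the validator's result for name/value. */
    private static final String MODE_SANITIZE = "sanitize";

    /** Length limit passed to the validator for header names ({@code HTTPHeaderName} rule). */
    private static final int MAX_HEADER_NAME_LENGTH = 20;
    /** Length limit passed to the validator for cookie names ({@code HTTPCookieName} rule). */
    private static final int MAX_COOKIE_NAME_LENGTH = 50;
    /** Status written by every {@code sendError} / {@code setStatus} override, regardless of the argument. */
    private static final int FIXED_STATUS = 200;

    private final Logger logger;

    /**
     * Policy applied to a cookie that fails validation: one of
     * {@link #MODE_SKIP}, {@link #MODE_LOG} or {@link #MODE_SANITIZE}.
     * Any other value (including {@code null}) causes {@link #addCookie}
     * to throw an {@link IntrusionException} for an invalid cookie ("throw" mode).
     */
    private final String mode;

    /**
     * Wraps {@code httpServletResponse} in {@link #MODE_LOG} mode.
     *
     * @param httpServletResponse the container response to protect
     */
    public SecurityWrapperResponse(HttpServletResponse httpServletResponse) {
        this(httpServletResponse, MODE_LOG);
    }

    /**
     * Wraps {@code httpServletResponse} with an explicit cookie-failure mode.
     *
     * @param httpServletResponse the container response to protect
     * @param mode                "skip", "log" or "sanitize"; anything else selects throw behaviour
     */
    public SecurityWrapperResponse(HttpServletResponse httpServletResponse, String mode) {
        super(httpServletResponse);
        this.logger = ESAPI.getLogger("SecurityWrapperResponse");
        this.mode = mode;
    }

    /** The wrapped container response that the validated calls are forwarded to. */
    private HttpServletResponse getHttpServletResponse() {
        return (HttpServletResponse) super.getResponse();
    }

    /**
     * Validates the cookie's name and value and writes it as a {@code Set-Cookie}
     * header built by {@link #createCookieHeader}; that header then passes through
     * {@link #addHeader}, so it is validated as a header value as well.
     *
     * <p>If validation of the name or value fails, the outcome depends on {@link #mode}.
     * Note that in {@link #MODE_LOG} the original {@link Cookie} object is handed to the
     * container directly, which bypasses {@link #createCookieHeader} and therefore the
     * forced {@code Secure} / {@code HttpOnly} attributes.
     *
     * @param cookie the cookie to add
     * @throws IntrusionException in throw mode when the cookie fails validation, or from the
     *                            validator itself for input it classifies as an attack
     */
    @Override
    public void addCookie(Cookie cookie) {
        String name = cookie.getName();
        String value = cookie.getValue();
        int maxAge = cookie.getMaxAge();
        String domain = cookie.getDomain();
        String path = cookie.getPath();
        boolean secure = cookie.getSecure();

        ValidationErrorList errors = new ValidationErrorList();
        String safeName = ESAPI.validator().getValidInput(
                "cookie name", name, "HTTPCookieName", MAX_COOKIE_NAME_LENGTH, false, errors);
        String safeValue = ESAPI.validator().getValidInput(
                "cookie value", value, "HTTPCookieValue",
                ESAPI.securityConfiguration().getMaxHttpHeaderSize(), false, errors);

        if (errors.size() == 0) {
            addHeader("Set-Cookie", createCookieHeader(name, value, maxAge, domain, path, secure));
        } else if (MODE_SKIP.equals(mode)) {
            logger.warning(Logger.SECURITY_FAILURE,
                    "Attempt to add unsafe data to cookie (skip mode). Skipping cookie and continuing.");
        } else if (MODE_LOG.equals(mode)) {
            logger.warning(Logger.SECURITY_FAILURE,
                    "Attempt to add unsafe data to cookie (log mode). Adding unsafe cookie anyway and continuing.");
            // Raw pass-through: ForceSecureCookies / ForceHttpOnlyCookies are not applied on this path.
            getHttpServletResponse().addCookie(cookie);
        } else if (MODE_SANITIZE.equals(mode)) {
            logger.warning(Logger.SECURITY_FAILURE,
                    "Attempt to add unsafe data to cookie (sanitize mode). Sanitizing cookie and continuing.");
            // What the validator returns for a rejected field is up to its implementation.
            addHeader("Set-Cookie", createCookieHeader(safeName, safeValue, maxAge, domain, path, secure));
        } else {
            // Unrecognised (or null) mode is treated as "throw": fail closed.
            throw new IntrusionException("Security error", "Attempt to add unsafe data to cookie (throw mode)");
        }
    }

    /**
     * Builds the {@code Set-Cookie} header value for the given cookie fields.
     *
     * <p>{@code Secure} is emitted when the cookie asks for it or {@code ForceSecureCookies}
     * is configured; {@code HttpOnly} is emitted when {@code ForceHttpOnlyCookies} is configured.
     * {@code Max-Age} is only emitted for non-negative values: the Servlet {@link Cookie}
     * default of {@code -1} means "session cookie", while RFC 6265 treats a {@code Max-Age}
     * of zero or less as "expire immediately", so writing {@code -1} literally would delete
     * the cookie instead of making it a session cookie. A value of {@code 0} (delete) is kept.
     *
     * @param name   cookie name
     * @param value  cookie value
     * @param maxAge lifetime in seconds; negative means no {@code Max-Age} attribute
     * @param domain {@code Domain} attribute, or {@code null} to omit
     * @param path   {@code Path} attribute, or {@code null} to omit
     * @param secure whether the cookie itself requests {@code Secure}
     * @return the assembled header value (not yet validated; callers pass it through {@link #addHeader})
     */
    private String createCookieHeader(String name, String value, int maxAge, String domain, String path,
            boolean secure) {
        StringBuilder header = new StringBuilder(name).append('=').append(value);
        if (maxAge >= 0) {
            header.append("; Max-Age=").append(maxAge);
        }
        if (domain != null) {
            header.append("; Domain=").append(domain);
        }
        if (path != null) {
            header.append("; Path=").append(path);
        }
        if (secure || ESAPI.securityConfiguration().getForceSecureCookies()) {
            header.append("; Secure");
        }
        if (ESAPI.securityConfiguration().getForceHttpOnlyCookies()) {
            header.append("; HttpOnly");
        }
        return header.toString();
    }

    /**
     * Validates a header name against the {@code HTTPHeaderName} rule.
     *
     * @param context label used in the validator's error messages
     * @param name    raw header name
     * @return the validated name
     * @throws ValidationException if the name is rejected
     */
    private String validHeaderName(String context, String name) throws ValidationException {
        return ESAPI.validator().getValidInput(context, name, "HTTPHeaderName", MAX_HEADER_NAME_LENGTH, false);
    }

    /**
     * Validates a header value against the {@code HTTPHeaderValue} rule, bounded by the
     * configured maximum HTTP header size.
     *
     * @param context label used in the validator's error messages
     * @param value   raw header value
     * @return the validated value
     * @throws ValidationException if the value is rejected
     */
    private String validHeaderValue(String context, String value) throws ValidationException {
        return ESAPI.validator().getValidInput(context, value, "HTTPHeaderValue",
                ESAPI.securityConfiguration().getMaxHttpHeaderSize(), false);
    }

    /**
     * Adds a date header after validating its name; an invalid name is logged and the header is not written.
     *
     * @param name header name
     * @param date header value as epoch milliseconds
     */
    @Override
    public void addDateHeader(String name, long date) {
        try {
            getHttpServletResponse().addDateHeader(validHeaderName("addDateHeader", name), date);
        } catch (ValidationException e) {
            logger.warning(Logger.SECURITY_FAILURE, "Attempt to set invalid date header name denied", e);
        }
    }

    /**
     * Adds a header after stripping control characters from, and validating, both name and value.
     * An invalid name or value is logged and the header is not written.
     *
     * <p>The validated pair is passed to the wrapped response's {@code addHeader}, so repeated
     * calls accumulate values (as the Servlet contract requires) instead of replacing the previous
     * one; this matters for {@code Set-Cookie}, which {@link #addCookie} emits through this method.
     *
     * @param name  header name
     * @param value header value
     */
    @Override
    public void addHeader(String name, String value) {
        try {
            String strippedName = StringUtilities.stripControls(name);
            String strippedValue = StringUtilities.stripControls(value);
            getHttpServletResponse().addHeader(
                    validHeaderName("addHeader", strippedName),
                    validHeaderValue("addHeader", strippedValue));
        } catch (ValidationException e) {
            logger.warning(Logger.SECURITY_FAILURE, "Attempt to add invalid header denied", e);
        }
    }

    /**
     * Adds an integer header after validating its name; an invalid name is logged and the header is not written.
     *
     * @param name  header name
     * @param value header value
     */
    @Override
    public void addIntHeader(String name, int value) {
        try {
            getHttpServletResponse().addIntHeader(validHeaderName("addIntHeader", name), value);
        } catch (ValidationException e) {
            logger.warning(Logger.SECURITY_FAILURE, "Attempt to set invalid int header name denied", e);
        }
    }

    /** Delegates to the wrapped response; the name is not validated because nothing is written. */
    @Override
    public boolean containsHeader(String name) {
        return getHttpServletResponse().containsHeader(name);
    }

    /** Returns {@code url} unchanged: no session id is ever appended. */
    @Override
    @Deprecated
    public String encodeRedirectUrl(String url) {
        return url;
    }

    /** Returns {@code url} unchanged: no session id is ever appended. */
    @Override
    public String encodeRedirectURL(String url) {
        return url;
    }

    /** Returns {@code url} unchanged: no session id is ever appended. */
    @Override
    @Deprecated
    public String encodeUrl(String url) {
        return url;
    }

    /** Returns {@code url} unchanged: no session id is ever appended. */
    @Override
    public String encodeURL(String url) {
        return url;
    }

    @Override
    public void flushBuffer() throws IOException {
        getHttpServletResponse().flushBuffer();
    }

    @Override
    public int getBufferSize() {
        return getHttpServletResponse().getBufferSize();
    }

    @Override
    public String getCharacterEncoding() {
        return getHttpServletResponse().getCharacterEncoding();
    }

    @Override
    public String getContentType() {
        return getHttpServletResponse().getContentType();
    }

    @Override
    public Locale getLocale() {
        return getHttpServletResponse().getLocale();
    }

    @Override
    public ServletOutputStream getOutputStream() throws IOException {
        return getHttpServletResponse().getOutputStream();
    }

    @Override
    public PrintWriter getWriter() throws IOException {
        return getHttpServletResponse().getWriter();
    }

    @Override
    public boolean isCommitted() {
        return getHttpServletResponse().isCommitted();
    }

    @Override
    public void reset() {
        getHttpServletResponse().reset();
    }

    @Override
    public void resetBuffer() {
        getHttpServletResponse().resetBuffer();
    }

    /**
     * Sends an error response with status {@value #FIXED_STATUS}; the requested code only
     * appears in the generic message produced by {@link #getHTTPMessage}.
     *
     * @param statusCode the error code the caller asked for
     * @throws IOException from the wrapped response
     */
    @Override
    public void sendError(int statusCode) throws IOException {
        getHttpServletResponse().sendError(FIXED_STATUS, getHTTPMessage(statusCode));
    }

    /**
     * Sends an error response with status {@value #FIXED_STATUS} and the HTML-encoded message;
     * the requested code is discarded.
     *
     * @param statusCode the error code the caller asked for (ignored)
     * @param message    message text, HTML-encoded before being passed on
     * @throws IOException from the wrapped response
     */
    @Override
    public void sendError(int statusCode, String message) throws IOException {
        getHttpServletResponse().sendError(FIXED_STATUS, ESAPI.encoder().encodeForHTML(message));
    }

    /**
     * Redirects only to a location accepted by the validator's {@code isValidRedirectLocation};
     * otherwise logs a fatal security event and fails without writing the redirect.
     *
     * @param location target location
     * @throws IOException if the location is rejected, or from the wrapped response
     */
    @Override
    public void sendRedirect(String location) throws IOException {
        if (!ESAPI.validator().isValidRedirectLocation("Redirect", location, false)) {
            logger.fatal(Logger.SECURITY_FAILURE, "Bad redirect location: " + location);
            throw new IOException("Redirect failed");
        }
        getHttpServletResponse().sendRedirect(location);
    }

    @Override
    public void setBufferSize(int size) {
        getHttpServletResponse().setBufferSize(size);
    }

    /**
     * Ignores the requested encoding and applies the one from the ESAPI security configuration.
     *
     * @param encoding ignored
     */
    @Override
    public void setCharacterEncoding(String encoding) {
        getHttpServletResponse().setCharacterEncoding(ESAPI.securityConfiguration().getCharacterEncoding());
    }

    @Override
    public void setContentLength(int length) {
        getHttpServletResponse().setContentLength(length);
    }

    /** Delegated unchanged; the content type is not validated here. */
    @Override
    public void setContentType(String type) {
        getHttpServletResponse().setContentType(type);
    }

    /**
     * Sets a date header after validating its name; an invalid name is logged and the header is not written.
     *
     * @param name header name
     * @param date header value as epoch milliseconds
     */
    @Override
    public void setDateHeader(String name, long date) {
        try {
            getHttpServletResponse().setDateHeader(validHeaderName("setDateHeader", name), date);
        } catch (ValidationException e) {
            logger.warning(Logger.SECURITY_FAILURE, "Attempt to set invalid date header name denied", e);
        }
    }

    /**
     * Sets (replaces) a header after stripping control characters from, and validating, both
     * name and value. An invalid name or value is logged and the header is not written.
     *
     * @param name  header name
     * @param value header value
     */
    @Override
    public void setHeader(String name, String value) {
        try {
            String strippedName = StringUtilities.stripControls(name);
            String strippedValue = StringUtilities.stripControls(value);
            getHttpServletResponse().setHeader(
                    validHeaderName("setHeader", strippedName),
                    validHeaderValue("setHeader", strippedValue));
        } catch (ValidationException e) {
            logger.warning(Logger.SECURITY_FAILURE, "Attempt to set invalid header denied", e);
        }
    }

    /**
     * Sets an integer header after validating its name; an invalid name is logged and the header is not written.
     *
     * @param name  header name
     * @param value header value
     */
    @Override
    public void setIntHeader(String name, int value) {
        try {
            getHttpServletResponse().setIntHeader(validHeaderName("setIntHeader", name), value);
        } catch (ValidationException e) {
            logger.warning(Logger.SECURITY_FAILURE, "Attempt to set invalid int header name denied", e);
        }
    }

    @Override
    public void setLocale(Locale locale) {
        getHttpServletResponse().setLocale(locale);
    }

    /**
     * Always sets status {@value #FIXED_STATUS}; the requested code is discarded.
     *
     * @param statusCode ignored
     */
    @Override
    public void setStatus(int statusCode) {
        getHttpServletResponse().setStatus(FIXED_STATUS);
    }

    /**
     * Routes through {@link #sendError(int, String)}, so the status becomes {@value #FIXED_STATUS}
     * and the message is HTML-encoded; an {@link IOException} from that call is logged, not rethrown.
     *
     * @param statusCode ignored
     * @param message    message text
     */
    @Override
    @Deprecated
    public void setStatus(int statusCode, String message) {
        try {
            sendError(FIXED_STATUS, message);
        } catch (IOException e) {
            logger.warning(Logger.SECURITY_FAILURE, "Attempt to set response status failed", e);
        }
    }

    /**
     * Generic message used by {@link #sendError(int)} in place of container-specific error text.
     *
     * @param statusCode the code to mention
     * @return {@code "HTTP error code: " + statusCode}
     */
    private String getHTTPMessage(int statusCode) {
        return "HTTP error code: " + statusCode;
    }
}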
