package com.dotmarketing.common.util;

import com.dotcms.repackage.com.google.common.collect.ImmutableSet;
import com.dotcms.repackage.org.apache.commons.lang.StringEscapeUtils;
import com.dotcms.repackage.org.apache.commons.lang.StringUtils;
import com.dotcms.util.SecurityLoggerServiceAPI;
import com.dotmarketing.beans.Host;
import com.dotmarketing.business.APILocator;
import com.dotmarketing.business.DotStateException;
import com.dotmarketing.business.query.Criteria;
import com.dotmarketing.db.DbConnectionFactory;
import com.dotmarketing.exception.DotRuntimeException;
import com.dotmarketing.util.Logger;
import com.dotmarketing.util.SecurityLogger;
import com.dotmarketing.util.UtilMethods;
import com.liferay.portal.util.Constants;
import com.liferay.util.StringPool;
import com.liferay.util.StringUtil;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import net.sourceforge.squirrel_sql.fw.preferences.BaseQueryTokenizerPreferenceBean;
import net.sourceforge.squirrel_sql.fw.sql.QueryTokenizer;
import net.sourceforge.squirrel_sql.plugins.mssql.prefs.MSSQLPreferenceBean;
import net.sourceforge.squirrel_sql.plugins.mssql.tokenizer.MSSQLQueryTokenizer;
import net.sourceforge.squirrel_sql.plugins.mysql.tokenizer.MysqlQueryTokenizer;
import net.sourceforge.squirrel_sql.plugins.oracle.prefs.OraclePreferenceBean;
import net.sourceforge.squirrel_sql.plugins.oracle.tokenizer.OracleQueryTokenizer;

/* loaded from: input_file:com/dotmarketing/common/util/SQLUtil.class */
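/**
 * Helpers for building and guarding dynamically assembled SQL fragments.
 *
 * <p>The {@code sanitize*} methods are a keyword denylist plus an order-by allowlist for
 * fragments that cannot be bound as {@code PreparedStatement} parameters (column names,
 * sort expressions, free-form conditions). They are a secondary guard: a denylist cannot
 * prove a fragment is safe, so bindable values should still go through parameters. Every
 * rejection is logged and the fragment is replaced by {@link StringPool#BLANK}.
 *
 * <p>The class is stateless apart from the security logger resolved at class-load time.
 */
public class SQLUtil {

    /** Message prefix shared by every rejection log line (kept byte-identical to the original). */
    private static final String PERNICIOUS_MESSAGE = "Invalid or pernicious sql parameter passed in : ";

    /** Resolved once at class load; not final so test harnesses may swap it in (as before). */
    private static SecurityLoggerServiceAPI securityLoggerServiceAPI = APILocator.getSecurityLogger();

    /** Keywords that must never appear as a standalone word inside a condition fragment. */
    private static final Set<String> EVIL_SQL_CONDITION_WORDS = ImmutableSet.of(
            "insert", "delete", Constants.UPDATE, "replace", "create", "drop",
            "alter", "truncate", "declare", "exec", "--", "procedure", "pg_",
            com.dotmarketing.util.Constants.LOCK, com.dotmarketing.util.Constants.UNLOCK,
            "write", "engine", "mode", "set ", "sleep", StringPool.SEMICOLON);

    /** Additional keywords rejected in plain parameters (on top of the condition words). */
    private static final Set<String> EVIL_SQL_PARAMETER_WORDS = ImmutableSet.of(
            "select", "distinct", "like", Criteria.LOGICAL_OPERATOR_AND, Criteria.LOGICAL_OPERATOR_OR,
            "limit", "group", "order", "as ", "count", "where", StringPool.NULL, "not ");

    /** Union of the condition and parameter denylists, used by {@link #sanitizeParameter(String)}. */
    private static final Set<String> EVIL_SQL_WORDS = new ImmutableSet.Builder<String>()
            .addAll(EVIL_SQL_CONDITION_WORDS)
            .addAll(EVIL_SQL_PARAMETER_WORDS)
            .build();

    /** Exact (lower-cased) sort expressions that {@link #sanitizeSortBy(String)} accepts. */
    private static final Set<String> ORDERBY_WHITELIST = ImmutableSet.of(
            "title", "filename", "moddate", "tagname", "pageUrl", "category_name",
            "category_velocity_var_name", "status", "workflow_step.name", "assigned_to", "mod_date",
            "structuretype,upper(name)", "upper(name)", "category_key", "page_url", "name",
            "velocity_var_name", "description", "category_", "sort_order", Host.HOST_NAME_KEY,
            "keywords", "mod_date,upper(name)", "relation_type_value");

    /**
     * Splits a SQL script into individual statements using the tokenizer that matches the
     * configured database.
     *
     * <p>Statements are separated on {@code ;}, {@code --} starts a line comment. On MS SQL every
     * statement is additionally run through {@link MSSQLQueryTokenizer} and its output is used
     * when it yields anything (presumably to honour that dialect's batch separators — not
     * verifiable from this class). MySQL uses {@code #} as procedure separator.
     *
     * @param str the script to split; {@code null} yields an empty list
     * @return the statements in script order, never {@code null}
     */
    public static List<String> tokenize(final String str) {
        final List<String> statements = new ArrayList<String>();
        if (str == null) {
            return statements;
        }
        QueryTokenizer tokenizer = new QueryTokenizer(StringPool.SEMICOLON, "--", true);
        MSSQLQueryTokenizer msSqlTokenizer = null;
        if (DbConnectionFactory.isMsSql()) {
            msSqlTokenizer = new MSSQLQueryTokenizer(new MSSQLPreferenceBean());
        } else if (DbConnectionFactory.isOracle()) {
            tokenizer = new OracleQueryTokenizer(new OraclePreferenceBean());
        } else if (DbConnectionFactory.isMySql()) {
            final BaseQueryTokenizerPreferenceBean prefs = new BaseQueryTokenizerPreferenceBean();
            prefs.setProcedureSeparator("#");
            tokenizer = new MysqlQueryTokenizer(prefs);
        }
        tokenizer.setScriptToTokenize(str);
        while (tokenizer.hasQuery()) {
            final String statement = tokenizer.nextQuery();
            if (statement == null) {
                continue;
            }
            if (msSqlTokenizer == null) {
                statements.add(statement);
                continue;
            }
            // MS SQL: second pass over each statement; fall back to the statement itself
            // when the dialect tokenizer produces nothing.
            msSqlTokenizer.setScriptToTokenize(statement);
            if (!msSqlTokenizer.hasQuery()) {
                statements.add(statement);
                continue;
            }
            while (msSqlTokenizer.hasQuery()) {
                final String part = msSqlTokenizer.nextQuery();
                if (part != null) {
                    statements.add(part);
                }
            }
        }
        return statements;
    }

    /**
     * Builds the dialect-specific string concatenation expression for the given column
     * expressions: {@code cast(a as varchar(512)) + ...} on MS SQL, {@code CONCAT(a,b,...)} on
     * MySQL and {@code a || b || ...} elsewhere.
     *
     * <p>Callers are responsible for the contents of {@code strArr}; the values are inserted
     * verbatim, so they must be trusted column expressions, never user input.
     *
     * @param strArr column expressions to concatenate
     * @return the concatenation expression; an empty array yields {@link StringPool#BLANK}
     * @throws DotRuntimeException if {@code strArr} is {@code null}
     */
    public static String concat(final String... strArr) throws DotRuntimeException {
        if (strArr == null) {
            throw new DotRuntimeException("the column list being concated are null");
        }
        // Dialect is fixed for the whole expression; resolve it once instead of per element.
        final boolean msSql = DbConnectionFactory.isMsSql();
        final boolean mySql = DbConnectionFactory.isMySql();
        final StringBuilder sb = new StringBuilder();
        boolean first = true;
        for (final String column : strArr) {
            if (msSql) {
                if (!first) {
                    sb.append(" + ");
                }
                sb.append("cast( ").append(column).append(" as varchar(512))");
            } else if (mySql) {
                sb.append(first ? "CONCAT(" : ",").append(column);
            } else {
                if (!first) {
                    sb.append(" || ");
                }
                sb.append(column);
            }
            first = false;
        }
        // Only close CONCAT( when it was actually opened (an empty array used to yield a bare ")").
        if (mySql && !first) {
            sb.append(Criteria.GROUPING_END);
        }
        return sb.toString();
    }

    /**
     * Wraps a single {@code select} statement with the dialect's offset/limit clause.
     *
     * <p>The query is passed back unchanged when {@code offset == 0 && limit == -1}, when it is
     * blank or contains no {@code select}, or when it contains more than one {@code select}
     * (sub-queries are not rewritten). Note that the returned query is the lower-cased form of
     * the input, including any string literals — existing behaviour that callers may rely on.
     *
     * @param str   the query to page
     * @param j     row offset
     * @param j2    maximum number of rows
     * @return the paged query, or {@code str} as described above; an unknown dialect yields
     *         {@link StringPool#BLANK}
     */
    public static String addLimits(String str, final long j, final long j2) {
        if (j == 0 && j2 == -1) {
            return str;
        }
        int selectCount = 0;
        if (str != null) {
            // Locale.ROOT so keyword detection does not depend on the JVM default locale.
            str = str.toLowerCase(Locale.ROOT);
            selectCount = StringUtil.count(str, "select");
        }
        if (!UtilMethods.isSet(str) || !str.trim().contains("select") || selectCount > 1) {
            return str;
        }
        final StringBuilder paged = new StringBuilder();
        if (DbConnectionFactory.isPostgres() || DbConnectionFactory.isMySql() || DbConnectionFactory.isH2()) {
            paged.append(str + " LIMIT " + j2 + " OFFSET " + j);
        } else if (DbConnectionFactory.isMsSql()) {
            // ROW_NUMBER() needs the ORDER BY inside OVER(), so it is moved out of the query body.
            String orderBy = StringPool.BLANK;
            if (str.startsWith("select")) {
                str = str.substring(6);
            }
            if (str.contains("order by")) {
                orderBy = str.substring(str.indexOf("order by"), str.length());
                str = str.replace(orderBy, StringPool.BLANK).trim();
            }
            paged.append(" SELECT TOP " + j2 + " * FROM (SELECT ROW_NUMBER()  OVER (" + orderBy
                    + ") AS RowNumber," + str + ") temp  WHERE RowNumber >" + j);
        } else if (DbConnectionFactory.isOracle()) {
            paged.append("select * from ( select temp.*, ROWNUM rnum from ( " + str
                    + " ) temp where ROWNUM <= " + (j2 + j) + " ) where rnum > " + j);
        }
        return paged.toString();
    }

    /**
     * Accepts a sort expression only if, after stripping {@code asc}/{@code desc} and dashes and
     * lower-casing, it is one of {@link #ORDERBY_WHITELIST}.
     *
     * @param str the raw sort-by value
     * @return {@code str} unchanged when allow-listed, otherwise {@link StringPool#BLANK}
     *         (blank input and anything containing {@link StringPool#NULL} are also blanked)
     */
    public static String sanitizeSortBy(final String str) {
        if (StringUtils.isBlank(str) || str.contains(StringPool.NULL)) {
            return StringPool.BLANK;
        }
        final String normalized = str
                .replaceAll(" asc", StringPool.BLANK)
                .replaceAll(" desc", StringPool.BLANK)
                .replaceAll(StringPool.DASH, StringPool.BLANK)
                .toLowerCase(Locale.ROOT);
        if (ORDERBY_WHITELIST.contains(normalized)) {
            return str;
        }
        Logger.error(SQLUtil.class, PERNICIOUS_MESSAGE + str,
                (Throwable) new DotStateException(PERNICIOUS_MESSAGE + str));
        SecurityLogger.logDebug(SQLUtil.class, PERNICIOUS_MESSAGE + str);
        return StringPool.BLANK;
    }

    /**
     * Escapes a value for inline use and rejects it if it contains any word of
     * {@link #EVIL_SQL_WORDS}.
     *
     * @param str the raw parameter
     * @return the SQL-escaped value, or {@link StringPool#BLANK} if unset or rejected
     */
    public static String sanitizeParameter(final String str) {
        if (!UtilMethods.isSet(str)) {
            return StringPool.BLANK;
        }
        return sanitizeSQL(StringEscapeUtils.escapeSql(str), EVIL_SQL_WORDS);
    }

    /**
     * Rejects a condition fragment that contains any word of {@link #EVIL_SQL_CONDITION_WORDS}.
     * No escaping is applied; the fragment is returned verbatim when it passes.
     *
     * @param str the raw condition fragment
     * @return {@code str}, or {@link StringPool#BLANK} if unset or rejected
     */
    public static String sanitizeCondition(final String str) {
        if (!UtilMethods.isSet(str)) {
            return StringPool.BLANK;
        }
        return sanitizeSQL(str, EVIL_SQL_CONDITION_WORDS);
    }

    /**
     * Denylist check: the fragment is rejected when any entry of {@code set} occurs as a
     * standalone word (bounded by characters that {@link #isValidSQLCharacter(char)} does not
     * accept, or by the ends of the string).
     *
     * <p>Every occurrence of each word is examined. The original only looked at the first
     * occurrence, so a word embedded in a longer identifier early in the fragment masked a
     * standalone occurrence later on.
     *
     * @param str the fragment to inspect (already escaped where applicable)
     * @param set the lower-case words to look for
     * @return {@code str} when clean, {@link StringPool#BLANK} (after logging) when rejected
     */
    private static String sanitizeSQL(final String str, final Set<String> set) {
        final String lowerCase = str.toLowerCase(Locale.ROOT);
        for (final String word : set) {
            if (containsStandaloneWord(lowerCase, word)) {
                Logger.error(SQLUtil.class, PERNICIOUS_MESSAGE + str,
                        (Throwable) new DotStateException(PERNICIOUS_MESSAGE + str));
                securityLoggerServiceAPI.logInfo(SQLUtil.class, PERNICIOUS_MESSAGE + str);
                return StringPool.BLANK;
            }
        }
        return str;
    }

    /**
     * Scans all occurrences of {@code word} in {@code haystack} and reports whether any of them
     * is bounded on both sides by a non-identifier character or the string edge.
     *
     * @param haystack lower-cased text to scan
     * @param word     lower-cased word to find; an empty word never matches
     * @return {@code true} if a standalone occurrence exists
     */
    private static boolean containsStandaloneWord(final String haystack, final String word) {
        if (word.isEmpty()) {
            return false;
        }
        int from = 0;
        int idx;
        while ((idx = haystack.indexOf(word, from)) != -1) {
            final int end = idx + word.length();
            final boolean boundedBefore = idx == 0 || !isValidSQLCharacter(haystack.charAt(idx - 1));
            final boolean boundedAfter = end == haystack.length() || !isValidSQLCharacter(haystack.charAt(end));
            if (boundedBefore && boundedAfter) {
                return true;
            }
            from = idx + 1;
        }
        return false;
    }

    /**
     * Characters treated as part of an identifier for the word-boundary test.
     *
     * <p>NOTE(review): {@code '-'} counts as an identifier character, so the {@code "--"} entry
     * is only matched when it is separated from surrounding identifiers — confirm this is the
     * intended boundary rule.
     *
     * @param c the character to classify
     * @return {@code true} for letters, digits, {@code '-'} and {@code '_'}
     */
    private static boolean isValidSQLCharacter(final char c) {
        return Character.isLetterOrDigit(c) || '-' == c || '_' == c;
    }
}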
