package com.aote.util;

import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.json.JSONArray;
import org.json.JSONObject;

/* loaded from: input_file:com/aote/util/ParamFilter.class */
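/**
 * Blacklist-based input filter that rejects request parameters containing
 * SQL-looking substrings.
 *
 * <p>Every entry point ({@link #checkSqlMap(Map)}, {@link #checkSqlJsonStr(String)},
 * {@link #checkSqlJson(JSONObject)}, {@link #checkSqlJsonV(Object)}) ends in
 * {@link #checkSqlStr(String)}, which does a case-insensitive substring search
 * over {@link #sqlkeywords} and throws on the first hit.
 *
 * <p>Security note: this is a coarse heuristic, not an injection control. The
 * entries are matched anywhere in the value, so ordinary data such as
 * "from", "count", "update", a "/" in a date or path, or a "0x" prefix is
 * rejected (false positives), while anything the blacklist does not name is
 * let through. The actual protection against SQL injection has to be
 * parameterised queries at the data-access layer; treat this class only as
 * defence in depth in front of them.
 */
/* loaded from: input_file:com/aote/util/ParamFilter.class */
public class ParamFilter {
    static final Logger log = Logger.getLogger(ParamFilter.class);

    /**
     * Substrings that cause {@link #checkSqlStr(String)} to reject a value.
     * Only the keys are used; the values are never read. Insertion order is
     * preserved so that the keyword named in the error message is
     * deterministic when a value matches several entries.
     */
    private static final Map<String, Object> sqlkeywords = new LinkedHashMap<>();

    /**
     * Manual smoke test: feeds a JSON document whose "condition" field carries
     * a comment-padded boolean clause, which the filter is expected to reject.
     *
     * @param strArr ignored
     */
    public static void main(String[] strArr) {
        checkSqlJsonStr("{\n    \"condition\": \" 1=1  and f_user_state = 'test/**/or/**/1=1--+'\",\n    \"orderitem\": \"f_userinfo_code desc\",\n    \"items\": \"f_userinfo_code\"\n}");
    }

    /**
     * Checks every value of {@code map} with {@link #checkSqlStr(String)}.
     * Values are converted with {@link String#valueOf(Object)}, so a
     * {@code null} value is inspected as the text "null". A {@code null} map
     * has nothing to inspect and is accepted.
     *
     * @param map parameters to inspect; may be {@code null}
     * @throws RuntimeException if any value contains a blacklisted substring
     */
    public static void checkSqlMap(Map<String, Object> map) {
        if (map == null) {
            return;
        }
        for (Object value : map.values()) {
            checkSqlStr(String.valueOf(value));
        }
    }

    /**
     * Parses {@code str} as a JSON object and checks all of its values.
     *
     * <p>The raw input is written to the log at DEBUG level. It is caller
     * (potentially attacker) controlled, so keep this at DEBUG in production
     * rather than promoting it to a higher level.
     *
     * @param str JSON object text
     * @throws org.json.JSONException if {@code str} is not a JSON object
     * @throws RuntimeException if any nested value contains a blacklisted substring
     */
    public static void checkSqlJsonStr(String str) {
        log.debug("待检数据：" + str);
        checkSqlJson(new JSONObject(str));
    }

    /**
     * Checks every value of {@code jSONObject} via {@link #checkSqlJsonV(Object)}.
     * Keys themselves are not inspected.
     *
     * @param jSONObject object whose values are to be inspected
     * @throws RuntimeException if any nested value contains a blacklisted substring
     */
    public static void checkSqlJson(JSONObject jSONObject) {
        for (String key : jSONObject.keySet()) {
            checkSqlJsonV(jSONObject.get(key));
        }
    }

    /**
     * Recursively inspects one JSON value.
     *
     * <ul>
     *   <li>{@link JSONArray}: each element is inspected in turn.</li>
     *   <li>{@link JSONObject}: delegated to {@link #checkSqlJson(JSONObject)}.</li>
     *   <li>{@link String} starting with "{" or "[": parsed as embedded JSON
     *       and inspected recursively. Note that a string that merely begins
     *       with one of those characters but is not valid JSON makes the
     *       org.json constructor throw, i.e. such a value is rejected.</li>
     *   <li>any other {@link String}: checked with {@link #checkSqlStr(String)}.</li>
     *   <li>numbers, booleans, {@code JSONObject.NULL}: carry no text and are accepted.</li>
     * </ul>
     *
     * @param obj value to inspect
     * @throws RuntimeException if the value (or a nested one) contains a blacklisted substring
     */
    public static void checkSqlJsonV(Object obj) {
        if (obj instanceof JSONArray) {
            // The array is already parsed; no need to serialise and re-parse it.
            JSONArray array = (JSONArray) obj;
            for (int i = 0; i < array.length(); i++) {
                checkSqlJsonV(array.get(i));
            }
        } else if (obj instanceof JSONObject) {
            checkSqlJson((JSONObject) obj);
        } else if (obj instanceof String) {
            String text = (String) obj;
            if (text.startsWith("{")) {
                checkSqlJsonV(new JSONObject(text));
            } else if (text.startsWith("[")) {
                checkSqlJsonV(new JSONArray(text));
            } else {
                checkSqlStr(text);
            }
        }
    }

    /**
     * Rejects {@code str} if it contains any key of {@link #sqlkeywords},
     * compared case-insensitively. Blank input is accepted.
     *
     * <p>Only the matched keyword is logged, not the value itself, so a
     * malicious payload does not get copied into the error log.
     *
     * @param str value to inspect; blank or {@code null} is accepted
     * @throws IllegalArgumentException (a {@link RuntimeException}) naming the
     *         first blacklisted substring found
     */
    public static void checkSqlStr(String str) {
        if (StringUtils.isBlank(str)) {
            return;
        }
        // Locale.ROOT: under the default locale (e.g. Turkish) "I" folds to a
        // dotless "ı", so "INSERT" would no longer contain "insert" and slip past.
        String lowerCase = str.toLowerCase(Locale.ROOT);
        for (String keyword : sqlkeywords.keySet()) {
            if (lowerCase.contains(keyword)) {
                log.error("参数包含非法字符:" + keyword);
                throw new IllegalArgumentException("参数包含非法字符:" + keyword);
            }
        }
    }

    static {
        // SQL verbs and clause keywords
        sqlkeywords.put("select", "select");
        sqlkeywords.put("insert", "insert");
        sqlkeywords.put("update", "update");
        sqlkeywords.put("delete", "delete");
        sqlkeywords.put("from", "from");
        sqlkeywords.put("drop", "drop");
        sqlkeywords.put("count", "count");
        sqlkeywords.put("truncate", "truncate");
        sqlkeywords.put("declare", "declare");
        sqlkeywords.put("asc(", "asc(");
        sqlkeywords.put("mid(", "mid(");
        sqlkeywords.put("char(", "char(");
        sqlkeywords.put("where", "where");
        // SQL Server system objects and procedures
        sqlkeywords.put("master", "master");
        sqlkeywords.put("netlocalgroup", "netlocalgroup");
        sqlkeywords.put("administrators", "administrators");
        sqlkeywords.put("xp_cmdshell", "xp_cmdshell");
        sqlkeywords.put("exec", "exec");
        sqlkeywords.put("execute", "execute");
        sqlkeywords.put("xp_", "xp_");
        sqlkeywords.put("sp_", "sp_");
        // literal/terminator/comment sequences; "/" alone also rejects dates and paths
        sqlkeywords.put("0x", "0x");
        sqlkeywords.put(";", ";");
        sqlkeywords.put("/or/", "or");
        sqlkeywords.put("*or*", "or");
        sqlkeywords.put(" or ", "or");
        sqlkeywords.put("--", "--");
        sqlkeywords.put("''", "''");
        sqlkeywords.put("#", "#");
        sqlkeywords.put("union", "union");
        sqlkeywords.put("/", "/");
        sqlkeywords.put("//", "//");
        sqlkeywords.put("/**/", "/**/");
        sqlkeywords.put("--+", "--+");
    }
}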
