package org.apache.shindig.gadgets.render;

import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.shindig.common.uri.Uri;
import org.apache.shindig.gadgets.Gadget;
import org.apache.shindig.gadgets.GadgetContext;
import org.apache.shindig.gadgets.GadgetSpecFactory;
import org.apache.shindig.gadgets.http.EchoServer;
import org.apache.shindig.gadgets.parse.caja.CajaCssParser;
import org.apache.shindig.gadgets.parse.caja.CajaCssSanitizer;
import org.apache.shindig.gadgets.rewrite.BaseRewriterTestCase;
import org.apache.shindig.gadgets.rewrite.ContentRewriterFeatureFactory;
import org.apache.shindig.gadgets.rewrite.GadgetRewriter;
import org.apache.shindig.gadgets.rewrite.MutableContent;
import org.apache.shindig.gadgets.spec.GadgetSpec;
import org.apache.shindig.gadgets.spec.View;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/shindig/gadgets/render/SanitizingGadgetRewriterTest.class */
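/**
 * Regression tests for {@link SanitizingGadgetRewriter}.
 *
 * <p>Each case feeds untrusted gadget markup through a rewriter built with an explicit
 * tag allowlist and attribute allowlist, then pins the exact serialized output. The cases
 * cover element and attribute filtering, CSS sanitization, forcing of resource URLs through
 * the sanitizing proxy, URL scheme restrictions, {@code target} restrictions, comment
 * stripping, and the per-element sanitization bypass.
 *
 * <p>In these fixtures sanitization runs when the gadget's content type is
 * {@code x-html-sanitized} or when the request carries {@code sanitize=1}. A plain
 * {@code html} gadget without that parameter is passed through untouched (see
 * {@link #doesNothingWhenNotSanitized()}).
 *
 * <p>These tests pin behaviour for the specific inputs below. They are not an exhaustive
 * statement of what the sanitizer blocks.
 */
public class SanitizingGadgetRewriterTest extends BaseRewriterTestCase {
    // Structural tags that createRewriter() always adds to the caller's tag allowlist.
    // NOTE(review): EchoServer.BODY_PARAM is used as the <body> tag name here - presumably
    // its value is "body"; confirm against EchoServer.
    private static final Set<String> DEFAULT_TAGS = ImmutableSet.of("html", "head", EchoServer.BODY_PARAM);

    // Extracts the body's inner markup. DOTALL is not set, so '.' does not match '\n', and
    // (.+) needs at least one character: output with an empty body or with line breaks does
    // not match and is compared as a full document instead.
    private static final Pattern BODY_REGEX = Pattern.compile(".*<body>(.+)</body>.*");

    private static final String GADGET_URL = "www.example.org/gadget.xml";

    // Request context that asks for sanitization explicitly via sanitize=1.
    private final GadgetContext sanitaryGadgetContext = new GadgetContext() {
        @Override
        public String getParameter(String str) {
            if ("sanitize".equals(str)) {
                return "1";
            }
            return null;
        }

        @Override
        public String getContainer() {
            return BaseRewriterTestCase.MOCK_CONTAINER;
        }
    };

    // Default context: no sanitize parameter, no debug, cache not ignored.
    private final GadgetContext unsanitaryGadgetContext = new GadgetContext();

    // Same as above but with nocache and debug on; the proxied URLs must carry both flags.
    private final GadgetContext unsanitaryGadgetContextNoCacheAndDebug = new GadgetContext() {
        @Override
        public boolean getIgnoreCache() {
            return true;
        }

        @Override
        public boolean getDebug() {
            return true;
        }
    };

    private Gadget gadget;
    private Gadget gadgetNoCacheAndDebug;

    /**
     * Builds the two {@code x-html-sanitized} gadgets shared by most tests.
     *
     * @throws Exception if the base fixture or the gadget spec cannot be set up
     */
    @Override
    @Before
    public void setUp() throws Exception {
        super.setUp();
        this.gadget = newGadget(this.unsanitaryGadgetContext, "x-html-sanitized");
        this.gadgetNoCacheAndDebug = newGadget(this.unsanitaryGadgetContextNoCacheAndDebug, "x-html-sanitized");
    }

    /**
     * Creates a gadget with a minimal spec of the given content type and selects its first view.
     *
     * @param context request context the gadget is rendered under
     * @param contentType value of the {@code type} attribute on the spec's Content element
     * @return the configured gadget
     * @throws Exception if the spec cannot be parsed
     */
    private static Gadget newGadget(GadgetContext context, String contentType) throws Exception {
        Gadget created = new Gadget().setContext(context);
        String specXml = "<Module><ModulePrefs title=''/><Content type='" + contentType + "'/></Module>";
        created.setSpec(new GadgetSpec(Uri.parse(GADGET_URL), specXml));
        created.setCurrentView((View) created.getSpec().getViews().values().iterator().next());
        return created;
    }

    /**
     * Runs the sanitizing rewriter over {@code str} and returns the result.
     *
     * @param gadget gadget whose context and spec decide whether sanitization applies
     * @param str markup to rewrite
     * @param allowedTags tag allowlist (DEFAULT_TAGS are added on top)
     * @param allowedAttributes attribute allowlist
     * @return the body's inner markup when BODY_REGEX matches, otherwise the whole document
     * @throws Exception if rewriting fails
     */
    private String rewrite(Gadget gadget, String str, Set<String> allowedTags, Set<String> allowedAttributes) throws Exception {
        GadgetRewriter rewriter = createRewriter(allowedTags, allowedAttributes);
        MutableContent content = new MutableContent(this.parser, str);
        rewriter.rewrite(gadget, content);
        String rewritten = content.getContent();
        Matcher bodyMatcher = BODY_REGEX.matcher(rewritten);
        if (bodyMatcher.matches()) {
            return bodyMatcher.group(1);
        }
        return rewritten;
    }

    /** Returns a mutable set holding the given names. */
    private static Set<String> set(String... strArr) {
        return Sets.newHashSet(strArr);
    }

    /**
     * Builds the rewriter under test.
     *
     * @param allowedTags tags the caller wants to allow; html, head and body are always added
     * @param allowedAttributes attributes that may survive sanitization
     * @return a rewriter wired to the Caja CSS sanitizer and the sanitizing proxy link rewriter
     */
    private GadgetRewriter createRewriter(Set<String> allowedTags, Set<String> allowedAttributes) {
        // Copy first: the caller's set must not be modified by adding the default tags.
        Set<String> tags = new HashSet<String>(allowedTags);
        tags.addAll(DEFAULT_TAGS);
        // NOTE(review): the meaning of the individual ContentRewriterFeatureFactory arguments
        // is not visible from this file - confirm against that class before changing them.
        ContentRewriterFeatureFactory featureFactory =
                new ContentRewriterFeatureFactory((GadgetSpecFactory) null, ".*", "", "HTTP", "embed,img,script,link,style", "false");
        CajaCssSanitizer cssSanitizer = new CajaCssSanitizer(new CajaCssParser());
        return new SanitizingGadgetRewriter(
                tags,
                allowedAttributes,
                featureFactory,
                cssSanitizer,
                new DefaultSanitizingProxyingLinkRewriterFactory(this.rewriterUris));
    }

    /**
     * Returns the inner markup of the rewritten body, failing the test if there is none.
     *
     * <p>Asserting on the match keeps a missing body from surfacing as an
     * IllegalStateException thrown by {@code Matcher.group}.
     */
    private static String bodyOf(MutableContent content) {
        String rewritten = content.getContent();
        Matcher bodyMatcher = BODY_REGEX.matcher(rewritten);
        Assert.assertTrue("no single-line, non-empty <body> in: " + rewritten, bodyMatcher.matches());
        return bodyMatcher.group(1);
    }

    /** Elements outside the tag allowlist are removed together with everything inside them. */
    @Test
    public void enforceTagWhiteList() throws Exception {
        String markup = "<p><style type=\"text/css\">A { font : bold }</style>text <b>bold text</b></p><b>Bold text</b><i>Italic text<b>Bold text</b></i>";
        String expected = "<p>text <b>bold text</b></p><b>Bold text</b>";
        Assert.assertEquals(expected, rewrite(this.gadget, markup, set("p", "b"), set()));
    }

    /** An allowed style element keeps its safe declarations; the 'behavior' declaration is dropped. */
    @Test
    public void enforceStyleSanitized() throws Exception {
        String markup = "<p><style type=\"text/css\">A { font : bold; behavior : bad }</style>text <b>bold text</b></p><b>Bold text</b><i>Italic text<b>Bold text</b></i>";
        // Full document expected: the sanitized CSS contains line breaks, so BODY_REGEX does not match.
        String expected = "<html><head></head><body><p><style>A {\n  font: bold\n}</style>text <b>bold text</b></p><b>Bold text</b></body></html>";
        Assert.assertEquals(expected, rewrite(this.gadget, markup, set("p", "b", "style"), set()));
    }

    /** A stylesheet link is kept, and its proxy URL is rewritten to carry sanitize=1. */
    @Test
    public void enforceStyleLinkRewritten() throws Exception {
        // NOTE(review): the input href has no '&' between fp=45508 and rewriteMime - kept as found; confirm it is intended.
        String markup = "<link rel=\"stylesheet\" href=\"http://www.test.com/dir/proxy?url=http%3A%2F%2Fwww.evil.com%2Fx.css&gadget=www.example.org%2Fgadget.xml&fp=45508rewriteMime=text/css\"/>";
        String expected = "<html><head><link href=\"http://www.test.com/dir/proxy?url=http%3A%2F%2Fwww.evil.com%2Fx.css&gadget=www.example.org%2Fgadget.xml&fp=45508&sanitize=1&rewriteMime=text/css\" rel=\"stylesheet\"></head><body></body></html>";
        Assert.assertEquals(expected, rewrite(this.gadget, markup, set("link"), set("rel", "href")));
    }

    /** Same as {@link #enforceStyleLinkRewritten()}, with debug=1 and nocache=1 carried into the proxy URL. */
    @Test
    public void enforceStyleLinkRewrittenNoCacheAndDebug() throws Exception {
        String markup = "<link rel=\"stylesheet\" href=\"http://www.test.com/dir/proxy?url=http%3A%2F%2Fwww.evil.com%2Fx.css&gadget=www.example.org%2Fgadget.xml&fp=45508rewriteMime=text/css\"/>";
        String expected = "<html><head><link href=\"http://www.test.com/dir/proxy?url=http%3A%2F%2Fwww.evil.com%2Fx.css&gadget=www.example.org%2Fgadget.xml&fp=45508&debug=1&nocache=1&sanitize=1&rewriteMime=text/css\" rel=\"stylesheet\"></head><body></body></html>";
        Assert.assertEquals(expected, rewrite(this.gadgetNoCacheAndDebug, markup, set("link"), set("rel", "href")));
    }

    /** A link whose rel is not a stylesheet is removed even though link, rel and href are all allowed. */
    @Test
    public void enforceNonStyleLinkStripped() throws Exception {
        String markup = "<link rel=\"script\" href=\"www.exmaple.org/evil.js\"/>";
        String expected = "<html><head></head><body></body></html>";
        Assert.assertEquals(expected, rewrite(this.gadget, markup, set("link"), set("rel", "href", "type")));
    }

    /** Same as {@link #enforceNonStyleLinkStripped()} under the nocache and debug context. */
    @Test
    public void enforceNonStyleLinkStrippedNoCacheAndDebug() throws Exception {
        String markup = "<link rel=\"script\" href=\"www.exmaple.org/evil.js\"/>";
        String expected = "<html><head></head><body></body></html>";
        Assert.assertEquals(expected, rewrite(this.gadgetNoCacheAndDebug, markup, set("link"), set("rel", "href", "type")));
    }

    /** A CSS @import target is rewritten to go through the proxy with sanitize=1 and a text/css rewrite type. */
    @Test
    public void enforceCssImportLinkRewritten() throws Exception {
        String markup = "<style type=\"text/css\">@import url('www.evil.com/x.js');</style>";
        String expected = "<html><head><style>@import url('http://www.test.com/dir/proxy?url=www.example.org%2Fwww.evil.com%2Fx.js&gadget=www.example.org%2Fgadget.xml&fp=45508&sanitize=1&rewriteMime=text%2Fcss');</style></head><body></body></html>";
        Assert.assertEquals(expected, rewrite(this.gadget, markup, set("style"), set()));
    }

    /** Same as {@link #enforceCssImportLinkRewritten()}, with debug=1 and nocache=1 carried into the proxy URL. */
    @Test
    public void enforceCssImportLinkRewrittenNoCacheAndDebug() throws Exception {
        String markup = "<style type=\"text/css\">@import url('www.evil.com/x.js');</style>";
        String expected = "<html><head><style>@import url('http://www.test.com/dir/proxy?url=www.example.org%2Fwww.evil.com%2Fx.js&gadget=www.example.org%2Fgadget.xml&fp=45508&debug=1&nocache=1&sanitize=1&rewriteMime=text%2Fcss');</style></head><body></body></html>";
        Assert.assertEquals(expected, rewrite(this.gadgetNoCacheAndDebug, markup, set("style"), set()));
    }

    /** An @import with a javascript: URL is removed while the remaining rule is kept. */
    @Test
    public void enforceCssImportBadLinkStripped() throws Exception {
        String markup = "<style type=\"text/css\">@import url('javascript:doevil()'); A { font : bold }</style>";
        String expected = "<html><head><style>A {\n  font: bold\n}</style></head><body></body></html>";
        Assert.assertEquals(expected, rewrite(this.gadget, markup, set("style"), set()));
    }

    /** Attributes outside the attribute allowlist are dropped; the element itself stays. */
    @Test
    public void enforceAttributeWhiteList() throws Exception {
        String markup = "<p foo=\"bar\" bar=\"baz\">Paragraph</p>";
        String expected = "<p bar=\"baz\">Paragraph</p>";
        Assert.assertEquals(expected, rewrite(this.gadget, markup, set("p"), set("bar")));
    }

    /** An image src is rewritten to the proxy with sanitize=1 and an image/* rewrite type. */
    @Test
    public void enforceImageSrcProxied() throws Exception {
        String markup = "<img src='http://www.evil.com/x.js'>Evil happens</img>";
        String expected = "<img src=\"http://www.test.com/dir/proxy?url=http%3A%2F%2Fwww.evil.com%2Fx.js&gadget=www.example.org%2Fgadget.xml&fp=45508&sanitize=1&rewriteMime=image/*\">Evil happens";
        Assert.assertEquals(expected, rewrite(this.gadget, markup, set("img"), set("src")));
    }

    /** Same as {@link #enforceImageSrcProxied()}, with debug=1 and nocache=1 carried into the proxy URL. */
    @Test
    public void enforceImageSrcProxiedNoCacheAndDebug() throws Exception {
        String markup = "<img src='http://www.evil.com/x.js'>Evil happens</img>";
        String expected = "<img src=\"http://www.test.com/dir/proxy?url=http%3A%2F%2Fwww.evil.com%2Fx.js&gadget=www.example.org%2Fgadget.xml&fp=45508&debug=1&nocache=1&sanitize=1&rewriteMime=image/*\">Evil happens";
        Assert.assertEquals(expected, rewrite(this.gadgetNoCacheAndDebug, markup, set("img"), set("src")));
    }

    /** An obfuscated script-scheme src (backslash and space inside the scheme) is removed; the img stays. */
    @Test
    public void enforceBadImageUrlStripped() throws Exception {
        String markup = "<img src='java\\ script:evil()'>Evil happens</img>";
        String expected = "<img>Evil happens";
        Assert.assertEquals(expected, rewrite(this.gadget, markup, set("img"), set("src")));
    }

    /** target="_top" is removed even though the target attribute is on the allowlist. */
    @Test
    public void enforceTargetTopRestricted() throws Exception {
        String markup = "<a href=\"http://www.example.com\" target=\"_top\">x</a>";
        String expected = "<a href=\"http://www.example.com\">x</a>";
        Assert.assertEquals(expected, rewrite(this.gadget, markup, set("a"), set("href", "target")));
    }

    /** target="_self" is kept. */
    @Test
    public void enforceTargetSelfAllowed() throws Exception {
        String markup = "<a href=\"http://www.example.com\" target=\"_self\">x</a>";
        Assert.assertEquals(markup, rewrite(this.gadget, markup, set("a"), set("href", "target")));
    }

    /** target="_blank" is kept regardless of letter case. */
    @Test
    public void enforceTargetBlankAllowed() throws Exception {
        String markup = "<a href=\"http://www.example.com\" target=\"_BlAnK\">x</a>";
        Assert.assertEquals(markup, rewrite(this.gadget, markup, set("a"), set("href", "target")));
    }

    /**
     * With the bypass flag set to {@code true}, a marked element, its attributes, its children
     * and its comments all survive, even with empty allowlists.
     */
    @Test
    public void sanitizationBypassAllowed() throws Exception {
        GadgetRewriter rewriter = createRewriter(set(), set());
        MutableContent content = new MutableContent(this.parser, "<p foo=\"bar\"><b>Parag</b><!--raph--></p>");
        Document document = content.getDocument();
        // NOTE(review): presumably notifyEdit makes getContent() reserialize the DOM, so the
        // baseline below is in serialized form - confirm against MutableContent.
        MutableContent.notifyEdit(document);
        String beforeRewrite = content.getContent();
        Element paragraph = (Element) document.getElementsByTagName("p").item(0);
        SanitizingGadgetRewriter.bypassSanitization(paragraph, true);
        rewriter.rewrite(this.gadget, content);
        Assert.assertEquals(beforeRewrite, content.getContent());
    }

    /**
     * With the bypass flag set to {@code false}, only the marked element and its own attributes
     * survive; its children and comments are still sanitized away.
     */
    @Test
    public void sanitizationBypassOnlySelf() throws Exception {
        GadgetRewriter rewriter = createRewriter(set(), set());
        MutableContent content = new MutableContent(this.parser, "<p foo=\"bar\"><b>Parag</b><!--raph--></p>");
        Element paragraph = (Element) content.getDocument().getElementsByTagName("p").item(0);
        SanitizingGadgetRewriter.bypassSanitization(paragraph, false);
        rewriter.rewrite(this.gadget, content);
        Assert.assertEquals("<p foo=\"bar\"></p>", bodyOf(content));
    }

    /** The bypass marking is carried over to a deep clone that replaces the original element. */
    @Test
    public void sanitizationBypassPreservedAcrossClone() throws Exception {
        GadgetRewriter rewriter = createRewriter(set(), set());
        MutableContent content = new MutableContent(this.parser, "<p foo=\"bar\"><b>Parag</b><!--raph--></p>");
        Element paragraph = (Element) content.getDocument().getElementsByTagName("p").item(0);
        SanitizingGadgetRewriter.bypassSanitization(paragraph, false);
        Element clone = (Element) paragraph.cloneNode(true);
        paragraph.getParentNode().replaceChild(clone, paragraph);
        rewriter.rewrite(this.gadget, content);
        Assert.assertEquals("<p foo=\"bar\"></p>", bodyOf(content));
    }

    /**
     * href and src keep http:, https: and protocol-relative URLs. A look-alike scheme
     * (http-evil:) and javascript: are removed from both attributes.
     */
    @Test
    public void restrictHrefAndSrcAttributes() throws Exception {
        String markup = "<element href=\"http://example.org/valid-href\" src=\"http://example.org/valid-src\"/> <element href=\"https://example.org/valid-href\" src=\"https://example.org/valid-src\"/> <element href=\"http-evil://example.org/valid-href\" src=\"http-evil://example.org/valid-src\"/> <element href=\"javascript:evil()\" src=\"javascript:evil()\" /> <element href=\"//example.org/valid-href\" src=\"//example.org/valid-src\"/>";
        String expected = "<element href=\"http://example.org/valid-href\" src=\"http://example.org/valid-src\"></element> <element href=\"https://example.org/valid-href\" src=\"https://example.org/valid-src\"></element> <element></element> <element></element> <element href=\"//example.org/valid-href\" src=\"//example.org/valid-src\"></element>";
        Assert.assertEquals(expected, rewrite(this.gadget, markup, set("element"), set("href", "src")));
    }

    /** HTML comments are removed, including any markup hidden inside them. */
    @Test
    public void allCommentsStripped() throws Exception {
        String markup = "<b>Hello, world</b><!--<b>evil</b>-->";
        String expected = "<b>Hello, world</b>";
        Assert.assertEquals(expected, rewrite(this.gadget, markup, set("b"), set()));
    }

    /**
     * A plain {@code html} gadget without the sanitize parameter is not sanitized at all:
     * the external script passes through unchanged. Sanitization is opt-in in this fixture.
     */
    @Test
    public void doesNothingWhenNotSanitized() throws Exception {
        Gadget plainGadget = newGadget(this.unsanitaryGadgetContext, "html");
        String markup = "<script src=\"http://evil.org/evil\"></script> <b>hello</b>";
        Assert.assertEquals(markup, rewrite(plainGadget, markup, set("b"), set()));
    }

    /** sanitize=1 on the request forces sanitization of a gadget whose content type is plain html. */
    @Test
    public void forceSanitizeUnsanitaryGadget() throws Exception {
        Gadget forcedGadget = newGadget(this.sanitaryGadgetContext, "html");
        String markup = "<p><style type=\"text/css\">A { font : bold; behavior : bad }</style>text <b>bold text</b></p><b>Bold text</b><i>Italic text<b>Bold text</b></i>";
        String expected = "<html><head></head><body><p><style>A {\n  font: bold\n}</style>text <b>bold text</b></p><b>Bold text</b></body></html>";
        Assert.assertEquals(expected, rewrite(forcedGadget, markup, set("p", "b", "style"), set()));
    }
}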
