package com.h3xstream.findsecbugs.serial;

import edu.umd.cs.findbugs.BugInstance;
import edu.umd.cs.findbugs.BugReporter;
import edu.umd.cs.findbugs.Detector;
import edu.umd.cs.findbugs.FieldAnnotation;
import edu.umd.cs.findbugs.ba.CFG;
import edu.umd.cs.findbugs.ba.CFGBuilderException;
import edu.umd.cs.findbugs.ba.ClassContext;
import edu.umd.cs.findbugs.ba.DataflowAnalysisException;
import edu.umd.cs.findbugs.ba.Location;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import org.apache.bcel.classfile.AnnotationEntry;
import org.apache.bcel.classfile.ElementValuePair;
import org.apache.bcel.classfile.Field;
import org.apache.bcel.classfile.JavaClass;
import org.apache.bcel.classfile.Method;
import org.apache.bcel.generic.ConstantPoolGen;
import org.apache.bcel.generic.InvokeInstruction;
import org.apache.bcel.generic.MethodGen;

/* loaded from: classes2.dex */
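/**
 * FindBugs detector that reports Jackson configurations which let the JSON payload
 * choose the Java class to instantiate.
 *
 * <p>Two patterns are reported under the bug type {@code JACKSON_UNSAFE_DESERIALIZATION}:
 * <ul>
 *   <li>a field annotated with {@code @JsonTypeInfo} whose {@code use} element is
 *       {@code CLASS} or {@code MINIMAL_CLASS};</li>
 *   <li>any invocation of a method named {@code enableDefaultTyping}.</li>
 * </ul>
 *
 * <p>Coverage caveats visible in this class (reviewers should not treat a clean scan as
 * proof of safety):
 * <ul>
 *   <li>only <em>field</em> annotations are inspected here; {@code @JsonTypeInfo} placed on a
 *       class, method or parameter is not visited by this detector;</li>
 *   <li>the call check matches on the method name alone, so the receiver type is not
 *       verified and other default-typing entry points are not matched;</li>
 *   <li>methods whose control-flow graph cannot be built are skipped silently.</li>
 * </ul>
 *
 * <p>The single-letter public method names come from the obfuscated/decompiled build this
 * file was recovered from; they are kept because they are presumably the renamed
 * {@link Detector} callbacks (TODO confirm against the Detector interface in this build).
 */
public class UnsafeJacksonDeserializationDetector implements Detector {
    /** Bug pattern identifier attached to every report raised by this detector. */
    private static final String BUG_TYPE = "JACKSON_UNSAFE_DESERIALIZATION";

    /** JVM type descriptors of the annotation that configures polymorphic type handling. */
    private static final List<String> JSON_TYPE_INFO_DESCRIPTORS =
            Arrays.asList("Lcom/fasterxml/jackson/annotation/JsonTypeInfo;");

    /** Values of {@code JsonTypeInfo.use} that embed a Java class name in the JSON document. */
    private static final List<String> CLASS_NAME_TYPE_IDS = Arrays.asList("CLASS", "MINIMAL_CLASS");

    /** Jackson's own mapper classes; they define the flagged method and are not analysed. */
    private static final List<String> OBJECT_MAPPER_CLASSES = Arrays.asList(
            "com.fasterxml.jackson.databind.ObjectMapper",
            "org.codehaus.jackson.map.ObjectMapper");

    /** Priority passed to {@link BugInstance}; 1 is the high-priority level in FindBugs. */
    private static final int REPORT_PRIORITY = 1;

    private final BugReporter bugReporter;

    /**
     * @param bugReporter sink that receives every finding produced by this detector
     */
    public UnsafeJacksonDeserializationDetector(BugReporter bugReporter) {
        this.bugReporter = bugReporter;
    }

    /**
     * Reports the field when it carries a {@code @JsonTypeInfo} annotation whose {@code use}
     * element is one of the class-name based type ids.
     *
     * @param field     field whose annotations are examined
     * @param javaClass class that declares the field; used to locate the finding
     */
    private void inspectField(Field field, JavaClass javaClass) {
        for (AnnotationEntry annotationEntry : field.getAnnotationEntries()) {
            String annotationType = annotationEntry.getAnnotationType();
            // The substring test is deliberately broad: it also matches JsonTypeInfo
            // annotations from other packages (e.g. relocated/shaded copies).
            boolean isTypeInfo = JSON_TYPE_INFO_DESCRIPTORS.contains(annotationType)
                    || annotationType.contains("JsonTypeInfo");
            if (!isTypeInfo) {
                continue;
            }
            for (ElementValuePair elementValuePair : annotationEntry.getElementValuePairs()) {
                boolean usesClassNameId = "use".equals(elementValuePair.getNameString())
                        && CLASS_NAME_TYPE_IDS.contains(elementValuePair.getValue().stringifyValue());
                if (usesClassNameId) {
                    String description = javaClass.getClassName() + " on field " + field.getName()
                            + " of type " + field.getType()
                            + " annotated with " + annotationEntry.toShortString();
                    this.bugReporter.reportBug(new BugInstance(this, BUG_TYPE, REPORT_PRIORITY)
                            .addClass(javaClass)
                            .addString(description)
                            .addField(FieldAnnotation.fromBCELField(javaClass, field))
                            .addString(""));
                }
            }
        }
    }

    /**
     * Walks the method's control-flow graph and reports every invocation of a method named
     * {@code enableDefaultTyping}.
     *
     * <p>NOTE(review): only the method name is compared; the class owning the invoked method
     * is not checked, so an unrelated method with the same name is reported as well.
     *
     * @param method       method to scan
     * @param classContext analysis context of the declaring class
     * @throws CFGBuilderException       if the control-flow graph cannot be built
     * @throws DataflowAnalysisException declared so the caller can handle analysis failures
     *                                   uniformly
     */
    private void inspectMethod(Method method, ClassContext classContext)
            throws CFGBuilderException, DataflowAnalysisException {
        MethodGen methodGen = classContext.getMethodGen(method);
        if (methodGen == null || methodGen.getInstructionList() == null) {
            // No bytecode to scan; checked before building the CFG so that no graph is
            // requested for a method that has no instructions.
            return;
        }
        ConstantPoolGen constantPoolGen = classContext.getConstantPoolGen();
        CFG cfg = classContext.getCFG(method);
        Iterator<Location> locations = cfg.locationIterator();
        while (locations.hasNext()) {
            Location location = locations.next();
            // Typed as the general instruction so the instanceof test actually filters;
            // the decompiled source declared it as InvokeInstruction, which made the
            // check vacuous and relied on an implicit narrowing.
            org.apache.bcel.generic.Instruction instruction = location.getHandle().getInstruction();
            if (!(instruction instanceof InvokeInstruction)) {
                continue;
            }
            InvokeInstruction invokeInstruction = (InvokeInstruction) instruction;
            if ("enableDefaultTyping".equals(invokeInstruction.getMethodName(constantPoolGen))) {
                JavaClass javaClass = classContext.getJavaClass();
                this.bugReporter.reportBug(new BugInstance(this, BUG_TYPE, REPORT_PRIORITY)
                        .addClass(javaClass)
                        .addMethod(javaClass, method)
                        .addCalledMethod(constantPoolGen, invokeInstruction)
                        .addSourceLine(classContext, method, location));
            }
        }
    }

    /**
     * Intentionally empty: findings are reported as they are found, so there is nothing
     * left to flush. Presumably the obfuscated end-of-analysis callback of
     * {@link Detector} (TODO confirm).
     */
    public void a() {
    }

    /**
     * Analyses one class: every field is checked for a risky {@code @JsonTypeInfo} and every
     * method for a call to {@code enableDefaultTyping}. Jackson's own {@code ObjectMapper}
     * classes are skipped.
     *
     * @param classContext analysis context of the class to inspect
     */
    public void a(ClassContext classContext) {
        JavaClass javaClass = classContext.getJavaClass();
        if (OBJECT_MAPPER_CLASSES.contains(javaClass.getClassName())) {
            return;
        }
        for (Field field : javaClass.getFields()) {
            inspectField(field, javaClass);
        }
        for (Method method : javaClass.getMethods()) {
            try {
                inspectMethod(method, classContext);
            } catch (CFGBuilderException | DataflowAnalysisException ignored) {
                // Best effort: a method that cannot be analysed is skipped so the rest of
                // the class is still scanned. The skip is silent, so such a method is a
                // potential false negative for this detector.
            }
        }
    }
}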
