package info.magnolia.cms.security;

import info.magnolia.audit.AuditLoggingUtil;
import info.magnolia.cms.filters.AbstractMgnlFilter;
import info.magnolia.context.MgnlContext;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/magnolia-core-5.3.3.jar:info/magnolia/cms/security/CsrfSecurityFilter.class */
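/**
 * Referrer-based CSRF guard.
 *
 * <p>A request is passed down the chain only when its {@code Referer} header
 * parses as a URI whose host equals, ignoring case, the host of the request URL.
 * A missing, unparsable or host-less referrer, or a host mismatch, is logged as a
 * possible CSRF attempt and answered with HTTP 400 without invoking the rest of
 * the chain.
 *
 * <p>Limits of this check as implemented here: only the host component is
 * compared (scheme and port are ignored), and clients that legitimately omit the
 * {@code Referer} header are rejected as well.
 */
public class CsrfSecurityFilter extends AbstractMgnlFilter {
    private static final Logger log = LoggerFactory.getLogger(CsrfSecurityFilter.class);
    /** Name of the request header carrying the referring page (servlet header lookup is case-insensitive). */
    public static final String REFERRER = "referer";
    /** Marker shared by the warning log line and the security audit entry. */
    private static final String CSRF_MARKER = "Possible CSRF Attack";

    /**
     * Compares the referrer host with the request host and either continues the
     * chain or rejects the request via {@link #handlePossibleCsrf}.
     *
     * @throws IOException      propagated from the downstream chain
     * @throws ServletException propagated from the downstream chain
     */
    @Override // info.magnolia.cms.filters.AbstractMgnlFilter
    public void doFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        String referrer = httpServletRequest.getHeader(REFERRER);
        String requestUrl = httpServletRequest.getRequestURL().toString();
        if (StringUtils.isEmpty(referrer)) {
            handlePossibleCsrf(httpServletRequest, httpServletResponse, requestUrl);
            return;
        }
        try {
            String referrerHost = new URI(referrer).getHost();
            String requestHost = new URI(requestUrl).getHost();
            // A referrer without a host part (relative or opaque URI) yields null and never matches.
            if (referrerHost != null && referrerHost.equalsIgnoreCase(requestHost)) {
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return;
            }
        } catch (URISyntaxException e) {
            // An unparsable referrer is treated like a missing one; keep the cause visible for troubleshooting
            // rather than dropping it silently as before.
            log.debug("Referrer header could not be parsed as a URI; treating request as possible CSRF.", e);
        }
        handlePossibleCsrf(httpServletRequest, httpServletResponse, requestUrl);
    }

    /**
     * Rejects a request that failed the referrer check: writes a warning and a
     * security audit entry naming the current user and the attempted URL, then
     * sets HTTP 400. The filter chain is not continued.
     *
     * @param httpServletRequest  the rejected request; its remote address goes to the audit log
     *                            (behind a reverse proxy this is the proxy's address)
     * @param httpServletResponse the response, set to {@link HttpServletResponse#SC_BAD_REQUEST}
     * @param str                 the request URL that was attempted
     */
    protected void handlePossibleCsrf(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        // NOTE(review): MgnlContext.getUser() is assumed to be non-null on this path — confirm,
        // otherwise the rejection would surface as an NPE (500) instead of the intended 400.
        String message = String.format(
                "Referrer was null or referrer- and request-host did not match. User '%s' attempted to access url '%s'.",
                MgnlContext.getUser().getName(), str);
        log.warn("{}. {}", CSRF_MARKER, message);
        AuditLoggingUtil.logSecurity(httpServletRequest.getRemoteAddr(), CSRF_MARKER, message);
        httpServletResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
    }
}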
