package com.android.tools.lint.checks;

import com.android.SdkConstants;
import com.android.tools.lint.client.api.JavaEvaluator;
import com.android.tools.lint.detector.api.Category;
import com.android.tools.lint.detector.api.Context;
import com.android.tools.lint.detector.api.Detector;
import com.android.tools.lint.detector.api.Implementation;
import com.android.tools.lint.detector.api.Issue;
import com.android.tools.lint.detector.api.JavaContext;
import com.android.tools.lint.detector.api.Project;
import com.android.tools.lint.detector.api.Scope;
import com.android.tools.lint.detector.api.Severity;
import com.android.tools.lint.detector.api.SourceCodeScanner;
import com.android.tools.lint.detector.api.XmlContext;
import com.android.tools.lint.detector.api.XmlScanner;
import com.android.utils.XmlUtils;
import com.google.common.collect.Sets;
import com.intellij.psi.PsiElement;
import com.intellij.psi.PsiMember;
import com.intellij.psi.PsiMethod;
import com.intellij.psi.PsiParameter;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.jetbrains.uast.UCallExpression;
import org.jetbrains.uast.UClass;
import org.jetbrains.uast.USimpleNameReferenceExpression;
import org.jetbrains.uast.UastFacade;
import org.jetbrains.uast.util.UastExpressionUtils;
import org.jetbrains.uast.visitor.AbstractUastVisitor;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:com/android/tools/lint/checks/UnsafeBroadcastReceiverDetector.class */
public class UnsafeBroadcastReceiverDetector extends Detector implements SourceCodeScanner, XmlScanner {
    public static final Issue ACTION_STRING = Issue.create("UnsafeProtectedBroadcastReceiver", "Unsafe Protected `BroadcastReceiver`", "`BroadcastReceiver`s that declare an intent-filter for a protected-broadcast action string must check that the received intent's action string matches the expected value, otherwise it is possible for malicious actors to spoof intents.", Category.SECURITY, 6, Severity.WARNING, new Implementation(UnsafeBroadcastReceiverDetector.class, EnumSet.of(Scope.MANIFEST, Scope.JAVA_FILE), Scope.JAVA_FILE_SCOPE)).addMoreInfo("https://goo.gle/UnsafeProtectedBroadcastReceiver");
    public static final Issue BROADCAST_SMS = Issue.create("UnprotectedSMSBroadcastReceiver", "Unprotected SMS `BroadcastReceiver`", "BroadcastReceivers that declare an intent-filter for `SMS_DELIVER` or `SMS_RECEIVED` must ensure that the caller has the `BROADCAST_SMS` permission, otherwise it is possible for malicious actors to spoof intents.", Category.SECURITY, 6, Severity.WARNING, new Implementation(UnsafeBroadcastReceiverDetector.class, Scope.MANIFEST_SCOPE)).addMoreInfo("https://goo.gle/UnprotectedSMSBroadcastReceiver");
    private Set<String> mReceiversWithProtectedBroadcastIntentFilter = null;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/android/tools/lint/checks/UnsafeBroadcastReceiverDetector$OnReceiveVisitor.class */
    public static class OnReceiveVisitor extends AbstractUastVisitor {
        private final JavaEvaluator mEvaluator;
        private final PsiParameter mParameter;
        private boolean mCallsGetAction;
        private boolean mUsesIntent;

        public OnReceiveVisitor(JavaEvaluator javaEvaluator, PsiParameter psiParameter) {
            this.mEvaluator = javaEvaluator;
            this.mParameter = psiParameter;
        }

        public boolean getCallsGetAction() {
            return this.mCallsGetAction;
        }

        public boolean getUsesIntent() {
            return this.mUsesIntent;
        }

        public boolean visitCallExpression(UCallExpression uCallExpression) {
            PsiMember resolve;
            if (!this.mCallsGetAction && UastExpressionUtils.isMethodCall(uCallExpression) && (resolve = uCallExpression.resolve()) != null && "getAction".equals(resolve.getName()) && this.mEvaluator.isMemberInSubClassOf(resolve, SdkConstants.CLASS_INTENT, false)) {
                this.mCallsGetAction = true;
            }
            return super.visitCallExpression(uCallExpression);
        }

        public boolean visitSimpleNameReferenceExpression(USimpleNameReferenceExpression uSimpleNameReferenceExpression) {
            if (!this.mUsesIntent && this.mParameter != null) {
                if (this.mParameter.isEquivalentTo(uSimpleNameReferenceExpression.resolve())) {
                    this.mUsesIntent = true;
                }
            }
            return super.visitSimpleNameReferenceExpression(uSimpleNameReferenceExpression);
        }
    }

    @Override // com.android.tools.lint.detector.api.Detector, com.android.tools.lint.detector.api.XmlScanner
    public Collection<String> getApplicableElements() {
        return Collections.singletonList("receiver");
    }

    @Override // com.android.tools.lint.detector.api.Detector, com.android.tools.lint.detector.api.XmlScanner
    public void visitElement(XmlContext xmlContext, Element element) {
        if ("receiver".equals(element.getTagName())) {
            String resolveManifestName = com.android.tools.lint.detector.api.Lint.resolveManifestName(element, xmlContext.getProject());
            String attributeNS = element.getAttributeNS("http://schemas.android.com/apk/res/android", "permission");
            if (attributeNS.isEmpty()) {
                attributeNS = ((Element) element.getParentNode()).getAttributeNS("http://schemas.android.com/apk/res/android", "permission");
            }
            Element firstSubTagByName = XmlUtils.getFirstSubTagByName(element, "intent-filter");
            if (firstSubTagByName != null) {
                Iterator<Element> it = XmlUtils.getSubTagsByName(firstSubTagByName, "action").iterator();
                while (it.hasNext()) {
                    String attributeNS2 = it.next().getAttributeNS("http://schemas.android.com/apk/res/android", "name");
                    if (("android.provider.Telephony.SMS_DELIVER".equals(attributeNS2) || "android.provider.Telephony.SMS_RECEIVED".equals(attributeNS2)) && !"android.permission.BROADCAST_SMS".equals(attributeNS)) {
                        xmlContext.report(BROADCAST_SMS, element, xmlContext.getNameLocation(element), "BroadcastReceivers that declare an intent-filter for `SMS_DELIVER` or `SMS_RECEIVED` must ensure that the caller has the `BROADCAST_SMS` permission, otherwise it is possible for malicious actors to spoof intents", fix().set("http://schemas.android.com/apk/res/android", "permission", "android.permission.BROADCAST_SMS").build());
                    } else if (BroadcastReceiverUtils.isProtectedBroadcast(attributeNS2)) {
                        if (this.mReceiversWithProtectedBroadcastIntentFilter == null) {
                            this.mReceiversWithProtectedBroadcastIntentFilter = Sets.newHashSet();
                        }
                        this.mReceiversWithProtectedBroadcastIntentFilter.add(resolveManifestName);
                    }
                }
            }
        }
    }

    private Set<String> getReceiversWithProtectedBroadcastIntentFilter(Context context) {
        Project mainProject;
        Document mergedManifest;
        Element firstSubTagByName;
        Element firstSubTagByName2;
        if (this.mReceiversWithProtectedBroadcastIntentFilter == null) {
            this.mReceiversWithProtectedBroadcastIntentFilter = Sets.newHashSet();
            if (!context.getScope().contains(Scope.MANIFEST) && (mergedManifest = (mainProject = context.getMainProject()).getMergedManifest()) != null && mergedManifest.getDocumentElement() != null && (firstSubTagByName = XmlUtils.getFirstSubTagByName(mergedManifest.getDocumentElement(), "application")) != null) {
                for (Element element : XmlUtils.getSubTags(firstSubTagByName)) {
                    if ("receiver".equals(element.getTagName()) && (firstSubTagByName2 = XmlUtils.getFirstSubTagByName(element, "intent-filter")) != null) {
                        Iterator<Element> it = XmlUtils.getSubTagsByName(firstSubTagByName2, "action").iterator();
                        while (it.hasNext()) {
                            if (BroadcastReceiverUtils.isProtectedBroadcast(it.next().getAttributeNS("http://schemas.android.com/apk/res/android", "name"))) {
                                this.mReceiversWithProtectedBroadcastIntentFilter.add(com.android.tools.lint.detector.api.Lint.resolveManifestName(element, mainProject));
                            }
                        }
                    }
                }
            }
        }
        return this.mReceiversWithProtectedBroadcastIntentFilter;
    }

    @Override // com.android.tools.lint.detector.api.Detector, com.android.tools.lint.detector.api.SourceCodeScanner
    public List<String> applicableSuperClasses() {
        return Collections.singletonList(SdkConstants.CLASS_BROADCASTRECEIVER);
    }

    @Override // com.android.tools.lint.detector.api.Detector, com.android.tools.lint.detector.api.SourceCodeScanner
    public void visitClass(JavaContext javaContext, UClass uClass) {
        String qualifiedName;
        if (uClass.getName() == null || (qualifiedName = uClass.getQualifiedName()) == null || !getReceiversWithProtectedBroadcastIntentFilter(javaContext).contains(qualifiedName)) {
            return;
        }
        JavaEvaluator evaluator = javaContext.getEvaluator();
        for (PsiMethod psiMethod : uClass.findMethodsByName("onReceive", false)) {
            if (evaluator.parametersMatch(psiMethod, SdkConstants.CLASS_CONTEXT, SdkConstants.CLASS_INTENT)) {
                checkOnReceive(javaContext, psiMethod);
            }
        }
    }

    private static void checkOnReceive(JavaContext javaContext, PsiMethod psiMethod) {
        OnReceiveVisitor onReceiveVisitor = new OnReceiveVisitor(javaContext.getEvaluator(), psiMethod.getParameterList().getParameters()[1]);
        UastFacade.INSTANCE.getMethodBody(psiMethod).accept(onReceiveVisitor);
        if (onReceiveVisitor.getCallsGetAction()) {
            return;
        }
        javaContext.report(ACTION_STRING, (PsiElement) psiMethod, javaContext.getNameLocation((PsiElement) psiMethod), !onReceiveVisitor.getUsesIntent() ? "This broadcast receiver declares an intent-filter for a protected broadcast action string, which can only be sent by the system, not third-party applications. However, the receiver's `onReceive` method does not appear to call `getAction` to ensure that the received Intent's action string matches the expected value, potentially making it possible for another actor to send a spoofed intent with no action string or a different action string and cause undesired behavior." : "This broadcast receiver declares an intent-filter for a protected broadcast action string, which can only be sent by the system, not third-party applications. However, the receiver's onReceive method does not appear to call getAction to ensure that the received Intent's action string matches the expected value, potentially making it possible for another actor to send a spoofed intent with no action string or a different action string and cause undesired behavior. In this case, it is possible that the onReceive method passed the received Intent to another method that checked the action string. If so, this finding can safely be ignored.");
    }
}
