package com.atlassian.stash.internal.web.filters;

import com.atlassian.plugins.rest.common.security.jersey.AntiSniffingResponseFilter;
import com.google.common.base.Predicate;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Iterables;
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

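/**
 * Servlet filter that writes a baseline set of browser security response headers on every
 * request passing through it:
 * <ul>
 *   <li>{@code X-XSS-Protection: 1; mode=block} – unless an earlier filter set it, or the
 *       request path is exempted for that header;</li>
 *   <li>{@code X-Frame-Options: SAMEORIGIN} – unless an earlier filter set it, or the request
 *       path is exempted for that header;</li>
 *   <li>{@code X-Content-Type-Options} – always, with the value shared with the REST
 *       {@link AntiSniffingResponseFilter}, overwriting any earlier value.</li>
 * </ul>
 * <p>
 * Security notes for maintainers:
 * <ul>
 *   <li>The headers are written <em>before</em> the rest of the chain runs, so a downstream
 *       filter or servlet can still overwrite or remove them; the {@code containsHeader} checks
 *       only honour headers set by filters that ran earlier.</li>
 *   <li>The {@code X-Frame-Options} exemption for {@code /plugins/servlet/.*} covers every
 *       plugin servlet, so such pages are frameable from any origin unless the plugin sets the
 *       header (or an equivalent CSP {@code frame-ancestors} directive) itself. Keep this list
 *       as narrow as possible.</li>
 *   <li>Exemptions are matched against the container-provided servlet path + path info,
 *       anchored over the whole path. Whether path parameters ({@code ;jsessionid=...}) or
 *       encoded segments are stripped/normalised before this filter sees the path depends on the
 *       servlet container – verify for the deployed container.</li>
 *   <li>NOTE(review): {@code X-XSS-Protection: 1; mode=block} is kept for compatibility with
 *       older browsers; current browsers ignore the header and current guidance (OWASP) favours
 *       {@code 0} or omitting it. Revisit if the supported-browser matrix changes.</li>
 * </ul>
 */
@Component("standardResponseHeadersFilter")
/* loaded from: input_file:WEB-INF/classes/com/atlassian/stash/internal/web/filters/StandardResponseHeadersFilter.class */
public class StandardResponseHeadersFilter extends OncePerRequestFilter {
    static final String X_XSS_PROTECTION = "X-XSS-Protection";
    static final String X_CONTENT_TYPE_OPTIONS = "X-Content-Type-Options";
    static final String X_FRAME_OPTIONS = "X-Frame-Options";

    /** Value written when no earlier filter has set {@code X-XSS-Protection}. */
    private static final String X_XSS_PROTECTION_VALUE = "1; mode=block";
    /** Value written when no earlier filter has set {@code X-Frame-Options}. */
    private static final String X_FRAME_OPTIONS_VALUE = "SAMEORIGIN";

    /**
     * Request paths (servlet path + path info) that are exempt from a given header, keyed by
     * header name. A pattern must match the whole path. Headers without an entry are never
     * exempt, so matching is fail-closed.
     */
    private static final Map<String, Iterable<Pattern>> WHITE_LIST_BY_HEADER =
            ImmutableMap.<String, Iterable<Pattern>>builder()
                    .put(X_FRAME_OPTIONS, ImmutableList.<Pattern>of(
                            // every plugin servlet – see the class comment on the clickjacking
                            // trade-off this implies
                            Pattern.compile("/plugins/servlet/.*"),
                            // the login page only (exact match); presumably so it can be embedded –
                            // confirm with the callers that rely on it before changing
                            Pattern.compile("/mvc/login")))
                    .build();

    /**
     * Writes the standard headers to the response and then continues the filter chain.
     *
     * @param httpServletRequest  the current request; only its servlet path and path info are read
     * @param httpServletResponse the response the headers are written to
     * @param filterChain         the remaining chain, invoked after the headers are set
     * @throws ServletException propagated from the chain
     * @throws IOException      propagated from the chain
     */
    @Override // org.springframework.web.filter.OncePerRequestFilter
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (shouldSet(X_XSS_PROTECTION, httpServletRequest, httpServletResponse)) {
            httpServletResponse.setHeader(X_XSS_PROTECTION, X_XSS_PROTECTION_VALUE);
        }
        if (shouldSet(X_FRAME_OPTIONS, httpServletRequest, httpServletResponse)) {
            httpServletResponse.setHeader(X_FRAME_OPTIONS, X_FRAME_OPTIONS_VALUE);
        }
        // Unconditional (no containsHeader check and no exemption list): any earlier value is
        // overwritten with the value the REST layer's anti-sniffing filter uses.
        httpServletResponse.setHeader(X_CONTENT_TYPE_OPTIONS, AntiSniffingResponseFilter.ANTI_SNIFFING_HEADER_VALUE);
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Whether {@code header} should be written: it has not been set by an earlier filter and
     * the request path is not exempt from it.
     */
    private static boolean shouldSet(String header, HttpServletRequest request, HttpServletResponse response) {
        return !response.containsHeader(header) && !isWhiteListed(header, request);
    }

    /**
     * Whether the request path is exempt from {@code header}.
     * <p>
     * The path compared is {@code servletPath + pathInfo}. {@link HttpServletRequest#getPathInfo()}
     * returns {@code null} when the servlet mapping leaves no extra path (e.g. an exact mapping
     * such as {@code /mvc/login}); a null path info is treated as the empty string here so that
     * the literal text {@code "null"} is never appended and exact-path patterns can still match.
     * An unknown header or no matching pattern yields {@code false} (not exempt).
     *
     * @param header  response header name, e.g. {@link #X_FRAME_OPTIONS}
     * @param request the request whose path is checked
     * @return {@code true} if some exemption pattern matches the whole request path
     */
    private static boolean isWhiteListed(String header, HttpServletRequest request) {
        Iterable<Pattern> exemptions = WHITE_LIST_BY_HEADER.get(header);
        if (exemptions == null) {
            return false;
        }
        String pathInfo = request.getPathInfo();
        String path = request.getServletPath() + (pathInfo == null ? "" : pathInfo);
        for (Pattern pattern : exemptions) {
            // matches() anchors both ends: a pattern must cover the entire path, not a prefix
            if (pattern.matcher(path).matches()) {
                return true;
            }
        }
        return false;
    }
}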
