package io.dogboy.serializationisbad.core;

import io.dogboy.serializationisbad.core.config.PatchModule;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.HashSet;
import java.util.Iterator;

/* loaded from: input_file:io/dogboy/serializationisbad/core/ClassFilteringObjectInputStream.class */
public class ClassFilteringObjectInputStream extends ObjectInputStream {
    private final PatchModule patchModule;

    public ClassFilteringObjectInputStream(InputStream inputStream, PatchModule patchModule) throws IOException {
        super(inputStream);
        this.patchModule = patchModule;
    }

    private boolean isClassAllowed(String str) {
        if (str.startsWith("[L") && str.endsWith(";")) {
            str = str.substring(2, str.length() - 1);
        } else if (str.startsWith("L") && str.endsWith(";")) {
            str = str.substring(1, str.length() - 1);
        }
        if (SerializationIsBad.getInstance().getConfig().getClassAllowlist().contains(str) || this.patchModule.getClassAllowlist().contains(str)) {
            return true;
        }
        HashSet hashSet = new HashSet(SerializationIsBad.getInstance().getConfig().getPackageAllowlist());
        hashSet.addAll(this.patchModule.getPackageAllowlist());
        Iterator it = hashSet.iterator();
        while (it.hasNext()) {
            if (str.startsWith(((String) it.next()) + ".")) {
                return true;
            }
        }
        return false;
    }

    @Override // java.io.ObjectInputStream
    protected Class<?> resolveClass(ObjectStreamClass objectStreamClass) throws IOException, ClassNotFoundException {
        SerializationIsBad.logger.debug("Resolving class " + objectStreamClass.getName());
        if (!isClassAllowed(objectStreamClass.getName())) {
            SerializationIsBad.logger.warn("Tried to resolve class " + objectStreamClass.getName() + ", which is not allowed to be deserialized");
            if (SerializationIsBad.getInstance().getConfig().isExecuteBlocking()) {
                throw new ClassNotFoundException("Class " + objectStreamClass.getName() + " is not allowed to be deserialized");
            }
        }
        return super.resolveClass(objectStreamClass);
    }
}
