package io.whitesource.cure;

import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.commons.io.FilenameUtils;

/* loaded from: input_file:io/whitesource/cure/SecureObjectInputStream.class */
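/**
 * An {@link ObjectInputStream} that only resolves classes named on an allowlist.
 *
 * <p>Every class descriptor read from the stream passes through
 * {@link #resolveClass(ObjectStreamClass)} before the class is loaded. A descriptor is accepted
 * when its name is in the class allowlist, or when its package equals, or is a sub-package of,
 * an entry in the package allowlist. Anything else aborts deserialization with an
 * {@link InvalidClassException}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Package entries are matched on whole package segments, so an entry {@code com.example}
 *       covers {@code com.example} and {@code com.example.sub} but not
 *       {@code com.exampleother}. A trailing dot on an entry is ignored; null or empty entries
 *       match nothing.</li>
 *   <li>A package entry admits every serializable class in that package tree. Prefer exact class
 *       names where possible and keep package entries narrow.</li>
 *   <li>The class allowlist is held by reference, not copied: later changes to the caller's set
 *       change what this stream accepts. The package allowlist is copied at construction.</li>
 *   <li>Array descriptors (names such as {@code [Ljava.lang.String;}) only match if that exact
 *       name is in the class allowlist.</li>
 * </ul>
 */
public class SecureObjectInputStream extends ObjectInputStream {
    private final Set<String> classesWhitelist;
    private final Set<String> packagesWhitelist;

    /**
     * Creates a stream that accepts only the given class names.
     *
     * @param inputStream the serialized data to read
     * @param set fully qualified names of the classes that may be deserialized (kept by reference)
     * @throws IOException if the stream header cannot be read
     */
    public SecureObjectInputStream(InputStream inputStream, Set<String> set) throws IOException {
        super(inputStream);
        this.packagesWhitelist = new HashSet<>();
        this.classesWhitelist = set;
    }

    /**
     * Creates a stream that accepts the given class names and any class inside the given packages.
     *
     * @param inputStream the serialized data to read
     * @param set fully qualified names of the classes that may be deserialized (kept by reference)
     * @param set2 package names whose classes, including sub-packages, may be deserialized (copied)
     * @throws IOException if the stream header cannot be read
     * @throws NullPointerException if {@code set2} is null
     */
    public SecureObjectInputStream(InputStream inputStream, Set<String> set, Set<String> set2) throws IOException {
        super(inputStream);
        this.packagesWhitelist = new HashSet<>(set2);
        this.classesWhitelist = set;
    }

    /**
     * Resolves a class descriptor only if its name passes the allowlists.
     *
     * @param objectStreamClass the descriptor read from the stream
     * @return the class resolved by {@link ObjectInputStream#resolveClass(ObjectStreamClass)}
     * @throws InvalidClassException if the class name is not allowlisted
     * @throws ClassNotFoundException if an allowlisted class cannot be loaded
     */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass objectStreamClass) throws IOException, ClassNotFoundException {
        String name = objectStreamClass.getName();
        if (this.classesWhitelist.contains(name) || isSubpackage(name)) {
            return super.resolveClass(objectStreamClass);
        }
        // The name comes from the stream, i.e. from the sender; callers that log this
        // message should treat it as untrusted text.
        throw new InvalidClassException("Unauthorized deserialization attempt detected for class " + name);
    }

    /**
     * Tells whether the package of the named class is covered by the package allowlist.
     *
     * @param str the class name taken from the stream descriptor
     * @return {@code true} if the package equals an allowlisted entry or lies beneath it
     */
    private boolean isSubpackage(String str) {
        // Derive the package with plain string operations. A file-name helper applies
        // path-separator rules that have no meaning for class names taken from the stream.
        // A name without any dot is compared as-is.
        int lastDot = str.lastIndexOf('.');
        String packageName = lastDot < 0 ? str : str.substring(0, lastDot);
        String packageWithDot = packageName + ".";
        for (String allowed : this.packagesWhitelist) {
            if (allowed == null || allowed.isEmpty()) {
                // An empty entry would otherwise act as "allow everything".
                continue;
            }
            // Compare with a terminating dot on both sides so the match ends on a package
            // boundary: "com.example" must not admit "com.exampleother".
            String allowedWithDot = allowed.endsWith(".") ? allowed : allowed + ".";
            if (packageWithDot.startsWith(allowedWithDot)) {
                return true;
            }
        }
        return false;
    }
}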
