activestorage-clamav-analyzer 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 64d36015b61b0f2da77d7ad174feabb940e0e4dfa2aa6e95c62a49ec61e9acfc
+  data.tar.gz: 0e92c75870d1733459ca3d4112e07f144dbdf2b5fa4ee75c76c717122ab99004
+SHA512:
+  metadata.gz: 4766a756e4abedaf3e4c0069eefc9a802dc5167f01cb87d8607244f13e39107dca6bb7ff230ac5325fecd38ff3b62d8abdb842b7d796fcfab033d9632400e052
+  data.tar.gz: 9748013cb1bbb086cd237703f58ecf99f3496061eb32966a426ffdef3e2c418dcf176e4e77a6d92282b2fa41455ae50f1bb330776441ec1c3798b6b8ea122a07

data/.github/workflows/ruby.yml

@@ -0,0 +1,24 @@
+name: Ruby
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+    - name: Install ClamAV
+      run: sudo apt install clamav clamav-daemon
+    - name: Build and test with Rake
+      run: |
+        gem install bundler
+        bundle install --jobs 4 --retry 3
+        WITH_CLAMD=true bundle exec rake

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,4 @@
+AllCops:
+  TargetRubyVersion: 2.5
+  NewCops: enable
+  SuggestExtensions: false

data/.tool-versions

@@ -0,0 +1 @@
+ruby 3.0.0

data/Gemfile

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in activestorage-clamav-analyzer.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,128 @@
+PATH
+  remote: .
+  specs:
+    activestorage-clamav-analyzer (0.1.0)
+      activestorage
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actionpack (7.0.3)
+      actionview (= 7.0.3)
+      activesupport (= 7.0.3)
+      rack (~> 2.0, >= 2.2.0)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+    actionview (7.0.3)
+      activesupport (= 7.0.3)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+    activejob (7.0.3)
+      activesupport (= 7.0.3)
+      globalid (>= 0.3.6)
+    activemodel (7.0.3)
+      activesupport (= 7.0.3)
+    activerecord (7.0.3)
+      activemodel (= 7.0.3)
+      activesupport (= 7.0.3)
+    activestorage (7.0.3)
+      actionpack (= 7.0.3)
+      activejob (= 7.0.3)
+      activerecord (= 7.0.3)
+      activesupport (= 7.0.3)
+      marcel (~> 1.0)
+      mini_mime (>= 1.1.0)
+    activesupport (7.0.3)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+    ast (2.4.2)
+    builder (3.2.4)
+    coderay (1.1.3)
+    concurrent-ruby (1.1.10)
+    crass (1.0.6)
+    diff-lcs (1.3)
+    erubi (1.10.0)
+    globalid (1.0.0)
+      activesupport (>= 5.0)
+    i18n (1.10.0)
+      concurrent-ruby (~> 1.0)
+    loofah (2.18.0)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    marcel (1.0.2)
+    method_source (1.0.0)
+    mini_mime (1.1.2)
+    mini_portile2 (2.8.0)
+    minitest (5.15.0)
+    nokogiri (1.13.6)
+      mini_portile2 (~> 2.8.0)
+      racc (~> 1.4)
+    parallel (1.22.1)
+    parser (3.1.2.0)
+      ast (~> 2.4.1)
+    pry (0.14.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    racc (1.6.0)
+    rack (2.2.3)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.4.2)
+      loofah (~> 2.3)
+    rainbow (3.1.1)
+    rake (10.5.0)
+    regexp_parser (2.4.0)
+    rexml (3.2.5)
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+    rspec-core (3.8.2)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.4)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-mocks (3.8.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-support (3.8.2)
+    rubocop (1.29.1)
+      parallel (~> 1.10)
+      parser (>= 3.1.0.0)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml (>= 3.2.5, < 4.0)
+      rubocop-ast (>= 1.17.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 3.0)
+    rubocop-ast (1.18.0)
+      parser (>= 3.1.1.0)
+    rubocop-rspec (2.6.0)
+      rubocop (~> 1.19)
+    ruby-progressbar (1.11.0)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
+    unicode-display_width (2.1.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activestorage-clamav-analyzer!
+  bundler (~> 2.0)
+  pry
+  rake (~> 10.0)
+  rspec (~> 3.0)
+  rubocop
+  rubocop-rspec
+
+BUNDLED WITH
+   2.3.11

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Ackama
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,118 @@
+# ActiveStorage::ClamAV::Analyzer
+
+This gem packages an analyzer to perform ClamAV virus scans on uploaded ActiveStorage::Blob objects, adding the results of the scan to the blob metadata.
+
+The actual analyzer is very simple, and can be found in `lib/active_storage/clamav/analyzer` if you would prefer to just drop this in `app/analyzers` in your codebase and prepend it to the analyzers list yourself.
+
+## Installing ClamAV
+
+Ensure you have ClamAV installed. This gem uses these commands, but does not
+set them up if they are missing. On your path you should have:
+
+- `clamav`
+- `clamscan`
+
+On most platforms, you can install ClamAV with the package name:
+
+- Mac OS: `brew install clamav` (Further setup steps are necessary with Homebrewed ClamAV, see https://gist.github.com/mendozao/3ea393b91f23a813650baab9964425b9)
+- Debian/Ubuntu: `apt install clamav`
+
+There are plenty of other installation methods and platforms available. More information about these is available on [ClamAV's website](https://docs.clamav.net/manual/Installing.html)
+
+You can also run ClamAV scans in a Docker container. The [ClamAV documentation] has [an installation page](https://docs.clamav.net/manual/Installing/Docker.html) dedicated to this. While you will have to tune `ActiveStorage::ClamAV::Analyzer.command` for this, it should work with this gem.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'activestorage-clamav-analyzer', require: "active_storage/clamav/analyzer"
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install activestorage-clamav-analyzer
+
+This gem will automatically add itself to the analyzer pipeline and run across any
+supported image files. If you wish to control the precise analyzer order, you can
+manipulate the `ActiveStorage.analyzers` array.
+
+## Usage
+
+This gem automatically adds itself to the analysis pipeline, simply ensure that analysis is run on your uploaded files.
+
+To manually analyze a particular blob, simply grab an attachment and pass the
+blob directly to the analyzer:
+
+```ruby
+ActiveStorage::ClamAV::Analyzer.new(ActiveStorage::Attachment.first.blob).metadata
+ =>  {
+    "analyzed"=>true,
+    "clamav": {
+        "detection": true,
+        "output": "test.txt: Eicar-Signature FOUND\n\n-------" #...
+    }}
+```
+
+## Recipes
+
+#### Scan with ClamD
+
+`clamscan` is the default command, but starts up ClamAV from scratch each time it is run, which takes several seconds.
+Using `clamd` is much faster, but requires you to have started `clamd` ahead of time.
+
+An example of the speedups that are possible:
+
+- `clamscan README.md 9.68s user 0.36s system 96% cpu 10.400 total`
+- `clamdscan README.md 0.01s user 0.00s system 36% cpu 0.026 total`
+
+If your infrastructure set up allows you to run `clamd`, you can adjust the command to use `clamdscan`, which will
+scan files in a fraction of the time:
+
+```ruby
+# config/initializers/active_storage.rb
+ActiveStorage::ClamAV::Analyzer.command = "clamdscan"
+```
+
+#### Scan with a Docker container
+
+ClamAV has comprehensive documentation on [how to scan files in a Docker container](https://docs.clamav.net/manual/Installing/Docker.html).
+If you'd like to do this yourself using the ClamAV analyzer, that's no problem! You'll need to build a custom
+command to mount the blob's tempfile into your container to get the result. `ActiveStorage::ClamAV::Analyzer.command` accepts anything
+that responds to `#call`, so you can customise your command:
+
+```ruby
+# config/initializers/active_storage.rb
+
+clamav_command = (tempfile) -> { "docker run --rm -v #{tempfile.path}:#{tempfile.path} clamav/clamav clamscan" }
+ActiveStorage::ClamAV::Analyzer.command = clamav_command
+```
+
+#### Remove blobs that have a detection
+
+This analyzer records detections, but by default takes no action. Destroying blobs from a library could surprise some library
+users, and also would prevent any investigation of the blob, who uploaded it, and what the exact detection is.
+
+The analyzer does however call a callable (Proc, lambda, etc) when a detection occurs, passing the blob - so it's very simple
+to remove the blob automatically when a detection occurs.
+
+```ruby
+ActiveStorage::ClamAV::Analyzer.on_detection = (blob) -> { blob.destroy }
+```
+
+You can use the same technique to take some other action - perhaps quarantine the blob in some way (make it inactive), or
+add it to a moderation or alert queue.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake` to run the lint checks and tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/ackama/activestorage-clamav-analyzer.

data/Rakefile

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+
+RuboCop::RakeTask.new(:rubocop) do |t|
+  t.options = ['--parallel']
+end
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: %i[rubocop spec]

data/activestorage-clamav-analyzer.gemspec

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+Gem::Specification.new do |spec|
+  spec.name          = 'activestorage-clamav-analyzer'
+  spec.version       = '0.1.0'
+  spec.authors       = ['Josh McArthur']
+  spec.email         = ['joshua.mcarthur@gmail.com']
+  spec.required_ruby_version = '>= 2.5.0'
+
+  spec.summary       = '
+    Performs anti-virus scans on ActiveStorage::Blob objects using ClamAV'
+  spec.description   = '
+    Add ActiveStorage Analyzer class to perform ClamAV virus scans on
+    ActiveStorage::Blob objects. Supports ClamAV daemon mode, custom arguments
+    and callbacks on detection.'
+  spec.homepage      = 'https://github.com/ackama/activestorage-clamav-analyzer'
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = spec.homepage
+  spec.metadata['changelog_uri'] = spec.homepage
+  spec.metadata['rubygems_mfa_required'] = 'true'
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been
+  # added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      f.match(%r{^(test|spec|features)/})
+    end
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 2.0'
+  spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rubocop'
+  spec.add_development_dependency 'rubocop-rspec'
+  spec.add_dependency 'activestorage'
+  spec.metadata['rubygems_mfa_required'] = 'true'
+end

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'activestorage/clamav/analyzer'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+bundle exec rake

data/lib/active_storage/clamav/analyzer.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+require 'open3'
+require 'active_storage'
+require 'active_storage/analyzer/image_analyzer'
+
+module ActiveStorage
+  module ClamAV
+    ##
+    # Uses ClamAV to perform an antivirus scan on the ActiveStorage::Blob,
+    # taking action if a detection occurs and otherwise recording the scan
+    # results as metadata.
+    #
+    # This analyzer requires that ClamAV is installed, but otherwise makes the
+    # command and flags available via accessors on this module.
+    class Analyzer < ActiveStorage::Analyzer
+      ##
+      # Configure the command to run when analyzing blobs. This can either be a
+      # string of command or command + args, or can be a callable object.
+      # If callable, it will be called before analysing, and will pass an
+      # instance of a tempfile. This is useful for using ClamAV via things
+      # like Docker, when you may want to mount the tempfile into a container
+      # for scanning.
+      mattr_accessor :command, default: 'clamscan'
+
+      ##
+      # Configure a callable to run when ClamAV returns a non-zero status
+      # indicating a virus was detected. The callable receives the blob and
+      # can take action to quarantine or remove the blob record, send an alert,
+      # or some other action.
+      mattr_accessor :on_detection, default: ->(blob) {}
+
+      ##
+      # All blobs can be virus scanned
+      def self.accept?
+        true
+      end
+
+      def metadata
+        { clamav: download_blob_to_tempfile(&method(:perform_virus_scan)) }
+      end
+
+      private
+
+      def run_command(*args)
+        command = if self.command.respond_to?(:call)
+                    self.command.call(*args)
+                  else
+                    self.command
+                  end
+
+        stdout, _stderr, status = Open3.capture3(command, *args)
+        status == 127 && \
+          raise("#{command} not found. Is it installed and available on PATH?")
+
+        [stdout, status]
+      end
+
+      def perform_virus_scan(tempfile)
+        output, status = run_command(tempfile.path)
+        on_detection.call(blob) rescue nil unless status.success? # rubocop:disable Style/RescueModifier
+
+        {
+          detection: !status.success?,
+          output: output
+        }
+      end
+    end
+  end
+end
+
+require 'active_storage/clamav/railtie' if defined?(Rails)

data/lib/active_storage/clamav/railtie.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module ActiveStorage
+  module ClamAV
+    ##
+    # Adds the analyser to the list of ActiveStorage analyzers
+    # when the Rails app is configured
+    class Railtie < Rails::Railtie
+      config.active_storage.analyzers.prepend ActiveStorage::ClamAV::Analyzer
+    end
+  end
+end

metadata

@@ -0,0 +1,163 @@
+--- !ruby/object:Gem::Specification
+name: activestorage-clamav-analyzer
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Josh McArthur
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2022-05-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: activestorage
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: |2-
+
+      Add ActiveStorage Analyzer class to perform ClamAV virus scans on
+      ActiveStorage::Blob objects. Supports ClamAV daemon mode, custom arguments
+      and callbacks on detection.
+email:
+- joshua.mcarthur@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/workflows/ruby.yml"
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".tool-versions"
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- activestorage-clamav-analyzer.gemspec
+- bin/console
+- bin/setup
+- lib/active_storage/clamav/analyzer.rb
+- lib/active_storage/clamav/railtie.rb
+homepage: https://github.com/ackama/activestorage-clamav-analyzer
+licenses: []
+metadata:
+  homepage_uri: https://github.com/ackama/activestorage-clamav-analyzer
+  source_code_uri: https://github.com/ackama/activestorage-clamav-analyzer
+  changelog_uri: https://github.com/ackama/activestorage-clamav-analyzer
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.2.3
+signing_key:
+specification_version: 4
+summary: Performs anti-virus scans on ActiveStorage::Blob objects using ClamAV
+test_files: []