ratonvirus 0.1.0

data/lib/ratonvirus/error.rb

@@ -0,0 +1,7 @@
+module Ratonvirus
+  class Error < StandardError; end
+
+  class InvalidError < Error; end
+  class NotDefinedError < Error; end
+  class NotImplementedError < Error; end
+end

data/lib/ratonvirus/processable.rb

@@ -0,0 +1,17 @@
+module Ratonvirus
+  class Processable
+    def initialize(storage, asset)
+      @storage = storage
+      @asset = asset
+    end
+
+    def path(&block)
+      return unless block_given?
+      @storage.asset_path(@asset, &block)
+    end
+
+    def remove
+      @storage.asset_remove(@asset)
+    end
+  end
+end

data/lib/ratonvirus/scanner/addon/remove_infected.rb

@@ -0,0 +1,18 @@
+module Ratonvirus
+  module Scanner
+    module Addon
+      module RemoveInfected
+        def self.extended(validator)
+          validator.after_scan :remove_infected_file
+        end
+
+        private
+          def remove_infected_file(processable)
+            return unless errors.include?(:antivirus_virus_detected)
+
+            processable.remove
+          end
+      end
+    end
+  end
+end

data/lib/ratonvirus/scanner/base.rb

@@ -0,0 +1,154 @@
+module Ratonvirus
+  module Scanner
+    class Base
+      include Support::Callbacks
+
+      class << self
+        def executable?
+          false
+        end
+      end
+
+      attr_reader :config
+      attr_reader :errors # Only available after `virus?` has been called.
+
+      def initialize(configuration={})
+        @config = default_config.merge!(configuration)
+
+        # Make the following callbacks available:
+        # - before_process_scan
+        # - before_scan
+        # - after_scan
+        # - after_process_scan
+        #
+        # Usage:
+        #   module CustomAddon
+        #     def self.extended(validator)
+        #       validator.before_process_scan :around_scan
+        #       validator.before_scan :do_something
+        #       validator.after_scan :do_something
+        #       validator.before_process_scan :around_scan
+        #     end
+        #
+        #     private
+        #       def around_scan(resource)
+        #         puts resource.inspect
+        #         # Depends on the provided resource, e.g.
+        #         # => #<ActiveStorage::Attached::One: ...>
+        #         # => #<ActiveStorage::Attached::Many: ...>
+        #         # => #<CarrierWave::Uploader::Base: ...>
+        #         # => #<File: ...>
+        #         # => #<String: ...>
+        #       end
+        #
+        #       def do_something(processable)
+        #         puts processable.inspect
+        #         # => #<Ratonvirus::Processable: ...>
+        #       end
+        #   end
+        define_callbacks :process_scan # Around the scan for the whole resource
+        define_callbacks :scan # The actual scan for individual assets
+
+        setup
+      end
+
+      # This method can be overridden in the scanner implementations in case
+      # the setup needs to be customized.
+      def setup
+        if config[:force_availability]
+          @available = true
+        else
+          available?
+        end
+      end
+
+      def available?
+        return @available unless @available.nil?
+
+        @available = self.class.executable?
+      end
+
+      # The virus? method runs the scan and returns a boolean indicating
+      # whether the scanner rejected the given resource or detected a virus.
+      # Scanning is mainly used to detect viruses but the scanner can reject the
+      # resource also because of other reasons than it detecting a virus.
+      #
+      # All these cases, however, should be interpreted as the resource
+      # containing a virus because in case there is e.g. a client error, we
+      # cannot be sure whether the file contains a virus and therefore it's
+      # safer to assume the worst.
+      #
+      # Possible errors are:
+      # - :antivirus_virus_detected - A virus was detected.
+      # - :antivirus_file_not_found - The scanner did not find the file for the
+      #   given resource.
+      # - :antivirus_client_error - There was a client error at the scanner,
+      #   e.g. it is temporarily unavailable.
+      def virus?(resource)
+        prepare
+
+        @errors = []
+
+        run_callbacks :process_scan, resource do
+          storage.process(resource) do |processable|
+            # In case multiple processables are processed, make sure that the
+            # local errors for each scan refer only to that scan.
+            errors_before = @errors
+            @errors = []
+
+            begin
+              scan(processable)
+            ensure
+              # Make sure that after the scan, the errors are reverted back to
+              # all errors.
+              @errors = errors_before + @errors
+            end
+          end
+        end
+
+        # Only show unique errors
+        errors.uniq!
+
+        errors.any?
+      end
+
+      protected
+        def default_config
+          {
+            force_availability: false,
+          }
+        end
+
+        def storage
+          Ratonvirus.storage
+        end
+
+        def scan(processable)
+          processable.path do |path|
+            run_callbacks :scan, processable do
+              run_scan(path)
+            end
+          end
+        end
+
+        def run_scan(path)
+          raise NotImplementedError.new(
+            "Implement run_scan on #{self.class.name}"
+          )
+        end
+
+      private
+        # Prepare is called each time before scanning is run. During the first
+        # call to this method, the addons are applied to the scanner instance.
+        def prepare
+          return if @ready
+
+          Ratonvirus.addons.each do |addon_cls|
+            extend addon_cls
+          end
+
+          @ready = true
+        end
+    end
+  end
+end

data/lib/ratonvirus/scanner/eicar.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Ratonvirus
+  module Scanner
+    # Dummy EICAR file scanner to test the integration with this gem.
+    #
+    # Only to be used for testing the functionality of this gem.
+    class Eicar < Base
+      # SHA256 digest of the EICAR test file for virus testing
+      # See: https://en.wikipedia.org/wiki/EICAR_test_file
+      EICAR_SHA256 = '131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267'
+
+      class << self
+        def executable?
+          true
+        end
+      end
+
+      protected
+        def run_scan(path)
+          if !File.file?(path)
+            errors << :antivirus_file_not_found
+          else
+            sha256 = Digest::SHA256.file path
+            if sha256 == EICAR_SHA256
+              errors << :antivirus_virus_detected
+            end
+          end
+        rescue
+          errors << :antivirus_client_error
+        end
+    end
+  end
+end

data/lib/ratonvirus/scanner/support/callbacks.rb

@@ -0,0 +1,84 @@
+module Ratonvirus
+  module Scanner
+    module Support
+      # Provides a simple callbacks implementation to be used with the scanners.
+      #
+      # We cannot use the ActiveSupport::Callbacks because that applies the
+      # callbacks to the whole class. We only want to define callbacks on the
+      # single instance of a class.
+      #
+      # Defining new callbacks hooks to the instance:
+      #   class Cls
+      #     include Ratonvirus::Support::Callbacks
+      #
+      #     def initialize
+      #       define_callbacks :hook
+      #     end
+      #   end
+      #
+      # Triggering the callback hooks:
+      #   class Cls
+      #     # ...
+      #     def some_method
+      #       run_callbacks :hook, resource do
+      #         puts "... do something ..."
+      #       end
+      #     end
+      #     # ...
+      #   end
+      #
+      # Applying functionality to the hooks:
+      #   class Cls
+      #     def attach_callbacks
+      #       before_hook :run_before
+      #       after_hook :run_after
+      #     end
+      #
+      #     def run_before
+      #       puts "This is run before the hook"
+      #     end
+      #
+      #     def run_after
+      #       puts "This is run after the hook"
+      #     end
+      #   end
+      module Callbacks
+        private
+          def run_callbacks(type, *args, &block)
+            if @_callbacks.nil?
+              raise NotDefinedError.new("No callbacks defined")
+            end
+            if @_callbacks[type].nil?
+              raise NotDefinedError.new("Callbacks for #{type} not defined")
+            end
+
+            run_callback_callables @_callbacks[type][:before], *args
+            result = yield *args
+            run_callback_callables @_callbacks[type][:after], *args
+
+            result
+          end
+
+          def run_callback_callables(callables, *args)
+            callables.each do |callable|
+              send(callable, *args)
+            end
+          end
+
+          def define_callbacks(type)
+            @_callbacks ||= {}
+            @_callbacks[type] ||= {}
+            @_callbacks[type][:before] = []
+            @_callbacks[type][:after] = []
+
+            define_singleton_method "before_#{type}" do |callable|
+              @_callbacks[type][:before] << callable
+            end
+            define_singleton_method "after_#{type}" do |callable|
+              @_callbacks[type][:after] << callable
+            end
+          end
+      end
+    end
+  end
+end

data/lib/ratonvirus/storage/active_storage.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+module Ratonvirus
+  module Storage
+    class ActiveStorage < Base
+      def changed?(record, attribute)
+        # With Active Storage we assume the record is always changed because
+        # there is currently no way to know if the attribute has actually
+        # changed.
+        #
+        # Calling record.changed? will not also work because it is not marked
+        # as dirty in case the Active Storage attachment has changed.
+        #
+        # NOTE:
+        # This should be changed in the future as the `attachment_changes` was
+        # introduced to Rails by this commit:
+        # https://github.com/rails/rails/commit/e8682c5bf051517b0b265e446aa1a7eccfd47bf7
+        #
+        # However, it is still not available in Rails 5.2.x.
+        true
+      end
+
+      def accept?(resource)
+        resource.is_a?(::ActiveStorage::Attached::One) ||
+        resource.is_a?(::ActiveStorage::Attached::Many)
+      end
+
+      def process(resource, &block)
+        return unless block_given?
+        return if resource.nil?
+
+        if resource.attached?
+          if resource.is_a?(::ActiveStorage::Attached::One)
+            if resource.attachment
+              yield processable(resource.attachment)
+            end
+          elsif resource.is_a?(::ActiveStorage::Attached::Many)
+            resource.attachments.each do |attachment|
+              yield processable(attachment)
+            end
+          end
+        end
+      end
+
+      def asset_path(asset, &block)
+        return unless block_given?
+        return if asset.nil?
+        return unless asset.blob
+
+        blob_path asset.blob, &block
+      end
+
+      def asset_remove(asset)
+        asset.purge
+      end
+
+      private
+        # This creates a local copy of the blob for the scanning process. A
+        # local copy is needed for processing because the actual blob may be
+        # stored at a remote storage service (such as Amazon S3), meaning it
+        # cannot be otherwise processed locally.
+        #
+        # NOTE:
+        # Later implementations of Active Storage have the blob.open method that
+        # provides similar functionality. However, Rails 5.2.x still does not
+        # include this functionality, so we need to take care of it ourselves.
+        #
+        # This was introduced in the following commit:
+        # https://github.com/rails/rails/commit/ee21b7c2eb64def8f00887a9fafbd77b85f464f1
+        #
+        # SEE:
+        # https://edgeguides.rubyonrails.org/active_storage_overview.html#downloading-files
+        def blob_path(blob)
+          tempfile = Tempfile.open(
+            ["Ratonvirus", blob.filename.extension_with_delimiter ],
+            tempdir
+          )
+
+          begin
+            tempfile.binmode
+            blob.download { |chunk| tempfile.write(chunk) }
+            tempfile.flush
+            tempfile.rewind
+
+            yield tempfile.path
+          ensure
+            tempfile.close!
+          end
+        end
+
+        def tempdir
+          Dir.tmpdir
+        end
+    end
+  end
+end

data/lib/ratonvirus/storage/base.rb

@@ -0,0 +1,56 @@
+module Ratonvirus
+  module Storage
+    class Base
+      attr_reader :config
+
+      def initialize(configuration={})
+        @config = configuration.dup
+
+        if respond_to?(:setup)
+          setup
+        end
+      end
+
+      # Default process implementation.
+      def process(resource)
+        return unless block_given?
+        return if resource.nil?
+
+        resource = [resource] unless resource.is_a?(Array)
+
+        resource.each do |asset|
+          yield processable(asset)
+        end
+      end
+
+      def changed?(record, attribute)
+        raise NotImplementedError.new(
+          "Implement changed? on #{self.class.name}"
+        )
+      end
+
+      def accept?(resource)
+        raise NotImplementedError.new(
+          "Implement accept? on #{self.class.name}"
+        )
+      end
+
+      def asset_path(asset)
+        raise NotImplementedError.new(
+          "Implement path on #{self.class.name}"
+        )
+      end
+
+      def asset_remove(asset)
+        raise NotImplementedError.new(
+          "Implement remove on #{self.class.name}"
+        )
+      end
+
+      protected
+        def processable(asset)
+          Processable.new(self, asset)
+        end
+    end
+  end
+end