npm - @nest-omni/core - Versions diffs - 4.1.3-11 → 4.1.3-13 - Mend

@nest-omni/core 4.1.3-11 → 4.1.3-13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (609) hide show

package/dist/file-upload/services/malicious-file-detector.service.js ADDED Viewed

@@ -0,0 +1,1234 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var MaliciousFileDetector_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MaliciousFileDetector = void 0;
+const common_1 = require("@nestjs/common");
+const fs = require("fs-extra");
+const path = require("path");
+const child_process_1 = require("child_process");
+const util_1 = require("util");
+const execAsync = (0, util_1.promisify)(child_process_1.exec);
+/**
+ * 恶意文件检测服务
+ */
+/**
+ * 恶意文件检测服务（增强版）
+ *
+ * 功能：
+ * 1. 多编码检测 - 支持 UTF-8, UTF-16LE, Latin1, ASCII, Base64
+ * 2. 文件结构分析 - 检测嵌套压缩、可执行内容、Office宏、高熵值、多态性
+ * 3. ClamAV集成 - 支持本地命令行和远程服务两种模式
+ *
+ * 使用示例：
+ * ```typescript
+ * // 方式1: 本地ClamAV（需要在当前机器安装）
+ * FileUploadModule.forRoot({
+ *   maliciousDetection: {
+ *     enableClamAV: true,
+ *     clamavMode: 'local',           // 本地模式
+ *     clamavCommand: 'clamdscan',    // 或 'clamscan'
+ *   },
+ * });
+ *
+ * // 方式2: 远程ClamAV服务（推荐用于生产环境）
+ * FileUploadModule.forRoot({
+ *   maliciousDetection: {
+ *     enableClamAV: true,
+ *     clamavMode: 'remote',          // 远程模式
+ *     clamavRemote: {
+ *       host: 'clamav-server.com',   // ClamAV服务器地址
+ *       port: 3310,                  // ClamAV守护进程端口
+ *       timeout: 30000,              // 超时时间(ms)
+ *     },
+ *   },
+ * });
+ *
+ * // 方式3: 仅使用多编码检测和结构分析（无需安装ClamAV）
+ * FileUploadModule.forRoot({
+ *   maliciousDetection: {
+ *     enableClamAV: false,           // 禁用ClamAV
+ *     enableMultiEncoding: true,     // 启用多编码检测
+ *     enableStructureAnalysis: true, // 启用结构分析
+ *     riskThreshold: 50,             // 风险阈值
+ *   },
+ * });
+ *
+ * // 直接使用服务
+ * const result = await maliciousDetector.scanFile('/path/to/file');
+ * console.log('Is Safe:', result.safe);
+ * console.log('Risk Score:', result.riskScore);
+ * console.log('Threats:', result.threats);
+ * console.log('Details:', result.details);
+ * ```
+ *
+ * 远程ClamAV服务部署示例：
+ * ```bash
+ * # Docker部署ClamAV服务
+ * docker run -d -p 3310:3310 \
+ *   --name clamav \
+ *   clamav/clamav:latest
+ *
+ * # 配置clamd.conf允许远程连接
+ * TCPSocket 3310
+ * TCPAddr 0.0.0.0
+ * StreamMaxLength 100M
+ * ```
+ *
+ * 检测结果示例：
+ * ```json
+ * {
+ *   "safe": false,
+ *   "isMalware": true,
+ *   "riskScore": 85,
+ *   "threats": [
+ *     "PE executable header (Windows)",
+ *     "Script tag injection (base64 encoded)",
+ *     "Executable content detected"
+ *   ],
+ *   "details": {
+ *     "encodingThreats": ["Script tag injection (base64 encoded)"],
+ *     "structureAnalysis": {
+ *       "anomalies": ["Executable content detected"],
+ *       "riskScore": 60,
+ *       "characteristics": {
+ *         "hasExecutableContent": true,
+ *         "entropy": 6.8
+ *       }
+ *     },
+ *     "clamavResult": {
+ *       "scanned": true,
+ *       "infected": true,
+ *       "virusName": "Win.Trojan.Agent"
+ *     }
+ *   }
+ * }
+ * ```
+ */
+let MaliciousFileDetector = MaliciousFileDetector_1 = class MaliciousFileDetector {
+    constructor(options) {
+        this.options = options;
+        this.logger = new common_1.Logger(MaliciousFileDetector_1.name);
+        // 并发控制：当前正在扫描的文件数
+        this.activeScanCount = 0;
+        // 支持的编码列表
+        this.encodings = ['utf8', 'utf16le', 'latin1', 'ascii', 'base64'];
+        // 恶意模式库（多编码）
+        this.maliciousPatterns = [
+            // 脚本注入模式
+            {
+                pattern: /<script[^>]*>.*?<\/script>/gi,
+                description: 'Script tag injection',
+                riskScore: 60,
+            },
+            {
+                pattern: /<iframe[^>]*>/gi,
+                description: 'Iframe injection',
+                riskScore: 50,
+            },
+            {
+                pattern: /on\w+\s*=\s*["'][^"']*["']/gi,
+                description: 'Event handler injection',
+                riskScore: 55,
+            },
+            {
+                pattern: /javascript:\s*[^\s]+/gi,
+                description: 'JavaScript protocol',
+                riskScore: 50,
+            },
+            {
+                pattern: /vbscript:\s*[^\s]+/gi,
+                description: 'VBScript protocol',
+                riskScore: 50,
+            },
+            // Shell命令模式
+            {
+                pattern: /\$\([^)]+\)/g,
+                description: 'Shell command substitution',
+                riskScore: 65,
+            },
+            {
+                pattern: /`[^`]+`/g,
+                description: 'Backtick command execution',
+                riskScore: 65,
+            },
+            {
+                pattern: /eval\s*\(/gi,
+                description: 'Eval function call',
+                riskScore: 70,
+            },
+            {
+                pattern: /exec\s*\(/gi,
+                description: 'Exec function call',
+                riskScore: 70,
+            },
+            // SQL注入模式
+            {
+                pattern: /union\s+select/gi,
+                description: 'SQL injection pattern',
+                riskScore: 45,
+            },
+            {
+                pattern: /';\s*drop\s+table/gi,
+                description: 'SQL drop table pattern',
+                riskScore: 80,
+            },
+            // 二进制注入标记
+            { pattern: /\x00/g, description: 'Null byte injection', riskScore: 40 },
+        ];
+        this.suspiciousSignatures = [
+            // 可执行文件
+            {
+                pattern: [0x4d, 0x5a],
+                description: 'PE executable header (Windows)',
+                riskScore: 70,
+            },
+            {
+                pattern: [0x7f, 0x45, 0x4c, 0x46],
+                description: 'ELF executable header (Linux)',
+                riskScore: 70,
+            },
+            {
+                pattern: [0xfe, 0xed, 0xfa, 0xce],
+                description: 'Mach-O executable header (macOS)',
+                riskScore: 70,
+            },
+            {
+                pattern: [0xfe, 0xed, 0xfa, 0xcf],
+                description: 'Mach-O 64-bit executable (macOS)',
+                riskScore: 70,
+            },
+            // 脚本内容
+            {
+                pattern: '<script',
+                type: 'string',
+                description: 'Script tag detected',
+                riskScore: 40,
+            },
+            {
+                pattern: 'javascript:',
+                type: 'string',
+                description: 'JavaScript protocol',
+                riskScore: 50,
+            },
+            {
+                pattern: 'vbscript:',
+                type: 'string',
+                description: 'VBScript protocol',
+                riskScore: 50,
+            },
+            {
+                pattern: 'data:text/html',
+                type: 'string',
+                description: 'Data URI with HTML',
+                riskScore: 45,
+            },
+            // 宏病毒相关
+            {
+                pattern: 'vbaProject',
+                type: 'string',
+                description: 'VBA Project marker',
+                riskScore: 60,
+            },
+            {
+                pattern: 'Auto_Open',
+                type: 'string',
+                description: 'Auto-execute macro',
+                riskScore: 40,
+            },
+            {
+                pattern: 'Workbook_Open',
+                type: 'string',
+                description: 'Auto-execute macro',
+                riskScore: 40,
+            },
+            // 压缩炸弹检测
+            {
+                pattern: [0x50, 0x4b, 0x03, 0x04],
+                description: 'ZIP header',
+                checkRatio: true,
+                riskScore: 0, // 需要进一步检查压缩比
+            },
+        ];
+        this.options = Object.assign({ enabled: true, enableClamAV: false, clamavMode: 'local', clamavCommand: 'clamdscan', enableMultiEncoding: true, enableStructureAnalysis: true, riskThreshold: 50 }, options);
+        // 初始化并发控制参数
+        this.maxConcurrentScans = this.options.maxConcurrentScans || 5;
+        this.maxScanSize = this.options.maxScanSize || 10 * 1024 * 1024; // 默认 10MB
+        this.scanTimeout = this.options.scanTimeout || 60000; // 默认 60 秒
+        this.logger.debug(`MaliciousFileDetector initialized - maxConcurrent: ${this.maxConcurrentScans}, maxSize: ${this.maxScanSize}, timeout: ${this.scanTimeout}`);
+    }
+    /**
+     * 扫描文件（增强版 - 带并发控制和流式处理）
+     */
+    scanFile(filePath, buffer) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // 检查是否启用
+            if (this.options.enabled === false) {
+                this.logger.debug('Malicious detection is disabled');
+                return {
+                    safe: true,
+                    threats: [],
+                    riskScore: 0,
+                    isMalware: false,
+                };
+            }
+            // 如果没有文件路径且没有buffer，返回安全
+            if (!filePath && !buffer) {
+                this.logger.debug('No file path or buffer provided for scanning');
+                return {
+                    safe: true,
+                    threats: [],
+                    riskScore: 0,
+                    isMalware: false,
+                };
+            }
+            // 并发控制：等待直到有可用的扫描槽位
+            yield this.waitForScanSlot();
+            try {
+                // 增加活跃扫描计数
+                this.activeScanCount++;
+                this.logger.debug(`MaliciousFileDetector: Starting scan (${this.activeScanCount}/${this.maxConcurrentScans}): ${filePath || '(buffer)'}`);
+                // 设置超时保护
+                const scanPromise = this.performScan(filePath, buffer);
+                const timeoutPromise = new Promise((_, reject) => {
+                    setTimeout(() => {
+                        reject(new Error(`Scan timeout after ${this.scanTimeout}ms`));
+                    }, this.scanTimeout);
+                });
+                // 等待扫描完成或超时
+                return yield Promise.race([scanPromise, timeoutPromise]);
+            }
+            finally {
+                // 释放扫描槽位
+                this.activeScanCount--;
+                this.logger.debug(`MaliciousFileDetector: Scan completed (${this.activeScanCount}/${this.maxConcurrentScans})`);
+            }
+        });
+    }
+    /**
+     * 等待直到有可用的扫描槽位
+     */
+    waitForScanSlot() {
+        return __awaiter(this, void 0, void 0, function* () {
+            while (this.activeScanCount >= this.maxConcurrentScans) {
+                this.logger.debug(`MaliciousFileDetector: Waiting for scan slot (${this.activeScanCount}/${this.maxConcurrentScans})`);
+                // 等待 100ms 后重试
+                yield new Promise((resolve) => setTimeout(resolve, 100));
+            }
+        });
+    }
+    /**
+     * 执行实际的扫描操作
+     */
+    performScan(filePath, inputBuffer) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const threats = [];
+            let riskScore = 0;
+            const details = {};
+            try {
+                let scanBuffer;
+                let fileSize;
+                if (inputBuffer) {
+                    // Use provided buffer directly
+                    scanBuffer = inputBuffer;
+                    fileSize = inputBuffer.length;
+                    this.logger.debug(`MaliciousFileDetector: Using provided buffer - size: ${fileSize}`);
+                }
+                else if (filePath) {
+                    // Read file from disk
+                    const stats = yield fs.stat(filePath);
+                    fileSize = stats.size;
+                    this.logger.debug(`MaliciousFileDetector: File stats - size: ${stats.size}`);
+                    // Skip malicious file detection for very small files (< 100 bytes)
+                    // These are usually test placeholders or empty files
+                    if (fileSize < 100) {
+                        this.logger.debug(`MaliciousFileDetector: Skipping scan for very small file (${fileSize} bytes)`);
+                        return {
+                            safe: true,
+                            threats: [],
+                            riskScore: 0,
+                            isMalware: false,
+                        };
+                    }
+                    // 使用流式处理读取文件（防止大文件占用过多内存）
+                    scanBuffer = yield this.readFileStream(filePath, stats.size);
+                    this.logger.debug(`MaliciousFileDetector: File read successfully, buffer size: ${scanBuffer.length}`);
+                }
+                else {
+                    // No input provided
+                    return {
+                        safe: true,
+                        threats: [],
+                        riskScore: 0,
+                        isMalware: false,
+                    };
+                }
+                // Skip malicious file detection for very small buffers (< 100 bytes)
+                if (scanBuffer.length < 100) {
+                    this.logger.debug(`MaliciousFileDetector: Skipping scan for very small buffer (${scanBuffer.length} bytes)`);
+                    return {
+                        safe: true,
+                        threats: [],
+                        riskScore: 0,
+                        isMalware: false,
+                    };
+                }
+                // 1. 检查可疑签名
+                for (const signature of this.suspiciousSignatures) {
+                    if (this.checkSignature(scanBuffer, signature)) {
+                        threats.push(signature.description);
+                        riskScore += signature.riskScore;
+                        this.logger.debug(`MaliciousFileDetector: Found suspicious signature: ${signature.description}, risk: ${signature.riskScore}`);
+                        // 如果需要检查压缩比
+                        if (signature.checkRatio && filePath) {
+                            const ratio = yield this.checkCompressionRatio(filePath, scanBuffer);
+                            if (ratio > 100) {
+                                threats.push('Suspicious compression ratio (possible zip bomb)');
+                                riskScore += 50;
+                                this.logger.debug(`MaliciousFileDetector: Found suspicious compression ratio: ${ratio}`);
+                            }
+                        }
+                    }
+                }
+                // 2. 多编码检测（新增）
+                if (this.options.enableMultiEncoding) {
+                    const encodingResult = this.detectMultiEncodingThreats(scanBuffer);
+                    if (encodingResult.threats.length > 0) {
+                        threats.push(...encodingResult.threats);
+                        riskScore += encodingResult.riskScore;
+                        details.encodingThreats = encodingResult.threats;
+                        this.logger.debug(`MaliciousFileDetector: Multi-encoding threats found: ${encodingResult.threats.join(', ')}, risk: ${encodingResult.riskScore}`);
+                    }
+                }
+                // 3. 文件结构分析（新增）
+                if (this.options.enableStructureAnalysis) {
+                    const structureResult = yield this.analyzeFileStructure(filePath, scanBuffer);
+                    if (structureResult.anomalies.length > 0) {
+                        threats.push(...structureResult.anomalies);
+                        riskScore += structureResult.riskScore;
+                        details.structureAnalysis = structureResult;
+                        this.logger.debug(`MaliciousFileDetector: Structure analysis threats found: ${structureResult.anomalies.join(', ')}, risk: ${structureResult.riskScore}`);
+                    }
+                }
+                // 4. ClamAV扫描（新增，可选）
+                if (this.options.enableClamAV && filePath) {
+                    const clamavResult = yield this.scanWithClamAV(filePath);
+                    details.clamavResult = clamavResult;
+                    if (clamavResult.infected) {
+                        threats.push(`Virus detected: ${clamavResult.virusName}`);
+                        riskScore += 100; // 直接判定为恶意
+                        this.logger.debug(`MaliciousFileDetector: ClamAV detected virus: ${clamavResult.virusName}`);
+                    }
+                }
+                // 5. 检查文件名
+                if (filePath) {
+                    const fileName = path.basename(filePath);
+                    if (this.hasSuspiciousName(fileName)) {
+                        threats.push('Suspicious filename pattern');
+                        riskScore += 20;
+                        this.logger.debug(`MaliciousFileDetector: Suspicious filename pattern detected: ${fileName}`);
+                    }
+                    // 6. 检查双扩展名
+                    if (this.hasDoubleExtension(fileName)) {
+                        threats.push('Double extension detected');
+                        riskScore += 30;
+                        this.logger.debug(`MaliciousFileDetector: Double extension detected: ${fileName}`);
+                    }
+                    // 7. 检查隐藏扩展名技巧
+                    if (this.hasHiddenExtension(fileName)) {
+                        threats.push('Hidden extension trick detected');
+                        riskScore += 40;
+                        this.logger.debug(`MaliciousFileDetector: Hidden extension trick detected: ${fileName}`);
+                    }
+                }
+                // 8. 检查文件大小异常
+                if (fileSize > 500 * 1024 * 1024) {
+                    // 大于500MB
+                    threats.push('Unusually large file size');
+                    riskScore += 15;
+                    this.logger.debug(`MaliciousFileDetector: Unusually large file size: ${fileSize}`);
+                }
+                // 9. 动态阈值调整（小文件更宽松）
+                let threshold = this.options.riskThreshold || 50;
+                if (fileSize < 1024) {
+                    // 小于1KB的文件，提高阈值（减少误报）
+                    threshold = Math.max(threshold, 80);
+                    this.logger.debug(`MaliciousFileDetector: Using increased threshold for small file (${fileSize} bytes): ${threshold}`);
+                }
+                else if (fileSize < 10 * 1024) {
+                    // 小于10KB的文件，适当提高阈值
+                    threshold = Math.max(threshold, 65);
+                    this.logger.debug(`MaliciousFileDetector: Using increased threshold for medium-small file (${fileSize} bytes): ${threshold}`);
+                }
+                const isSafe = riskScore < threshold;
+                this.logger.debug(`MaliciousFileDetector: Final result - safe: ${isSafe}, riskScore: ${riskScore}, threshold: ${threshold}, threats: ${threats.join(', ')}`);
+                return {
+                    safe: isSafe,
+                    threats,
+                    riskScore: Math.min(riskScore, 100),
+                    isMalware: riskScore >= 70,
+                    details: Object.keys(details).length > 0 ? details : undefined,
+                };
+            }
+            catch (error) {
+                this.logger.error(`Error scanning file: ${error.message}`);
+                return {
+                    safe: false,
+                    threats: ['Unable to scan file: ' + error.message],
+                    riskScore: 100,
+                    isMalware: true,
+                };
+            }
+        });
+    }
+    /**
+     * 使用流式处理读取文件（防止大文件占用过多内存）
+     */
+    readFileStream(filePath, fileSize) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // 限制读取大小
+            const readSize = Math.min(fileSize, this.maxScanSize);
+            // 如果文件较小，直接读取
+            if (fileSize <= 1024 * 1024) {
+                // 1MB 以下直接读取
+                return fs.readFile(filePath);
+            }
+            // 大文件使用流式处理
+            return new Promise((resolve, reject) => {
+                const chunks = [];
+                let totalRead = 0;
+                const stream = fs.createReadStream(filePath, {
+                    highWaterMark: 64 * 1024, // 每次读取 64KB
+                    end: readSize - 1, // 只读取前 N 字节
+                });
+                stream.on('data', (chunk) => {
+                    chunks.push(chunk);
+                    totalRead += chunk.length;
+                    // 额外的安全检查：如果超过限制，立即停止
+                    if (totalRead > this.maxScanSize) {
+                        stream.destroy();
+                        reject(new Error(`File size exceeds scan limit: ${this.maxScanSize}`));
+                    }
+                });
+                stream.on('end', () => {
+                    const buffer = Buffer.concat(chunks);
+                    this.logger.debug(`Read ${buffer.length} bytes from ${filePath} using stream`);
+                    resolve(buffer);
+                });
+                stream.on('error', (error) => {
+                    reject(error);
+                });
+            });
+        });
+    }
+    /**
+     * 检查签名
+     */
+    checkSignature(buffer, signature) {
+        if (signature.type === 'string') {
+            const content = buffer.toString('ascii').toLowerCase();
+            return content.includes(signature.pattern.toLowerCase());
+        }
+        else {
+            return this.bufferContains(buffer, signature.pattern);
+        }
+    }
+    /**
+     * 缓冲区包含检查
+     */
+    bufferContains(buffer, pattern) {
+        for (let i = 0; i <= buffer.length - pattern.length; i++) {
+            let match = true;
+            for (let j = 0; j < pattern.length; j++) {
+                if (buffer[i + j] !== pattern[j]) {
+                    match = false;
+                    break;
+                }
+            }
+            if (match)
+                return true;
+        }
+        return false;
+    }
+    /**
+     * 检查压缩比（简单实现）
+     */
+    checkCompressionRatio(filePath, buffer) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // 简化版本：检查ZIP文件的压缩信息
+            // 完整实现需要解析ZIP结构
+            const compressedSize = (yield fs.stat(filePath)).size;
+            // 读取ZIP中央目录来估算未压缩大小
+            // 这里使用简单的启发式：如果文件很小但声称很大，可能是炸弹
+            if (compressedSize < 10 * 1024 && buffer.length < 10 * 1024) {
+                // 小于10KB的文件，假设正常
+                return 10;
+            }
+            // 保守估计：返回较低的比率避免误报
+            return 10;
+        });
+    }
+    /**
+     * 检查可疑文件名
+     */
+    hasSuspiciousName(fileName) {
+        const suspiciousPatterns = [
+            /\.exe$/i,
+            /\.scr$/i,
+            /\.bat$/i,
+            /\.cmd$/i,
+            /\.vbs$/i,
+            /\.js$/i,
+            /\.jar$/i,
+            /\.com$/i,
+            /\.pif$/i,
+            /\.application$/i,
+            /\.gadget$/i,
+            /\.msi$/i,
+            /\.msp$/i,
+            /\.cpl$/i,
+            /\.dll$/i,
+            /\.hta$/i,
+            /\.ws$/i,
+            /\.wsf$/i,
+        ];
+        return suspiciousPatterns.some((pattern) => pattern.test(fileName));
+    }
+    /**
+     * 检查双扩展名
+     */
+    hasDoubleExtension(fileName) {
+        // 例如: document.pdf.exe, photo.jpg.scr
+        const dangerousExtensions = [
+            '.exe',
+            '.scr',
+            '.bat',
+            '.cmd',
+            '.vbs',
+            '.com',
+        ];
+        const lowerName = fileName.toLowerCase();
+        const parts = lowerName.split('.');
+        if (parts.length < 3) {
+            return false;
+        }
+        // 检查倒数第二个扩展名是否是安全的，最后一个是危险的
+        const lastExt = '.' + parts[parts.length - 1];
+        const secondLastExt = '.' + parts[parts.length - 2];
+        const safeExtensions = [
+            '.jpg',
+            '.jpeg',
+            '.png',
+            '.gif',
+            '.pdf',
+            '.doc',
+            '.docx',
+            '.txt',
+        ];
+        return (safeExtensions.includes(secondLastExt) &&
+            dangerousExtensions.includes(lastExt));
+    }
+    /**
+     * 检查隐藏扩展名技巧
+     */
+    hasHiddenExtension(fileName) {
+        // 检查是否使用空格或特殊字符隐藏真实扩展名
+        // 例如: "document.pdf                    .exe"
+        // 检查文件名中是否有多个连续空格
+        if (/\s{5,}/.test(fileName)) {
+            return true;
+        }
+        // 检查是否使用了右到左覆盖字符 (RTLO attack)
+        // U+202E
+        if (fileName.includes('\u202E')) {
+            return true;
+        }
+        // 检查是否使用了零宽字符
+        if (/[\u200B-\u200D\uFEFF]/.test(fileName)) {
+            return true;
+        }
+        return false;
+    }
+    /**
+     * 多编码检测（新增）
+     * 通过多种编码方式解析文件内容，检测隐藏的恶意模式
+     */
+    detectMultiEncodingThreats(buffer) {
+        const threats = [];
+        let riskScore = 0;
+        // 遍历所有编码方式
+        for (const encoding of this.encodings) {
+            try {
+                let content;
+                // 特殊处理base64编码
+                if (encoding === 'base64') {
+                    // 尝试将buffer解码为base64
+                    const base64Pattern = /[A-Za-z0-9+/]{20,}={0,2}/g;
+                    const asciiContent = buffer.toString('ascii');
+                    const matches = asciiContent.match(base64Pattern);
+                    if (matches) {
+                        for (const match of matches) {
+                            try {
+                                const decoded = Buffer.from(match, 'base64').toString('utf8');
+                                content = decoded;
+                                // 检查解码后的内容
+                                for (const pattern of this.maliciousPatterns) {
+                                    if (pattern.pattern.test(content)) {
+                                        threats.push(`${pattern.description} (base64 encoded)`);
+                                        riskScore += pattern.riskScore;
+                                    }
+                                }
+                            }
+                            catch (_a) {
+                                // 解码失败，跳过
+                            }
+                        }
+                    }
+                    continue;
+                }
+                // 其他编码方式
+                content = buffer.toString(encoding).toLowerCase();
+                // 检查所有恶意模式
+                for (const pattern of this.maliciousPatterns) {
+                    if (pattern.pattern.test(content)) {
+                        const threatDesc = encoding === 'utf8'
+                            ? pattern.description
+                            : `${pattern.description} (${encoding} encoding)`;
+                        // 避免重复添加相同威胁
+                        if (!threats.includes(threatDesc)) {
+                            threats.push(threatDesc);
+                            riskScore += pattern.riskScore;
+                        }
+                    }
+                }
+            }
+            catch (error) {
+                // 编码转换失败，跳过该编码
+            }
+        }
+        return { threats, riskScore };
+    }
+    /**
+     * 文件结构分析（新增）
+     * 分析文件的深层结构，检测异常特征
+     */
+    analyzeFileStructure(filePath, buffer) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const anomalies = [];
+            let riskScore = 0;
+            const characteristics = {};
+            // 1. 检测嵌套压缩文件
+            const hasNestedArchive = this.detectNestedArchive(buffer);
+            if (hasNestedArchive) {
+                anomalies.push('Nested archive detected');
+                riskScore += 35;
+                characteristics.hasNestedArchive = true;
+            }
+            // 2. 检测可执行内容
+            const hasExecutable = this.detectExecutableContent(buffer);
+            if (hasExecutable) {
+                anomalies.push('Executable content detected');
+                riskScore += 60;
+                characteristics.hasExecutableContent = true;
+            }
+            // 3. 检测Office宏
+            const hasMacros = this.detectOfficeMacros(buffer);
+            if (hasMacros) {
+                anomalies.push('Office macros detected');
+                riskScore += 50;
+                characteristics.hasMacros = true;
+            }
+            // 4. 计算文件熵值（检测加密/混淆）
+            const entropy = this.calculateEntropy(buffer);
+            characteristics.entropy = entropy;
+            if (entropy > 7.5) {
+                // 高熵值可能表示加密或压缩
+                anomalies.push('High entropy detected (possible encryption/obfuscation)');
+                riskScore += 30;
+            }
+            // 5. 检测多态性（文件头与内容不匹配）
+            const hasPolymorphism = yield this.detectPolymorphism(buffer);
+            if (hasPolymorphism) {
+                anomalies.push('Polymorphic file structure detected');
+                riskScore += 45;
+            }
+            return {
+                anomalies,
+                riskScore,
+                characteristics,
+            };
+        });
+    }
+    /**
+     * ClamAV病毒扫描（增强版 - 支持本地/远程）
+     */
+    scanWithClamAV(filePath) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (this.options.clamavMode === 'remote') {
+                return this.scanWithRemoteClamAV(filePath);
+            }
+            else {
+                return this.scanWithLocalClamAV(filePath);
+            }
+        });
+    }
+    /**
+     * 本地ClamAV扫描（增强安全性）
+     */
+    scanWithLocalClamAV(filePath) {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                // 1. 验证 ClamAV 命令（仅允许白名单命令）
+                this.validateClamAVCommand();
+                // 2. 验证文件路径安全性
+                this.validateFilePath(filePath);
+                // 3. 验证文件存在且可读
+                const absoluteFilePath = path.resolve(filePath);
+                if (!fs.existsSync(absoluteFilePath)) {
+                    throw new Error(`File does not exist: ${filePath}`);
+                }
+                // 使用 spawn 和参数数组，避免命令注入
+                const { spawn } = yield Promise.resolve().then(() => require('child_process'));
+                return new Promise((resolve, reject) => {
+                    const args = ['--no-summary', absoluteFilePath];
+                    // 使用安全选项启动进程
+                    const child = spawn(this.options.clamavCommand, args, {
+                        timeout: 30000, // 进程级超时
+                        windowsHide: true, // Windows 下隐藏窗口
+                        shell: false, // 禁用 shell，防止 shell 注入
+                    });
+                    let stdout = '';
+                    let stderr = '';
+                    let killed = false;
+                    // 限制输出大小，防止内存溢出
+                    const MAX_OUTPUT_SIZE = 1024 * 1024; // 1MB
+                    child.stdout.on('data', (data) => {
+                        if (stdout.length + data.length > MAX_OUTPUT_SIZE) {
+                            this.logger.warn('ClamAV output size exceeded limit');
+                            child.kill('SIGKILL');
+                            killed = true;
+                            reject(new Error('ClamAV output size exceeded limit'));
+                            return;
+                        }
+                        stdout += data.toString();
+                    });
+                    child.stderr.on('data', (data) => {
+                        if (stderr.length + data.length > MAX_OUTPUT_SIZE) {
+                            this.logger.warn('ClamAV error output size exceeded limit');
+                            child.kill('SIGKILL');
+                            killed = true;
+                            reject(new Error('ClamAV error output size exceeded limit'));
+                            return;
+                        }
+                        stderr += data.toString();
+                    });
+                    // 设置超时
+                    const timeout = setTimeout(() => {
+                        if (!killed && !child.killed) {
+                            this.logger.warn('ClamAV scan timeout, killing process');
+                            child.kill('SIGKILL');
+                            killed = true;
+                        }
+                    }, 30000);
+                    child.on('close', (code) => {
+                        clearTimeout(timeout);
+                        // 如果已经被 killed，不再处理
+                        if (killed) {
+                            return;
+                        }
+                        // ClamAV 退出码：0=无病毒, 1=发现病毒, 其他=错误
+                        if (code !== 0 && code !== 1) {
+                            reject(new Error(`ClamAV process exited with code ${code}: ${stderr}`));
+                            return;
+                        }
+                        // 解析ClamAV输出
+                        const output = stdout + stderr;
+                        if (output.includes('FOUND')) {
+                            // 提取病毒名称（限制长度）
+                            const match = output.match(/: ([^:]+) FOUND/);
+                            const virusName = match ? match[1].substring(0, 100) : 'Unknown';
+                            resolve({
+                                scanned: true,
+                                infected: true,
+                                virusName,
+                            });
+                        }
+                        else {
+                            resolve({
+                                scanned: true,
+                                infected: false,
+                            });
+                        }
+                    });
+                    child.on('error', (error) => {
+                        clearTimeout(timeout);
+                        if (!killed) {
+                            // 尝试清理进程
+                            try {
+                                if (!child.killed) {
+                                    child.kill('SIGKILL');
+                                }
+                            }
+                            catch (killError) {
+                                this.logger.error(`Failed to kill ClamAV process: ${killError.message}`);
+                            }
+                            reject(error);
+                        }
+                    });
+                });
+            }
+            catch (error) {
+                // ClamAV不可用或扫描失败
+                this.logger.warn(`Local ClamAV scan failed: ${error.message}`);
+                return {
+                    scanned: false,
+                    infected: false,
+                    error: error.message,
+                };
+            }
+        });
+    }
+    /**
+     * 验证 ClamAV 命令（仅允许白名单）
+     */
+    validateClamAVCommand() {
+        const allowedCommands = ['clamscan', 'clamdscan'];
+        const commandBasename = path.basename(this.options.clamavCommand);
+        if (!allowedCommands.includes(commandBasename)) {
+            throw new Error(`Invalid ClamAV command: ${commandBasename}. Allowed: ${allowedCommands.join(', ')}`);
+        }
+        // 检查命令路径不包含危险字符
+        const dangerousChars = [';', '&', '|', '$', '`', '\n', '\r'];
+        for (const char of dangerousChars) {
+            if (this.options.clamavCommand.includes(char)) {
+                throw new Error(`Dangerous character in ClamAV command path: ${char}`);
+            }
+        }
+    }
+    /**
+     * 验证文件路径，防止命令注入
+     */
+    validateFilePath(filePath) {
+        // 检查是否包含危险字符
+        const dangerousChars = [
+            '"',
+            "'",
+            '`',
+            ';',
+            '&',
+            '|',
+            '$',
+            '(',
+            ')',
+            '<',
+            '>',
+            '\n',
+            '\r',
+        ];
+        for (const char of dangerousChars) {
+            if (filePath.includes(char)) {
+                throw new Error(`Dangerous character detected in file path: ${char}`);
+            }
+        }
+        // 检查路径遍历
+        if (filePath.includes('..')) {
+            throw new Error('Path traversal not allowed in file path');
+        }
+        // 检查空字节注入
+        if (filePath.includes('\0')) {
+            throw new Error('Null byte detected in file path');
+        }
+        // 检查是否为绝对路径（根据业务需求决定是否允许）
+        if (path.isAbsolute(filePath)) {
+            // 可以根据需要抛出错误或允许
+            // throw new Error('Absolute paths not allowed');
+        }
+    }
+    /**
+     * 远程ClamAV扫描（通过ClamAV守护进程的网络接口）
+     */
+    scanWithRemoteClamAV(filePath) {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                const { host, port, timeout = 30000 } = this.options.clamavRemote || {};
+                if (!host || !port) {
+                    throw new Error('Remote ClamAV host and port must be configured');
+                }
+                // 读取文件内容
+                const fileBuffer = yield fs.readFile(filePath);
+                // 使用Node.js net模块连接到ClamAV守护进程
+                const net = yield Promise.resolve().then(() => require('net'));
+                // 响应大小限制（1MB）
+                const MAX_RESPONSE_SIZE = 1024 * 1024;
+                return new Promise((resolve, reject) => {
+                    const client = new net.Socket();
+                    let response = '';
+                    let responseSize = 0;
+                    // 设置超时
+                    const timeoutId = setTimeout(() => {
+                        client.destroy();
+                        reject(new Error('Remote ClamAV scan timeout'));
+                    }, timeout);
+                    client.connect(port, host, () => {
+                        // 发送INSTREAM命令
+                        client.write('zINSTREAM\0');
+                        // 发送文件大小（4字节，网络字节序）
+                        const sizeBuffer = Buffer.alloc(4);
+                        sizeBuffer.writeUInt32BE(fileBuffer.length, 0);
+                        client.write(sizeBuffer);
+                        // 发送文件内容
+                        client.write(fileBuffer);
+                        // 发送结束标记（长度为0）
+                        const endBuffer = Buffer.alloc(4);
+                        endBuffer.writeUInt32BE(0, 0);
+                        client.write(endBuffer);
+                    });
+                    client.on('data', (data) => {
+                        responseSize += data.length;
+                        // 防止响应过大
+                        if (responseSize > MAX_RESPONSE_SIZE) {
+                            client.destroy();
+                            clearTimeout(timeoutId);
+                            this.logger.warn('Remote ClamAV response size exceeded limit');
+                            resolve({
+                                scanned: false,
+                                infected: false,
+                                error: 'Response size exceeded limit',
+                            });
+                            return;
+                        }
+                        response += data.toString('utf8', 0, Math.min(data.length, MAX_RESPONSE_SIZE - response.length));
+                    });
+                    client.on('end', () => {
+                        clearTimeout(timeoutId);
+                        // 验证响应格式
+                        if (!this.isValidClamAVResponse(response)) {
+                            this.logger.warn('Invalid ClamAV response format');
+                            resolve({
+                                scanned: false,
+                                infected: false,
+                                error: 'Invalid response format',
+                            });
+                            return;
+                        }
+                        // 解析响应
+                        if (response.includes('FOUND')) {
+                            const match = response.match(/stream: ([^\s]+) FOUND/);
+                            const virusName = match ? match[1] : 'Unknown';
+                            // 验证病毒名称格式
+                            if (!this.isValidVirusName(virusName)) {
+                                this.logger.warn('Invalid virus name format');
+                                resolve({
+                                    scanned: true,
+                                    infected: true,
+                                    virusName: 'Unknown',
+                                });
+                                return;
+                            }
+                            resolve({
+                                scanned: true,
+                                infected: true,
+                                virusName,
+                            });
+                        }
+                        else if (response.includes('OK')) {
+                            resolve({
+                                scanned: true,
+                                infected: false,
+                            });
+                        }
+                        else {
+                            resolve({
+                                scanned: false,
+                                infected: false,
+                                error: 'Unexpected response: ' + response.substring(0, 100),
+                            });
+                        }
+                    });
+                    client.on('error', (error) => {
+                        clearTimeout(timeoutId);
+                        this.logger.warn(`Remote ClamAV connection error: ${error.message}`);
+                        resolve({
+                            scanned: false,
+                            infected: false,
+                            error: error.message,
+                        });
+                    });
+                });
+            }
+            catch (error) {
+                this.logger.warn(`Remote ClamAV scan failed: ${error.message}`);
+                return {
+                    scanned: false,
+                    infected: false,
+                    error: error.message,
+                };
+            }
+        });
+    }
+    /**
+     * 验证 ClamAV 响应格式
+     */
+    isValidClamAVResponse(response) {
+        if (!response || typeof response !== 'string') {
+            return false;
+        }
+        // ClamAV 响应应该包含 'stream:' 关键字
+        // 和 'FOUND' 或 'OK' 等状态
+        const validPatterns = [
+            /^stream: .+ FOUND$/m,
+            /^stream: OK$/m,
+            /^stream: .+ ERROR$/m,
+        ];
+        return validPatterns.some((pattern) => pattern.test(response));
+    }
+    /**
+     * 验证病毒名称格式
+     */
+    isValidVirusName(name) {
+        if (!name || typeof name !== 'string') {
+            return false;
+        }
+        // 病毒名称应该只包含字母、数字、连字符、下划线和点
+        // 长度不超过 100 字符
+        return /^[a-zA-Z0-9._-]{1,100}$/.test(name);
+    }
+    /**
+     * 检测嵌套压缩文件
+     */
+    detectNestedArchive(buffer) {
+        const archiveSignatures = [
+            { pattern: [0x50, 0x4b, 0x03, 0x04], name: 'ZIP' },
+            { pattern: [0x52, 0x61, 0x72, 0x21], name: 'RAR' },
+            { pattern: [0x1f, 0x8b], name: 'GZIP' },
+            { pattern: [0x42, 0x5a, 0x68], name: 'BZIP2' },
+            { pattern: [0x37, 0x7a, 0xbc, 0xaf], name: '7Z' },
+        ];
+        // 检测每个签名出现的次数
+        for (const sig of archiveSignatures) {
+            let occurrences = 0;
+            let offset = 0;
+            // 查找所有出现位置
+            while (offset < buffer.length) {
+                const index = this.bufferIndexOf(buffer, sig.pattern, offset);
+                if (index === -1)
+                    break;
+                occurrences++;
+                offset = index + sig.pattern.length;
+                // 如果同一个签名出现多次，可能是嵌套
+                if (occurrences > 1) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+    /**
+     * 检测可执行内容
+     */
+    detectExecutableContent(buffer) {
+        const executableSignatures = [
+            [0x4d, 0x5a], // PE (Windows)
+            [0x7f, 0x45, 0x4c, 0x46], // ELF (Linux)
+            [0xfe, 0xed, 0xfa, 0xce], // Mach-O (macOS)
+            [0xfe, 0xed, 0xfa, 0xcf], // Mach-O 64-bit
+            [0xca, 0xfe, 0xba, 0xbe], // Java class
+        ];
+        return executableSignatures.some((sig) => this.bufferContains(buffer, sig));
+    }
+    /**
+     * 检测Office宏
+     */
+    detectOfficeMacros(buffer) {
+        const macroIndicators = [
+            'vbaProject.bin',
+            'VBA',
+            'AutoOpen',
+            'Auto_Open',
+            'Workbook_Open',
+            'Document_Open',
+            'AutoExec',
+        ];
+        const content = buffer.toString('ascii').toLowerCase();
+        return macroIndicators.some((indicator) => content.includes(indicator.toLowerCase()));
+    }
+    /**
+     * 计算Shannon熵值
+     * 用于检测加密或高度压缩的内容
+     */
+    calculateEntropy(buffer) {
+        const freq = new Map();
+        // 统计字节频率
+        for (let i = 0; i < buffer.length; i++) {
+            const byte = buffer[i];
+            freq.set(byte, (freq.get(byte) || 0) + 1);
+        }
+        // 计算熵值
+        let entropy = 0;
+        const len = buffer.length;
+        for (const count of freq.values()) {
+            const p = count / len;
+            entropy -= p * Math.log2(p);
+        }
+        return entropy;
+    }
+    /**
+     * 检测多态性（文件类型伪装）
+     */
+    detectPolymorphism(buffer) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // 简化实现：检查文件头是否与内容一致
+            // 例如：声称是图片但包含可执行代码
+            const isImage = this.bufferContains(buffer, [0xff, 0xd8, 0xff]) || // JPEG
+                this.bufferContains(buffer, [0x89, 0x50, 0x4e, 0x47]); // PNG
+            if (isImage && this.detectExecutableContent(buffer)) {
+                return true; // 图片中嵌入了可执行代码
+            }
+            return false;
+        });
+    }
+    /**
+     * 在buffer中查找pattern的位置
+     */
+    bufferIndexOf(buffer, pattern, startOffset = 0) {
+        for (let i = startOffset; i <= buffer.length - pattern.length; i++) {
+            let match = true;
+            for (let j = 0; j < pattern.length; j++) {
+                if (buffer[i + j] !== pattern[j]) {
+                    match = false;
+                    break;
+                }
+            }
+            if (match)
+                return i;
+        }
+        return -1;
+    }
+};
+exports.MaliciousFileDetector = MaliciousFileDetector;
+exports.MaliciousFileDetector = MaliciousFileDetector = MaliciousFileDetector_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __param(0, (0, common_1.Optional)()),
+    __param(0, (0, common_1.Inject)('MALICIOUS_DETECTOR_OPTIONS')),
+    __metadata("design:paramtypes", [Object])
+], MaliciousFileDetector);