@nest-omni/core 4.1.3-2 → 4.1.3-22

package/file-upload/services/malicious-file-detector.service.js

@@ -0,0 +1,1234 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var MaliciousFileDetector_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MaliciousFileDetector = void 0;
+const common_1 = require("@nestjs/common");
+const fs = require("fs-extra");
+const path = require("path");
+const child_process_1 = require("child_process");
+const util_1 = require("util");
+const execAsync = (0, util_1.promisify)(child_process_1.exec);
+/**
+ * 恶意文件检测服务
+ */
+/**
+ * 恶意文件检测服务（增强版）
+ *
+ * 功能：
+ * 1. 多编码检测 - 支持 UTF-8, UTF-16LE, Latin1, ASCII, Base64
+ * 2. 文件结构分析 - 检测嵌套压缩、可执行内容、Office宏、高熵值、多态性
+ * 3. ClamAV集成 - 支持本地命令行和远程服务两种模式
+ *
+ * 使用示例：
+ * ```typescript
+ * // 方式1: 本地ClamAV（需要在当前机器安装）
+ * FileUploadModule.forRoot({
+ *   maliciousDetection: {
+ *     enableClamAV: true,
+ *     clamavMode: 'local',           // 本地模式
+ *     clamavCommand: 'clamdscan',    // 或 'clamscan'
+ *   },
+ * });
+ *
+ * // 方式2: 远程ClamAV服务（推荐用于生产环境）
+ * FileUploadModule.forRoot({
+ *   maliciousDetection: {
+ *     enableClamAV: true,
+ *     clamavMode: 'remote',          // 远程模式
+ *     clamavRemote: {
+ *       host: 'clamav-server.com',   // ClamAV服务器地址
+ *       port: 3310,                  // ClamAV守护进程端口
+ *       timeout: 30000,              // 超时时间(ms)
+ *     },
+ *   },
+ * });
+ *
+ * // 方式3: 仅使用多编码检测和结构分析（无需安装ClamAV）
+ * FileUploadModule.forRoot({
+ *   maliciousDetection: {
+ *     enableClamAV: false,           // 禁用ClamAV
+ *     enableMultiEncoding: true,     // 启用多编码检测
+ *     enableStructureAnalysis: true, // 启用结构分析
+ *     riskThreshold: 50,             // 风险阈值
+ *   },
+ * });
+ *
+ * // 直接使用服务
+ * const result = await maliciousDetector.scanFile('/path/to/file');
+ * console.log('Is Safe:', result.safe);
+ * console.log('Risk Score:', result.riskScore);
+ * console.log('Threats:', result.threats);
+ * console.log('Details:', result.details);
+ * ```
+ *
+ * 远程ClamAV服务部署示例：
+ * ```bash
+ * # Docker部署ClamAV服务
+ * docker run -d -p 3310:3310 \
+ *   --name clamav \
+ *   clamav/clamav:latest
+ *
+ * # 配置clamd.conf允许远程连接
+ * TCPSocket 3310
+ * TCPAddr 0.0.0.0
+ * StreamMaxLength 100M
+ * ```
+ *
+ * 检测结果示例：
+ * ```json
+ * {
+ *   "safe": false,
+ *   "isMalware": true,
+ *   "riskScore": 85,
+ *   "threats": [
+ *     "PE executable header (Windows)",
+ *     "Script tag injection (base64 encoded)",
+ *     "Executable content detected"
+ *   ],
+ *   "details": {
+ *     "encodingThreats": ["Script tag injection (base64 encoded)"],
+ *     "structureAnalysis": {
+ *       "anomalies": ["Executable content detected"],
+ *       "riskScore": 60,
+ *       "characteristics": {
+ *         "hasExecutableContent": true,
+ *         "entropy": 6.8
+ *       }
+ *     },
+ *     "clamavResult": {
+ *       "scanned": true,
+ *       "infected": true,
+ *       "virusName": "Win.Trojan.Agent"
+ *     }
+ *   }
+ * }
+ * ```
+ */
+let MaliciousFileDetector = MaliciousFileDetector_1 = class MaliciousFileDetector {
+    constructor(options) {
+        this.options = options;
+        this.logger = new common_1.Logger(MaliciousFileDetector_1.name);
+        // 并发控制：当前正在扫描的文件数
+        this.activeScanCount = 0;
+        // 支持的编码列表
+        this.encodings = ['utf8', 'utf16le', 'latin1', 'ascii', 'base64'];
+        // 恶意模式库（多编码）
+        this.maliciousPatterns = [
+            // 脚本注入模式
+            {
+                pattern: /<script[^>]*>.*?<\/script>/gi,
+                description: 'Script tag injection',
+                riskScore: 60,
+            },
+            {
+                pattern: /<iframe[^>]*>/gi,
+                description: 'Iframe injection',
+                riskScore: 50,
+            },
+            {
+                pattern: /on\w+\s*=\s*["'][^"']*["']/gi,
+                description: 'Event handler injection',
+                riskScore: 55,
+            },
+            {
+                pattern: /javascript:\s*[^\s]+/gi,
+                description: 'JavaScript protocol',
+                riskScore: 50,
+            },
+            {
+                pattern: /vbscript:\s*[^\s]+/gi,
+                description: 'VBScript protocol',
+                riskScore: 50,
+            },
+            // Shell命令模式
+            {
+                pattern: /\$\([^)]+\)/g,
+                description: 'Shell command substitution',
+                riskScore: 65,
+            },
+            {
+                pattern: /`[^`]+`/g,
+                description: 'Backtick command execution',
+                riskScore: 65,
+            },
+            {
+                pattern: /eval\s*\(/gi,
+                description: 'Eval function call',
+                riskScore: 70,
+            },
+            {
+                pattern: /exec\s*\(/gi,
+                description: 'Exec function call',
+                riskScore: 70,
+            },
+            // SQL注入模式
+            {
+                pattern: /union\s+select/gi,
+                description: 'SQL injection pattern',
+                riskScore: 45,
+            },
+            {
+                pattern: /';\s*drop\s+table/gi,
+                description: 'SQL drop table pattern',
+                riskScore: 80,
+            },
+            // 二进制注入标记
+            { pattern: /\x00/g, description: 'Null byte injection', riskScore: 40 },
+        ];
+        this.suspiciousSignatures = [
+            // 可执行文件
+            {
+                pattern: [0x4d, 0x5a],
+                description: 'PE executable header (Windows)',
+                riskScore: 70,
+            },
+            {
+                pattern: [0x7f, 0x45, 0x4c, 0x46],
+                description: 'ELF executable header (Linux)',
+                riskScore: 70,
+            },
+            {
+                pattern: [0xfe, 0xed, 0xfa, 0xce],
+                description: 'Mach-O executable header (macOS)',
+                riskScore: 70,
+            },
+            {
+                pattern: [0xfe, 0xed, 0xfa, 0xcf],
+                description: 'Mach-O 64-bit executable (macOS)',
+                riskScore: 70,
+            },
+            // 脚本内容
+            {
+                pattern: '<script',
+                type: 'string',
+                description: 'Script tag detected',
+                riskScore: 40,
+            },
+            {
+                pattern: 'javascript:',
+                type: 'string',
+                description: 'JavaScript protocol',
+                riskScore: 50,
+            },
+            {
+                pattern: 'vbscript:',
+                type: 'string',
+                description: 'VBScript protocol',
+                riskScore: 50,
+            },
+            {
+                pattern: 'data:text/html',
+                type: 'string',
+                description: 'Data URI with HTML',
+                riskScore: 45,
+            },
+            // 宏病毒相关
+            {
+                pattern: 'vbaProject',
+                type: 'string',
+                description: 'VBA Project marker',
+                riskScore: 60,
+            },
+            {
+                pattern: 'Auto_Open',
+                type: 'string',
+                description: 'Auto-execute macro',
+                riskScore: 40,
+            },
+            {
+                pattern: 'Workbook_Open',
+                type: 'string',
+                description: 'Auto-execute macro',
+                riskScore: 40,
+            },
+            // 压缩炸弹检测
+            {
+                pattern: [0x50, 0x4b, 0x03, 0x04],
+                description: 'ZIP header',
+                checkRatio: true,
+                riskScore: 0, // 需要进一步检查压缩比
+            },
+        ];
+        this.options = Object.assign({ enabled: true, enableClamAV: false, clamavMode: 'local', clamavCommand: 'clamdscan', enableMultiEncoding: true, enableStructureAnalysis: true, riskThreshold: 50 }, options);
+        // 初始化并发控制参数
+        this.maxConcurrentScans = this.options.maxConcurrentScans || 5;
+        this.maxScanSize = this.options.maxScanSize || 10 * 1024 * 1024; // 默认 10MB
+        this.scanTimeout = this.options.scanTimeout || 60000; // 默认 60 秒
+        this.logger.debug(`MaliciousFileDetector initialized - maxConcurrent: ${this.maxConcurrentScans}, maxSize: ${this.maxScanSize}, timeout: ${this.scanTimeout}`);
+    }
+    /**
+     * 扫描文件（增强版 - 带并发控制和流式处理）
+     */
+    scanFile(filePath, buffer) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // 检查是否启用
+            if (this.options.enabled === false) {
+                this.logger.debug('Malicious detection is disabled');
+                return {
+                    safe: true,
+                    threats: [],
+                    riskScore: 0,
+                    isMalware: false,
+                };
+            }
+            // 如果没有文件路径且没有buffer，返回安全
+            if (!filePath && !buffer) {
+                this.logger.debug('No file path or buffer provided for scanning');
+                return {
+                    safe: true,
+                    threats: [],
+                    riskScore: 0,
+                    isMalware: false,
+                };
+            }
+            // 并发控制：等待直到有可用的扫描槽位
+            yield this.waitForScanSlot();
+            try {
+                // 增加活跃扫描计数
+                this.activeScanCount++;
+                this.logger.debug(`MaliciousFileDetector: Starting scan (${this.activeScanCount}/${this.maxConcurrentScans}): ${filePath || '(buffer)'}`);
+                // 设置超时保护
+                const scanPromise = this.performScan(filePath, buffer);
+                const timeoutPromise = new Promise((_, reject) => {
+                    setTimeout(() => {
+                        reject(new Error(`Scan timeout after ${this.scanTimeout}ms`));
+                    }, this.scanTimeout);
+                });
+                // 等待扫描完成或超时
+                return yield Promise.race([scanPromise, timeoutPromise]);
+            }
+            finally {
+                // 释放扫描槽位
+                this.activeScanCount--;
+                this.logger.debug(`MaliciousFileDetector: Scan completed (${this.activeScanCount}/${this.maxConcurrentScans})`);
+            }
+        });
+    }
+    /**
+     * 等待直到有可用的扫描槽位
+     */
+    waitForScanSlot() {
+        return __awaiter(this, void 0, void 0, function* () {
+            while (this.activeScanCount >= this.maxConcurrentScans) {
+                this.logger.debug(`MaliciousFileDetector: Waiting for scan slot (${this.activeScanCount}/${this.maxConcurrentScans})`);
+                // 等待 100ms 后重试
+                yield new Promise((resolve) => setTimeout(resolve, 100));
+            }
+        });
+    }
+    /**
+     * 执行实际的扫描操作
+     */
+    performScan(filePath, inputBuffer) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const threats = [];
+            let riskScore = 0;
+            const details = {};
+            try {
+                let scanBuffer;
+                let fileSize;
+                if (inputBuffer) {
+                    // Use provided buffer directly
+                    scanBuffer = inputBuffer;
+                    fileSize = inputBuffer.length;
+                    this.logger.debug(`MaliciousFileDetector: Using provided buffer - size: ${fileSize}`);
+                }
+                else if (filePath) {
+                    // Read file from disk
+                    const stats = yield fs.stat(filePath);
+                    fileSize = stats.size;
+                    this.logger.debug(`MaliciousFileDetector: File stats - size: ${stats.size}`);
+                    // Skip malicious file detection for very small files (< 100 bytes)
+                    // These are usually test placeholders or empty files
+                    if (fileSize < 100) {
+                        this.logger.debug(`MaliciousFileDetector: Skipping scan for very small file (${fileSize} bytes)`);
+                        return {
+                            safe: true,
+                            threats: [],
+                            riskScore: 0,
+                            isMalware: false,
+                        };
+                    }
+                    // 使用流式处理读取文件（防止大文件占用过多内存）
+                    scanBuffer = yield this.readFileStream(filePath, stats.size);
+                    this.logger.debug(`MaliciousFileDetector: File read successfully, buffer size: ${scanBuffer.length}`);
+                }
+                else {
+                    // No input provided
+                    return {
+                        safe: true,
+                        threats: [],
+                        riskScore: 0,
+                        isMalware: false,
+                    };
+                }
+                // Skip malicious file detection for very small buffers (< 100 bytes)
+                if (scanBuffer.length < 100) {
+                    this.logger.debug(`MaliciousFileDetector: Skipping scan for very small buffer (${scanBuffer.length} bytes)`);
+                    return {
+                        safe: true,
+                        threats: [],
+                        riskScore: 0,
+                        isMalware: false,
+                    };
+                }
+                // 1. 检查可疑签名
+                for (const signature of this.suspiciousSignatures) {
+                    if (this.checkSignature(scanBuffer, signature)) {
+                        threats.push(signature.description);
+                        riskScore += signature.riskScore;
+                        this.logger.debug(`MaliciousFileDetector: Found suspicious signature: ${signature.description}, risk: ${signature.riskScore}`);
+                        // 如果需要检查压缩比
+                        if (signature.checkRatio && filePath) {
+                            const ratio = yield this.checkCompressionRatio(filePath, scanBuffer);
+                            if (ratio > 100) {
+                                threats.push('Suspicious compression ratio (possible zip bomb)');
+                                riskScore += 50;
+                                this.logger.debug(`MaliciousFileDetector: Found suspicious compression ratio: ${ratio}`);
+                            }
+                        }
+                    }
+                }
+                // 2. 多编码检测（新增）
+                if (this.options.enableMultiEncoding) {
+                    const encodingResult = this.detectMultiEncodingThreats(scanBuffer);
+                    if (encodingResult.threats.length > 0) {
+                        threats.push(...encodingResult.threats);
+                        riskScore += encodingResult.riskScore;
+                        details.encodingThreats = encodingResult.threats;
+                        this.logger.debug(`MaliciousFileDetector: Multi-encoding threats found: ${encodingResult.threats.join(', ')}, risk: ${encodingResult.riskScore}`);
+                    }
+                }
+                // 3. 文件结构分析（新增）
+                if (this.options.enableStructureAnalysis) {
+                    const structureResult = yield this.analyzeFileStructure(filePath, scanBuffer);
+                    if (structureResult.anomalies.length > 0) {
+                        threats.push(...structureResult.anomalies);
+                        riskScore += structureResult.riskScore;
+                        details.structureAnalysis = structureResult;
+                        this.logger.debug(`MaliciousFileDetector: Structure analysis threats found: ${structureResult.anomalies.join(', ')}, risk: ${structureResult.riskScore}`);
+                    }
+                }
+                // 4. ClamAV扫描（新增，可选）
+                if (this.options.enableClamAV && filePath) {
+                    const clamavResult = yield this.scanWithClamAV(filePath);
+                    details.clamavResult = clamavResult;
+                    if (clamavResult.infected) {
+                        threats.push(`Virus detected: ${clamavResult.virusName}`);
+                        riskScore += 100; // 直接判定为恶意
+                        this.logger.debug(`MaliciousFileDetector: ClamAV detected virus: ${clamavResult.virusName}`);
+                    }
+                }
+                // 5. 检查文件名
+                if (filePath) {
+                    const fileName = path.basename(filePath);
+                    if (this.hasSuspiciousName(fileName)) {
+                        threats.push('Suspicious filename pattern');
+                        riskScore += 20;
+                        this.logger.debug(`MaliciousFileDetector: Suspicious filename pattern detected: ${fileName}`);
+                    }
+                    // 6. 检查双扩展名
+                    if (this.hasDoubleExtension(fileName)) {
+                        threats.push('Double extension detected');
+                        riskScore += 30;
+                        this.logger.debug(`MaliciousFileDetector: Double extension detected: ${fileName}`);
+                    }
+                    // 7. 检查隐藏扩展名技巧
+                    if (this.hasHiddenExtension(fileName)) {
+                        threats.push('Hidden extension trick detected');
+                        riskScore += 40;
+                        this.logger.debug(`MaliciousFileDetector: Hidden extension trick detected: ${fileName}`);
+                    }
+                }
+                // 8. 检查文件大小异常
+                if (fileSize > 500 * 1024 * 1024) {
+                    // 大于500MB
+                    threats.push('Unusually large file size');
+                    riskScore += 15;
+                    this.logger.debug(`MaliciousFileDetector: Unusually large file size: ${fileSize}`);
+                }
+                // 9. 动态阈值调整（小文件更宽松）
+                let threshold = this.options.riskThreshold || 50;
+                if (fileSize < 1024) {
+                    // 小于1KB的文件，提高阈值（减少误报）
+                    threshold = Math.max(threshold, 80);
+                    this.logger.debug(`MaliciousFileDetector: Using increased threshold for small file (${fileSize} bytes): ${threshold}`);
+                }
+                else if (fileSize < 10 * 1024) {
+                    // 小于10KB的文件，适当提高阈值
+                    threshold = Math.max(threshold, 65);
+                    this.logger.debug(`MaliciousFileDetector: Using increased threshold for medium-small file (${fileSize} bytes): ${threshold}`);
+                }
+                const isSafe = riskScore < threshold;
+                this.logger.debug(`MaliciousFileDetector: Final result - safe: ${isSafe}, riskScore: ${riskScore}, threshold: ${threshold}, threats: ${threats.join(', ')}`);
+                return {
+                    safe: isSafe,
+                    threats,
+                    riskScore: Math.min(riskScore, 100),
+                    isMalware: riskScore >= 70,
+                    details: Object.keys(details).length > 0 ? details : undefined,
+                };
+            }
+            catch (error) {
+                this.logger.error(`Error scanning file: ${error.message}`);
+                return {
+                    safe: false,
+                    threats: ['Unable to scan file: ' + error.message],
+                    riskScore: 100,
+                    isMalware: true,
+                };
+            }
+        });
+    }
+    /**
+     * 使用流式处理读取文件（防止大文件占用过多内存）
+     */
+    readFileStream(filePath, fileSize) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // 限制读取大小
+            const readSize = Math.min(fileSize, this.maxScanSize);
+            // 如果文件较小，直接读取
+            if (fileSize <= 1024 * 1024) {
+                // 1MB 以下直接读取
+                return fs.readFile(filePath);
+            }
+            // 大文件使用流式处理
+            return new Promise((resolve, reject) => {
+                const chunks = [];
+                let totalRead = 0;
+                const stream = fs.createReadStream(filePath, {
+                    highWaterMark: 64 * 1024, // 每次读取 64KB
+                    end: readSize - 1, // 只读取前 N 字节
+                });
+                stream.on('data', (chunk) => {
+                    chunks.push(chunk);
+                    totalRead += chunk.length;
+                    // 额外的安全检查：如果超过限制，立即停止
+                    if (totalRead > this.maxScanSize) {
+                        stream.destroy();
+                        reject(new Error(`File size exceeds scan limit: ${this.maxScanSize}`));
+                    }
+                });
+                stream.on('end', () => {
+                    const buffer = Buffer.concat(chunks);
+                    this.logger.debug(`Read ${buffer.length} bytes from ${filePath} using stream`);
+                    resolve(buffer);
+                });
+                stream.on('error', (error) => {
+                    reject(error);
+                });
+            });
+        });
+    }
+    /**
+     * 检查签名
+     */
+    checkSignature(buffer, signature) {
+        if (signature.type === 'string') {
+            const content = buffer.toString('ascii').toLowerCase();
+            return content.includes(signature.pattern.toLowerCase());
+        }
+        else {
+            return this.bufferContains(buffer, signature.pattern);
+        }
+    }
+    /**
+     * 缓冲区包含检查
+     */
+    bufferContains(buffer, pattern) {
+        for (let i = 0; i <= buffer.length - pattern.length; i++) {
+            let match = true;
+            for (let j = 0; j < pattern.length; j++) {
+                if (buffer[i + j] !== pattern[j]) {
+                    match = false;
+                    break;
+                }
+            }
+            if (match)
+                return true;
+        }
+        return false;
+    }
+    /**
+     * 检查压缩比（简单实现）
+     */
+    checkCompressionRatio(filePath, buffer) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // 简化版本：检查ZIP文件的压缩信息
+            // 完整实现需要解析ZIP结构
+            const compressedSize = (yield fs.stat(filePath)).size;
+            // 读取ZIP中央目录来估算未压缩大小
+            // 这里使用简单的启发式：如果文件很小但声称很大，可能是炸弹
+            if (compressedSize < 10 * 1024 && buffer.length < 10 * 1024) {
+                // 小于10KB的文件，假设正常
+                return 10;
+            }
+            // 保守估计：返回较低的比率避免误报
+            return 10;
+        });
+    }
+    /**
+     * 检查可疑文件名
+     */
+    hasSuspiciousName(fileName) {
+        const suspiciousPatterns = [
+            /\.exe$/i,
+            /\.scr$/i,
+            /\.bat$/i,
+            /\.cmd$/i,
+            /\.vbs$/i,
+            /\.js$/i,
+            /\.jar$/i,
+            /\.com$/i,
+            /\.pif$/i,
+            /\.application$/i,
+            /\.gadget$/i,
+            /\.msi$/i,
+            /\.msp$/i,
+            /\.cpl$/i,
+            /\.dll$/i,
+            /\.hta$/i,
+            /\.ws$/i,
+            /\.wsf$/i,
+        ];
+        return suspiciousPatterns.some((pattern) => pattern.test(fileName));
+    }
+    /**
+     * 检查双扩展名
+     */
+    hasDoubleExtension(fileName) {
+        // 例如: document.pdf.exe, photo.jpg.scr
+        const dangerousExtensions = [
+            '.exe',
+            '.scr',
+            '.bat',
+            '.cmd',
+            '.vbs',
+            '.com',
+        ];
+        const lowerName = fileName.toLowerCase();
+        const parts = lowerName.split('.');
+        if (parts.length < 3) {
+            return false;
+        }
+        // 检查倒数第二个扩展名是否是安全的，最后一个是危险的
+        const lastExt = '.' + parts[parts.length - 1];
+        const secondLastExt = '.' + parts[parts.length - 2];
+        const safeExtensions = [
+            '.jpg',
+            '.jpeg',
+            '.png',
+            '.gif',
+            '.pdf',
+            '.doc',
+            '.docx',
+            '.txt',
+        ];
+        return (safeExtensions.includes(secondLastExt) &&
+            dangerousExtensions.includes(lastExt));
+    }
+    /**
+     * 检查隐藏扩展名技巧
+     */
+    hasHiddenExtension(fileName) {
+        // 检查是否使用空格或特殊字符隐藏真实扩展名
+        // 例如: "document.pdf                    .exe"
+        // 检查文件名中是否有多个连续空格
+        if (/\s{5,}/.test(fileName)) {
+            return true;
+        }
+        // 检查是否使用了右到左覆盖字符 (RTLO attack)
+        // U+202E
+        if (fileName.includes('\u202E')) {
+            return true;
+        }
+        // 检查是否使用了零宽字符
+        if (/[\u200B-\u200D\uFEFF]/.test(fileName)) {
+            return true;
+        }
+        return false;
+    }
+    /**
+     * 多编码检测（新增）
+     * 通过多种编码方式解析文件内容，检测隐藏的恶意模式
+     */
+    detectMultiEncodingThreats(buffer) {
+        const threats = [];
+        let riskScore = 0;
+        // 遍历所有编码方式
+        for (const encoding of this.encodings) {
+            try {
+                let content;
+                // 特殊处理base64编码
+                if (encoding === 'base64') {
+                    // 尝试将buffer解码为base64
+                    const base64Pattern = /[A-Za-z0-9+/]{20,}={0,2}/g;
+                    const asciiContent = buffer.toString('ascii');
+                    const matches = asciiContent.match(base64Pattern);
+                    if (matches) {
+                        for (const match of matches) {
+                            try {
+                                const decoded = Buffer.from(match, 'base64').toString('utf8');
+                                content = decoded;
+                                // 检查解码后的内容
+                                for (const pattern of this.maliciousPatterns) {
+                                    if (pattern.pattern.test(content)) {
+                                        threats.push(`${pattern.description} (base64 encoded)`);
+                                        riskScore += pattern.riskScore;
+                                    }
+                                }
+                            }
+                            catch (_a) {
+                                // 解码失败，跳过
+                            }
+                        }
+                    }
+                    continue;
+                }
+                // 其他编码方式
+                content = buffer.toString(encoding).toLowerCase();
+                // 检查所有恶意模式
+                for (const pattern of this.maliciousPatterns) {
+                    if (pattern.pattern.test(content)) {
+                        const threatDesc = encoding === 'utf8'
+                            ? pattern.description
+                            : `${pattern.description} (${encoding} encoding)`;
+                        // 避免重复添加相同威胁
+                        if (!threats.includes(threatDesc)) {
+                            threats.push(threatDesc);
+                            riskScore += pattern.riskScore;
+                        }
+                    }
+                }
+            }
+            catch (error) {
+                // 编码转换失败，跳过该编码
+            }
+        }
+        return { threats, riskScore };
+    }
+    /**
+     * 文件结构分析（新增）
+     * 分析文件的深层结构，检测异常特征
+     */
+    analyzeFileStructure(filePath, buffer) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const anomalies = [];
+            let riskScore = 0;
+            const characteristics = {};
+            // 1. 检测嵌套压缩文件
+            const hasNestedArchive = this.detectNestedArchive(buffer);
+            if (hasNestedArchive) {
+                anomalies.push('Nested archive detected');
+                riskScore += 35;
+                characteristics.hasNestedArchive = true;
+            }
+            // 2. 检测可执行内容
+            const hasExecutable = this.detectExecutableContent(buffer);
+            if (hasExecutable) {
+                anomalies.push('Executable content detected');
+                riskScore += 60;
+                characteristics.hasExecutableContent = true;
+            }
+            // 3. 检测Office宏
+            const hasMacros = this.detectOfficeMacros(buffer);
+            if (hasMacros) {
+                anomalies.push('Office macros detected');
+                riskScore += 50;
+                characteristics.hasMacros = true;
+            }
+            // 4. 计算文件熵值（检测加密/混淆）
+            const entropy = this.calculateEntropy(buffer);
+            characteristics.entropy = entropy;
+            if (entropy > 7.5) {
+                // 高熵值可能表示加密或压缩
+                anomalies.push('High entropy detected (possible encryption/obfuscation)');
+                riskScore += 30;
+            }
+            // 5. 检测多态性（文件头与内容不匹配）
+            const hasPolymorphism = yield this.detectPolymorphism(buffer);
+            if (hasPolymorphism) {
+                anomalies.push('Polymorphic file structure detected');
+                riskScore += 45;
+            }
+            return {
+                anomalies,
+                riskScore,
+                characteristics,
+            };
+        });
+    }
+    /**
+     * ClamAV病毒扫描（增强版 - 支持本地/远程）
+     */
+    scanWithClamAV(filePath) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (this.options.clamavMode === 'remote') {
+                return this.scanWithRemoteClamAV(filePath);
+            }
+            else {
+                return this.scanWithLocalClamAV(filePath);
+            }
+        });
+    }
+    /**
+     * 本地ClamAV扫描（增强安全性）
+     */
+    scanWithLocalClamAV(filePath) {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                // 1. 验证 ClamAV 命令（仅允许白名单命令）
+                this.validateClamAVCommand();
+                // 2. 验证文件路径安全性
+                this.validateFilePath(filePath);
+                // 3. 验证文件存在且可读
+                const absoluteFilePath = path.resolve(filePath);
+                if (!fs.existsSync(absoluteFilePath)) {
+                    throw new Error(`File does not exist: ${filePath}`);
+                }
+                // 使用 spawn 和参数数组，避免命令注入
+                const { spawn } = yield Promise.resolve().then(() => require('child_process'));
+                return new Promise((resolve, reject) => {
+                    const args = ['--no-summary', absoluteFilePath];
+                    // 使用安全选项启动进程
+                    const child = spawn(this.options.clamavCommand, args, {
+                        timeout: 30000, // 进程级超时
+                        windowsHide: true, // Windows 下隐藏窗口
+                        shell: false, // 禁用 shell，防止 shell 注入
+                    });
+                    let stdout = '';
+                    let stderr = '';
+                    let killed = false;
+                    // 限制输出大小，防止内存溢出
+                    const MAX_OUTPUT_SIZE = 1024 * 1024; // 1MB
+                    child.stdout.on('data', (data) => {
+                        if (stdout.length + data.length > MAX_OUTPUT_SIZE) {
+                            this.logger.warn('ClamAV output size exceeded limit');
+                            child.kill('SIGKILL');
+                            killed = true;
+                            reject(new Error('ClamAV output size exceeded limit'));
+                            return;
+                        }
+                        stdout += data.toString();
+                    });
+                    child.stderr.on('data', (data) => {
+                        if (stderr.length + data.length > MAX_OUTPUT_SIZE) {
+                            this.logger.warn('ClamAV error output size exceeded limit');
+                            child.kill('SIGKILL');
+                            killed = true;
+                            reject(new Error('ClamAV error output size exceeded limit'));
+                            return;
+                        }
+                        stderr += data.toString();
+                    });
+                    // 设置超时
+                    const timeout = setTimeout(() => {
+                        if (!killed && !child.killed) {
+                            this.logger.warn('ClamAV scan timeout, killing process');
+                            child.kill('SIGKILL');
+                            killed = true;
+                        }
+                    }, 30000);
+                    child.on('close', (code) => {
+                        clearTimeout(timeout);
+                        // 如果已经被 killed，不再处理
+                        if (killed) {
+                            return;
+                        }
+                        // ClamAV 退出码：0=无病毒, 1=发现病毒, 其他=错误
+                        if (code !== 0 && code !== 1) {
+                            reject(new Error(`ClamAV process exited with code ${code}: ${stderr}`));
+                            return;
+                        }
+                        // 解析ClamAV输出
+                        const output = stdout + stderr;
+                        if (output.includes('FOUND')) {
+                            // 提取病毒名称（限制长度）
+                            const match = output.match(/: ([^:]+) FOUND/);
+                            const virusName = match ? match[1].substring(0, 100) : 'Unknown';
+                            resolve({
+                                scanned: true,
+                                infected: true,
+                                virusName,
+                            });
+                        }
+                        else {
+                            resolve({
+                                scanned: true,
+                                infected: false,
+                            });
+                        }
+                    });
+                    child.on('error', (error) => {
+                        clearTimeout(timeout);
+                        if (!killed) {
+                            // 尝试清理进程
+                            try {
+                                if (!child.killed) {
+                                    child.kill('SIGKILL');
+                                }
+                            }
+                            catch (killError) {
+                                this.logger.error(`Failed to kill ClamAV process: ${killError.message}`);
+                            }
+                            reject(error);
+                        }
+                    });
+                });
+            }
+            catch (error) {
+                // ClamAV不可用或扫描失败
+                this.logger.warn(`Local ClamAV scan failed: ${error.message}`);
+                return {
+                    scanned: false,
+                    infected: false,
+                    error: error.message,
+                };
+            }
+        });
+    }
+    /**
+     * 验证 ClamAV 命令（仅允许白名单）
+     */
+    validateClamAVCommand() {
+        const allowedCommands = ['clamscan', 'clamdscan'];
+        const commandBasename = path.basename(this.options.clamavCommand);
+        if (!allowedCommands.includes(commandBasename)) {
+            throw new Error(`Invalid ClamAV command: ${commandBasename}. Allowed: ${allowedCommands.join(', ')}`);
+        }
+        // 检查命令路径不包含危险字符
+        const dangerousChars = [';', '&', '|', '$', '`', '\n', '\r'];
+        for (const char of dangerousChars) {
+            if (this.options.clamavCommand.includes(char)) {
+                throw new Error(`Dangerous character in ClamAV command path: ${char}`);
+            }
+        }
+    }
+    /**
+     * 验证文件路径，防止命令注入
+     */
+    validateFilePath(filePath) {
+        // 检查是否包含危险字符
+        const dangerousChars = [
+            '"',
+            "'",
+            '`',
+            ';',
+            '&',
+            '|',
+            '$',
+            '(',
+            ')',
+            '<',
+            '>',
+            '\n',
+            '\r',
+        ];
+        for (const char of dangerousChars) {
+            if (filePath.includes(char)) {
+                throw new Error(`Dangerous character detected in file path: ${char}`);
+            }
+        }
+        // 检查路径遍历
+        if (filePath.includes('..')) {
+            throw new Error('Path traversal not allowed in file path');
+        }
+        // 检查空字节注入
+        if (filePath.includes('\0')) {
+            throw new Error('Null byte detected in file path');
+        }
+        // 检查是否为绝对路径（根据业务需求决定是否允许）
+        if (path.isAbsolute(filePath)) {
+            // 可以根据需要抛出错误或允许
+            // throw new Error('Absolute paths not allowed');
+        }
+    }
+    /**
+     * 远程ClamAV扫描（通过ClamAV守护进程的网络接口）
+     */
+    scanWithRemoteClamAV(filePath) {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                const { host, port, timeout = 30000 } = this.options.clamavRemote || {};
+                if (!host || !port) {
+                    throw new Error('Remote ClamAV host and port must be configured');
+                }
+                // 读取文件内容
+                const fileBuffer = yield fs.readFile(filePath);
+                // 使用Node.js net模块连接到ClamAV守护进程
+                const net = yield Promise.resolve().then(() => require('net'));
+                // 响应大小限制（1MB）
+                const MAX_RESPONSE_SIZE = 1024 * 1024;
+                return new Promise((resolve, reject) => {
+                    const client = new net.Socket();
+                    let response = '';
+                    let responseSize = 0;
+                    // 设置超时
+                    const timeoutId = setTimeout(() => {
+                        client.destroy();
+                        reject(new Error('Remote ClamAV scan timeout'));
+                    }, timeout);
+                    client.connect(port, host, () => {
+                        // 发送INSTREAM命令
+                        client.write('zINSTREAM\0');
+                        // 发送文件大小（4字节，网络字节序）
+                        const sizeBuffer = Buffer.alloc(4);
+                        sizeBuffer.writeUInt32BE(fileBuffer.length, 0);
+                        client.write(sizeBuffer);
+                        // 发送文件内容
+                        client.write(fileBuffer);
+                        // 发送结束标记（长度为0）
+                        const endBuffer = Buffer.alloc(4);
+                        endBuffer.writeUInt32BE(0, 0);
+                        client.write(endBuffer);
+                    });
+                    client.on('data', (data) => {
+                        responseSize += data.length;
+                        // 防止响应过大
+                        if (responseSize > MAX_RESPONSE_SIZE) {
+                            client.destroy();
+                            clearTimeout(timeoutId);
+                            this.logger.warn('Remote ClamAV response size exceeded limit');
+                            resolve({
+                                scanned: false,
+                                infected: false,
+                                error: 'Response size exceeded limit',
+                            });
+                            return;
+                        }
+                        response += data.toString('utf8', 0, Math.min(data.length, MAX_RESPONSE_SIZE - response.length));
+                    });
+                    client.on('end', () => {
+                        clearTimeout(timeoutId);
+                        // 验证响应格式
+                        if (!this.isValidClamAVResponse(response)) {
+                            this.logger.warn('Invalid ClamAV response format');
+                            resolve({
+                                scanned: false,
+                                infected: false,
+                                error: 'Invalid response format',
+                            });
+                            return;
+                        }
+                        // 解析响应
+                        if (response.includes('FOUND')) {
+                            const match = response.match(/stream: ([^\s]+) FOUND/);
+                            const virusName = match ? match[1] : 'Unknown';
+                            // 验证病毒名称格式
+                            if (!this.isValidVirusName(virusName)) {
+                                this.logger.warn('Invalid virus name format');
+                                resolve({
+                                    scanned: true,
+                                    infected: true,
+                                    virusName: 'Unknown',
+                                });
+                                return;
+                            }
+                            resolve({
+                                scanned: true,
+                                infected: true,
+                                virusName,
+                            });
+                        }
+                        else if (response.includes('OK')) {
+                            resolve({
+                                scanned: true,
+                                infected: false,
+                            });
+                        }
+                        else {
+                            resolve({
+                                scanned: false,
+                                infected: false,
+                                error: 'Unexpected response: ' + response.substring(0, 100),
+                            });
+                        }
+                    });
+                    client.on('error', (error) => {
+                        clearTimeout(timeoutId);
+                        this.logger.warn(`Remote ClamAV connection error: ${error.message}`);
+                        resolve({
+                            scanned: false,
+                            infected: false,
+                            error: error.message,
+                        });
+                    });
+                });
+            }
+            catch (error) {
+                this.logger.warn(`Remote ClamAV scan failed: ${error.message}`);
+                return {
+                    scanned: false,
+                    infected: false,
+                    error: error.message,
+                };
+            }
+        });
+    }
+    /**
+     * 验证 ClamAV 响应格式
+     */
+    isValidClamAVResponse(response) {
+        if (!response || typeof response !== 'string') {
+            return false;
+        }
+        // ClamAV 响应应该包含 'stream:' 关键字
+        // 和 'FOUND' 或 'OK' 等状态
+        const validPatterns = [
+            /^stream: .+ FOUND$/m,
+            /^stream: OK$/m,
+            /^stream: .+ ERROR$/m,
+        ];
+        return validPatterns.some((pattern) => pattern.test(response));
+    }
+    /**
+     * 验证病毒名称格式
+     */
+    isValidVirusName(name) {
+        if (!name || typeof name !== 'string') {
+            return false;
+        }
+        // 病毒名称应该只包含字母、数字、连字符、下划线和点
+        // 长度不超过 100 字符
+        return /^[a-zA-Z0-9._-]{1,100}$/.test(name);
+    }
+    /**
+     * 检测嵌套压缩文件
+     */
+    detectNestedArchive(buffer) {
+        const archiveSignatures = [
+            { pattern: [0x50, 0x4b, 0x03, 0x04], name: 'ZIP' },
+            { pattern: [0x52, 0x61, 0x72, 0x21], name: 'RAR' },
+            { pattern: [0x1f, 0x8b], name: 'GZIP' },
+            { pattern: [0x42, 0x5a, 0x68], name: 'BZIP2' },
+            { pattern: [0x37, 0x7a, 0xbc, 0xaf], name: '7Z' },
+        ];
+        // 检测每个签名出现的次数
+        for (const sig of archiveSignatures) {
+            let occurrences = 0;
+            let offset = 0;
+            // 查找所有出现位置
+            while (offset < buffer.length) {
+                const index = this.bufferIndexOf(buffer, sig.pattern, offset);
+                if (index === -1)
+                    break;
+                occurrences++;
+                offset = index + sig.pattern.length;
+                // 如果同一个签名出现多次，可能是嵌套
+                if (occurrences > 1) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+    /**
+     * 检测可执行内容
+     */
+    detectExecutableContent(buffer) {
+        const executableSignatures = [
+            [0x4d, 0x5a], // PE (Windows)
+            [0x7f, 0x45, 0x4c, 0x46], // ELF (Linux)
+            [0xfe, 0xed, 0xfa, 0xce], // Mach-O (macOS)
+            [0xfe, 0xed, 0xfa, 0xcf], // Mach-O 64-bit
+            [0xca, 0xfe, 0xba, 0xbe], // Java class
+        ];
+        return executableSignatures.some((sig) => this.bufferContains(buffer, sig));
+    }
+    /**
+     * 检测Office宏
+     */
+    detectOfficeMacros(buffer) {
+        const macroIndicators = [
+            'vbaProject.bin',
+            'VBA',
+            'AutoOpen',
+            'Auto_Open',
+            'Workbook_Open',
+            'Document_Open',
+            'AutoExec',
+        ];
+        const content = buffer.toString('ascii').toLowerCase();
+        return macroIndicators.some((indicator) => content.includes(indicator.toLowerCase()));
+    }
+    /**
+     * 计算Shannon熵值
+     * 用于检测加密或高度压缩的内容
+     */
+    calculateEntropy(buffer) {
+        const freq = new Map();
+        // 统计字节频率
+        for (let i = 0; i < buffer.length; i++) {
+            const byte = buffer[i];
+            freq.set(byte, (freq.get(byte) || 0) + 1);
+        }
+        // 计算熵值
+        let entropy = 0;
+        const len = buffer.length;
+        for (const count of freq.values()) {
+            const p = count / len;
+            entropy -= p * Math.log2(p);
+        }
+        return entropy;
+    }
+    /**
+     * 检测多态性（文件类型伪装）
+     */
+    detectPolymorphism(buffer) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // 简化实现：检查文件头是否与内容一致
+            // 例如：声称是图片但包含可执行代码
+            const isImage = this.bufferContains(buffer, [0xff, 0xd8, 0xff]) || // JPEG
+                this.bufferContains(buffer, [0x89, 0x50, 0x4e, 0x47]); // PNG
+            if (isImage && this.detectExecutableContent(buffer)) {
+                return true; // 图片中嵌入了可执行代码
+            }
+            return false;
+        });
+    }
+    /**
+     * 在buffer中查找pattern的位置
+     */
+    bufferIndexOf(buffer, pattern, startOffset = 0) {
+        for (let i = startOffset; i <= buffer.length - pattern.length; i++) {
+            let match = true;
+            for (let j = 0; j < pattern.length; j++) {
+                if (buffer[i + j] !== pattern[j]) {
+                    match = false;
+                    break;
+                }
+            }
+            if (match)
+                return i;
+        }
+        return -1;
+    }
+};
+exports.MaliciousFileDetector = MaliciousFileDetector;
+exports.MaliciousFileDetector = MaliciousFileDetector = MaliciousFileDetector_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __param(0, (0, common_1.Optional)()),
+    __param(0, (0, common_1.Inject)('MALICIOUS_DETECTOR_OPTIONS')),
+    __metadata("design:paramtypes", [Object])
+], MaliciousFileDetector);