pompelmi 1.13.0 → 1.15.0

package/packages/nextjs/index.js

@@ -0,0 +1,130 @@
+'use strict';
+
+const { scanBuffer, Verdict } = require('pompelmi');
+
+/**
+ * Build a pompelmi scan options object from the plugin options,
+ * excluding non-scan keys.
+ */
+function buildScanOpts(options) {
+  const keys = ['host', 'port', 'socket', 'timeout', 'retries', 'retryDelay'];
+  const out = {};
+  for (const k of keys) {
+    if (options[k] !== undefined) out[k] = options[k];
+  }
+  return out;
+}
+
+/**
+ * Read a Request body as a Buffer.
+ * Supports Web API Request (App Router) and Node.js IncomingMessage (Pages Router).
+ */
+async function bodyBuffer(req) {
+  if (typeof req.arrayBuffer === 'function') {
+    // Web API Request (Next.js App Router)
+    const ab = await req.arrayBuffer();
+    return Buffer.from(ab);
+  }
+  // Node.js IncomingMessage (Pages Router)
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    req.on('data', c => chunks.push(c));
+    req.on('end', () => resolve(Buffer.concat(chunks)));
+    req.on('error', reject);
+  });
+}
+
+/**
+ * App Router wrapper (Next.js 13+).
+ *
+ * Wraps a route handler so that the raw request body is scanned before the
+ * handler runs. req.pompelmiVerdict is set to the scan verdict symbol.
+ * If the body is malicious a 400 JSON response is returned immediately.
+ *
+ * @param {Function} handler  - async (req, ctx) => Response
+ * @param {object}   options  - ScanOptions (host, port, socket, …)
+ * @returns {Function} Next.js App Router handler
+ *
+ * @example
+ * // app/api/upload/route.js
+ * import { withPompelmi } from '@pompelmi/nextjs'
+ *
+ * export const POST = withPompelmi(async (req) => {
+ *   return Response.json({ ok: true })
+ * }, { host: 'localhost', port: 3310 })
+ */
+function withPompelmi(handler, options = {}) {
+  const scanOpts = buildScanOpts(options);
+
+  return async function pompelmiHandler(req, ctx) {
+    let buf;
+    try {
+      buf = await bodyBuffer(req);
+    } catch (_) {
+      return new Response(JSON.stringify({ error: 'Failed to read request body' }), {
+        status: 400,
+        headers: { 'Content-Type': 'application/json' },
+      });
+    }
+
+    const verdict = await scanBuffer(buf, scanOpts);
+
+    if (verdict === Verdict.Malicious) {
+      return new Response(JSON.stringify({ error: 'Malicious file detected' }), {
+        status: 400,
+        headers: { 'Content-Type': 'application/json' },
+      });
+    }
+
+    // Attach verdict so the handler can inspect it if needed
+    req.pompelmiVerdict = verdict;
+    return handler(req, ctx);
+  };
+}
+
+/**
+ * Pages Router wrapper (Next.js ≤ 12 / Pages API routes).
+ *
+ * Wraps a Next.js API handler so that the raw request body is scanned before
+ * the handler runs. req.pompelmiVerdict is set to the scan verdict symbol.
+ * If the body is malicious a 400 JSON response is sent immediately.
+ *
+ * @param {Function} handler  - (req, res) => void | Promise<void>
+ * @param {object}   options  - ScanOptions (host, port, socket, …)
+ * @returns {Function} Next.js Pages API handler
+ *
+ * @example
+ * // pages/api/upload.js
+ * import { withPompelmiHandler } from '@pompelmi/nextjs'
+ *
+ * async function handler(req, res) {
+ *   res.json({ ok: true })
+ * }
+ *
+ * export default withPompelmiHandler(handler, { host: 'localhost', port: 3310 })
+ */
+function withPompelmiHandler(handler, options = {}) {
+  const scanOpts = buildScanOpts(options);
+
+  return async function pompelmiPagesHandler(req, res) {
+    let buf;
+    try {
+      buf = await bodyBuffer(req);
+    } catch (_) {
+      res.status(400).json({ error: 'Failed to read request body' });
+      return;
+    }
+
+    const verdict = await scanBuffer(buf, scanOpts);
+
+    if (verdict === Verdict.Malicious) {
+      res.status(400).json({ error: 'Malicious file detected' });
+      return;
+    }
+
+    req.pompelmiVerdict = verdict;
+    return handler(req, res);
+  };
+}
+
+module.exports = { withPompelmi, withPompelmiHandler, Verdict };

package/packages/nextjs/package.json

@@ -0,0 +1,39 @@
+{
+  "name": "@pompelmi/nextjs",
+  "version": "1.0.0",
+  "description": "Next.js middleware for pompelmi — in-process ClamAV virus scanning with zero extra dependencies",
+  "license": "ISC",
+  "author": "pompelmi contributors",
+  "homepage": "https://pompelmi.app",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/pompelmi/pompelmi.git",
+    "directory": "packages/nextjs"
+  },
+  "keywords": [
+    "nextjs",
+    "next",
+    "clamav",
+    "antivirus",
+    "virus-scan",
+    "malware",
+    "file-upload",
+    "security",
+    "pompelmi",
+    "app-router",
+    "pages-router"
+  ],
+  "main": "./index.js",
+  "types": "./index.d.ts",
+  "scripts": {
+    "test": "node --test test/index.test.js"
+  },
+  "peerDependencies": {
+    "next": ">=13",
+    "pompelmi": ">=1.13.0"
+  },
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/",
+    "access": "public"
+  }
+}

package/packages/testing/README.md

@@ -0,0 +1,126 @@
+# @pompelmi/testing
+
+Mock utilities for unit-testing applications that use [pompelmi](https://pompelmi.app).
+
+Compatible with **Jest**, **Vitest**, and the **Node.js built-in test runner**.
+
+## Installation
+
+```bash
+npm install --save-dev @pompelmi/testing pompelmi
+```
+
+## Usage
+
+### `mockClean()` / `mockInfected()` / `mockScanError()`
+
+```js
+const { mockClean, mockInfected, mockScanError, Verdict } = require('@pompelmi/testing')
+
+it('passes clean files through', async () => {
+  const scanner = mockClean()
+  const result = await scanner.scanBuffer(Buffer.from('hello'))
+  assert.equal(result, Verdict.Clean)
+})
+
+it('rejects infected files', async () => {
+  const scanner = mockInfected('Win.Malware.Test')
+  const result = await scanner.scanBuffer(Buffer.from('eicar'))
+  assert.equal(result, Verdict.Malicious)
+  assert.equal(scanner.virusName, 'Win.Malware.Test')
+})
+
+it('handles scan errors', async () => {
+  const scanner = mockScanError()
+  const result = await scanner.scanBuffer(Buffer.from('data'))
+  assert.equal(result, Verdict.ScanError)
+})
+```
+
+### `createMockScanner(defaultVerdict)`
+
+Creates a scanner that resolves every scan call to the given verdict.
+
+```js
+const { createMockScanner, Verdict } = require('@pompelmi/testing')
+
+const scanner = createMockScanner(Verdict.Malicious)
+// scanner.scan(), scanner.scanBuffer(), scanner.scanStream() all → Verdict.Malicious
+```
+
+### `withMockedPompelmi(verdict, fn)`
+
+Convenience wrapper that creates the mock and passes it to your test function.
+
+```js
+const { withMockedPompelmi, Verdict } = require('@pompelmi/testing')
+
+it('rejects infected files', () =>
+  withMockedPompelmi(Verdict.Malicious, async (scanner) => {
+    const result = await scanner.scanBuffer(Buffer.from('eicar'))
+    assert.equal(result, Verdict.Malicious)
+  })
+)
+```
+
+## Jest Example
+
+```js
+import { mockInfected, Verdict } from '@pompelmi/testing'
+
+// Manually inject the mock scanner into a module under test
+jest.mock('pompelmi', () => mockInfected('Eicar'))
+
+test('upload handler rejects infected files', async () => {
+  const { handleUpload } = await import('./upload-handler')
+  const response = await handleUpload(evilBuffer)
+  expect(response.status).toBe(422)
+})
+```
+
+## Vitest Example
+
+```ts
+import { mockClean, Verdict } from '@pompelmi/testing'
+import { vi, it, expect } from 'vitest'
+
+vi.mock('pompelmi', () => mockClean())
+
+it('allows clean files', async () => {
+  const { handleUpload } = await import('./upload-handler')
+  const res = await handleUpload(cleanBuffer)
+  expect(res.status).toBe(200)
+})
+```
+
+## Node.js built-in test runner
+
+```js
+const { describe, it } = require('node:test')
+const assert = require('node:assert/strict')
+const { mockInfected, Verdict } = require('@pompelmi/testing')
+
+describe('upload handler', () => {
+  it('rejects infected files', async () => {
+    const scanner = mockInfected('Win.Malware.Agent')
+    const result = await scanner.scanBuffer(Buffer.from('eicar'))
+    assert.equal(result, Verdict.Malicious)
+    assert.equal(scanner.virusName, 'Win.Malware.Agent')
+  })
+})
+```
+
+## API
+
+| Export | Description |
+|--------|-------------|
+| `createMockScanner(verdict)` | Returns a mock scanner that resolves to `verdict` |
+| `mockClean()` | Shorthand for `createMockScanner(Verdict.Clean)` |
+| `mockInfected(virusName?)` | Shorthand for `createMockScanner(Verdict.Malicious)` |
+| `mockScanError()` | Shorthand for `createMockScanner(Verdict.ScanError)` |
+| `withMockedPompelmi(verdict, fn)` | Runs `fn` with a mock scanner, returns a Promise |
+| `Verdict` | Re-exported from `pompelmi` |
+
+## License
+
+ISC — see root [LICENSE](../../LICENSE).

package/packages/testing/index.d.ts

@@ -0,0 +1,44 @@
+
+export interface MockScanner {
+  Verdict: { readonly Clean: symbol; readonly Malicious: symbol; readonly ScanError: symbol };
+  scan(filePath: string): Promise<symbol>;
+  scanBuffer(buffer: Buffer | Uint8Array): Promise<symbol>;
+  scanStream(stream: NodeJS.ReadableStream): Promise<symbol>;
+  scanS3(opts: Record<string, unknown>): Promise<symbol>;
+  /** The verdict this scanner always resolves to */
+  _verdict: symbol;
+  /** Virus name label — only present on mockInfected() scanners */
+  virusName?: string;
+}
+
+/**
+ * Creates a mock pompelmi scanner where every scan method resolves to
+ * `defaultVerdict`.
+ */
+export function createMockScanner(defaultVerdict: symbol): MockScanner;
+
+/** Returns a mock scanner that always resolves to Verdict.Clean */
+export function mockClean(): MockScanner;
+
+/**
+ * Returns a mock scanner that always resolves to Verdict.Malicious.
+ * The `virusName` is stored as `scanner.virusName` for test assertions.
+ */
+export function mockInfected(virusName?: string): MockScanner;
+
+/** Returns a mock scanner that always resolves to Verdict.ScanError */
+export function mockScanError(): MockScanner;
+
+/**
+ * Wraps a test function with a mock scanner.
+ * The scanner is passed as the first argument to `fn`.
+ *
+ * @example
+ * await withMockedPompelmi(Verdict.Malicious, async (scanner) => {
+ *   const result = await scanner.scanBuffer(buffer)
+ *   expect(result).toBe(Verdict.Malicious)
+ * })
+ */
+export function withMockedPompelmi(verdict: symbol, fn: (scanner: MockScanner) => unknown): Promise<void>;
+
+export { Verdict } from 'pompelmi';

package/packages/testing/index.js

@@ -0,0 +1,82 @@
+'use strict';
+
+const { Verdict } = require('pompelmi');
+
+/**
+ * Creates a mock pompelmi scanner where all scan methods resolve to
+ * the given verdict.
+ *
+ * @param {symbol} defaultVerdict - One of Verdict.Clean, Verdict.Malicious, or Verdict.ScanError.
+ * @returns {{ scan, scanBuffer, scanStream, Verdict }}
+ */
+function createMockScanner(defaultVerdict) {
+  if (defaultVerdict !== Verdict.Clean &&
+      defaultVerdict !== Verdict.Malicious &&
+      defaultVerdict !== Verdict.ScanError) {
+    throw new TypeError('defaultVerdict must be one of Verdict.Clean, Verdict.Malicious, or Verdict.ScanError');
+  }
+
+  return {
+    Verdict,
+    scan:        () => Promise.resolve(defaultVerdict),
+    scanBuffer:  () => Promise.resolve(defaultVerdict),
+    scanStream:  () => Promise.resolve(defaultVerdict),
+    scanS3:      () => Promise.resolve(defaultVerdict),
+    _verdict: defaultVerdict,
+  };
+}
+
+/**
+ * Shorthand: returns a mock scanner that always resolves to Verdict.Clean.
+ */
+function mockClean() {
+  return createMockScanner(Verdict.Clean);
+}
+
+/**
+ * Shorthand: returns a mock scanner that always resolves to Verdict.Malicious.
+ * The virusName parameter is stored on the scanner for inspection in tests.
+ *
+ * @param {string} [virusName='Win.Malware.Test'] - Virus name label (stored as scanner.virusName).
+ */
+function mockInfected(virusName) {
+  const scanner = createMockScanner(Verdict.Malicious);
+  scanner.virusName = virusName || 'Win.Malware.Test';
+  return scanner;
+}
+
+/**
+ * Shorthand: returns a mock scanner that always resolves to Verdict.ScanError.
+ */
+function mockScanError() {
+  return createMockScanner(Verdict.ScanError);
+}
+
+/**
+ * Wraps a test function with a mocked pompelmi scanner.
+ * The scanner is passed as the first argument to fn.
+ *
+ * This is a lightweight helper — for full module-level mocking in Jest/Vitest,
+ * use jest.mock() / vi.mock() directly.
+ *
+ * @param {symbol}   verdict - Verdict to mock.
+ * @param {Function} fn      - Test function that receives the mock scanner.
+ * @returns {Promise}
+ */
+function withMockedPompelmi(verdict, fn) {
+  const scanner = createMockScanner(verdict);
+  try {
+    return Promise.resolve(fn(scanner));
+  } catch (err) {
+    return Promise.reject(err);
+  }
+}
+
+module.exports = {
+  createMockScanner,
+  mockClean,
+  mockInfected,
+  mockScanError,
+  withMockedPompelmi,
+  Verdict,
+};

package/packages/testing/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "@pompelmi/testing",
+  "version": "1.0.0",
+  "description": "Mock utilities for unit-testing applications that use pompelmi — Jest, Vitest, and Node test runner",
+  "license": "ISC",
+  "author": "pompelmi contributors",
+  "homepage": "https://pompelmi.app",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/pompelmi/pompelmi.git",
+    "directory": "packages/testing"
+  },
+  "keywords": [
+    "pompelmi",
+    "testing",
+    "mock",
+    "jest",
+    "vitest",
+    "clamav",
+    "antivirus",
+    "unit-test"
+  ],
+  "main": "./index.js",
+  "types": "./index.d.ts",
+  "scripts": {
+    "test": "node --test test/index.test.js"
+  },
+  "peerDependencies": {
+    "pompelmi": ">=1.14.0"
+  },
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/",
+    "access": "public"
+  }
+}

package/src/BufferScanner.js

@@ -3,6 +3,9 @@
 const net         = require('net');
 const { Verdict } = require('./verdicts.js');
 
+// net.createConnection is polyfilled by Bun — no code changes needed
+const isBun = typeof Bun !== 'undefined'; // eslint-disable-line no-unused-vars
+
 const CLAMD_INSTREAM = Buffer.from('zINSTREAM\0');
 const CHUNK_SIZE     = 64 * 1024;
 

package/src/ClamdScanner.js

@@ -4,6 +4,8 @@ const net            = require('net');
 const fs             = require('fs');
 const { Verdict }    = require('./verdicts.js');
 
+const isBun = typeof Bun !== 'undefined';
+
 // ClamAV INSTREAM protocol:
 //   1. Send "zINSTREAM\0"
 //   2. Send N chunks, each prefixed with a 4-byte big-endian length
@@ -63,24 +65,46 @@ function scanViaClamd(filePath, options = {}) {
             conn.on('data',  (chunk) => chunks.push(chunk));
             conn.on('end',   () => settle(resolve, parseClamdResponse(Buffer.concat(chunks))));
 
-            conn.on('connect', () => {
+            conn.on('connect', async () => {
                 conn.write(CLAMD_INSTREAM);
 
-                const fileStream = fs.createReadStream(filePath, { highWaterMark: CHUNK_SIZE });
-
-                fileStream.on('error', (err) => settle(reject, err));
-
-                fileStream.on('data', (chunk) => {
-                    const header = Buffer.allocUnsafe(4);
-                    header.writeUInt32BE(chunk.length, 0);
-                    conn.write(header);
-                    conn.write(chunk);
-                });
-
-                fileStream.on('end', () => {
+                if (isBun) {
+                    // Bun.file() is faster than fs.createReadStream on Bun
+                    let fileData;
+                    try {
+                        fileData = await Bun.file(filePath).bytes();
+                    } catch (err) {
+                        return settle(reject, err);
+                    }
+                    const buf = Buffer.from(fileData);
+                    let offset = 0;
+                    while (offset < buf.length) {
+                        const chunk  = buf.slice(offset, offset + CHUNK_SIZE);
+                        const header = Buffer.allocUnsafe(4);
+                        header.writeUInt32BE(chunk.length, 0);
+                        conn.write(header);
+                        conn.write(chunk);
+                        offset += chunk.length;
+                    }
                     conn.write(Buffer.alloc(4)); // terminating zero-length chunk
                     conn.end();
-                });
+                } else {
+                    const fileStream = fs.createReadStream(filePath, { highWaterMark: CHUNK_SIZE });
+
+                    fileStream.on('error', (err) => settle(reject, err));
+
+                    fileStream.on('data', (chunk) => {
+                        const header = Buffer.allocUnsafe(4);
+                        header.writeUInt32BE(chunk.length, 0);
+                        conn.write(header);
+                        conn.write(chunk);
+                    });
+
+                    fileStream.on('end', () => {
+                        conn.write(Buffer.alloc(4)); // terminating zero-length chunk
+                        conn.end();
+                    });
+                }
             });
         });
     }