feat(security): add ClamAV integration

Yelinz · Yelinz · commit 3b46d2a91138 · 2024-02-19T17:07:57.000+01:00
This adds django_clamd for AV scanning capabilites with ClamAV.
The scanning can be enabled through the settings.
diff --git a/README.md b/README.md
@@ -111,6 +111,13 @@ A list of configuration options which you need
     The development setup features a minio service, implementing the S3 protocol.
     To use SSE-C in development make sure to generate a certificate for the minio container and set `ALEXANDRIA_S3_VERIFY` to `false`.
 
+- ClamAV
+- `ALEXANDRIA_CLAMD_ENABLED`: Set this to `True` to enable ClamAV (virus scanner).
+- `ALEXANDRIA_CLAMD_SOCKET`: ClamAV socket
+- `ALEXANDRIA_CLAMD_USE_TCP`: Use TCP to connect to ClamAV service
+- `ALEXANDRIA_CLAMD_TCP_SOCKET`: ClamAV service socket
+- `ALEXANDRIA_CLAMD_TCP_ADDR`: ClamAV service address
+
 For development, you can also set the following environemnt variables to help you:
 
 - `ALEXANDRIA_DEV_AUTH_BACKEND`: Set this to "true" to enable a fake auth backend that simulates an authenticated user. Requires `DEBUG` to be set to `True` as well.
diff --git a/alexandria/conftest.py b/alexandria/conftest.py
@@ -44,6 +44,11 @@ def _make_clean_media_dir(settings):
     shutil.rmtree(test_media_root)
 
 
+@pytest.fixture(autouse=True)
+def mock_clamd(mocker):
+    mocker.patch("django_clamd.validators.validate_file_infection", return_value=None)
+
+
 @pytest.fixture
 def admin_groups():
     return ["admin"]
diff --git a/alexandria/core/serializers.py b/alexandria/core/serializers.py
@@ -2,6 +2,7 @@
 from django.contrib.auth.models import AnonymousUser
 from django.template.defaultfilters import slugify
 from django.utils import translation
+from django_clamd.validators import validate_file_infection
 from generic_permissions.validation import ValidatorMixin
 from generic_permissions.visibilities import (
     VisibilityResourceRelatedField,
@@ -231,6 +232,10 @@ def is_valid(self, *args, raise_exception=False, **kwargs):
             self._prepare_multipart()
         return super().is_valid(*args, raise_exception=raise_exception, **kwargs)
 
+    def validate_content(self, value):
+        validate_file_infection(value)
+        return value
+
     class Meta:
         model = models.File
         fields = BaseSerializer.Meta.fields + (
diff --git a/alexandria/settings/alexandria.py b/alexandria/settings/alexandria.py
@@ -160,3 +160,10 @@ def default(default_dev=env.NOTSET, default_prod=env.NOTSET):
 
 # Checksums
 ALEXANDRIA_ENABLE_CHECKSUM = env.bool("ALEXANDRIA_ENABLE_CHECKSUM", default=True)
+
+# Clamav service
+CLAMD_SOCKET = env.str("ALEXANDRIA_CLAMD_SOCKET", default="/var/run/clamav/clamd.ctl")
+CLAMD_USE_TCP = env.bool("ALEXANDRIA_CLAMD_USE_TCP", default=True)
+CLAMD_TCP_SOCKET = env.str("ALEXANDRIA_CLAMD_TCP_SOCKET", default=3310)
+CLAMD_TCP_ADDR = env.str("ALEXANDRIA_CLAMD_TCP_ADDR", default="localhost")
+CLAMD_ENABLED = env.bool("ALEXANDRIA_CLAMD_ENABLED", default=False)
diff --git a/alexandria/settings/django.py b/alexandria/settings/django.py
@@ -16,6 +16,7 @@
     "django.contrib.postgres",
     "localized_fields",
     "psqlextra",
+    "django_clamd",
     "django.contrib.contenttypes",
     "django.contrib.auth",
     "alexandria.core.apps.DefaultConfig",
diff --git a/docker-compose.override.yml b/docker-compose.override.yml
@@ -38,6 +38,7 @@ services:
       - DEBUG=true
       - ALEXANDRIA_DEV_AUTH_BACKEND=true
       - ALEXANDRIA_ALLOW_ANONYMOUS_WRITE=true
+      - ALEXANDRIA_CLAMD_ENABLED=false
 
   minio:
     environment:
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -17,23 +17,25 @@ exclude = ["alexandria/conftest.py", "alexandria/**/tests"]
 packages = [{ include = "alexandria" }]
 
 [tool.poetry.dependencies]
-python = ">=3.8.1,<4.0"
+boto3 = { extras = ["s3"], version = "^1.29.7" }
 django = "~3.2"
+django-clamd = "^0.4.0"
 django-environ = ">=0.9.0,<0.12.0"
 django-filter = ">=22.1,<24.0"
+django-generic-api-permissions = "^0.4.2"
 django-localized-fields = "^6.6"
+django-storages = { extras = ["s3"], version = "^1.14.2" }
 djangorestframework = "^3.13.0"
 djangorestframework-jsonapi = ">=5.0.0,<7.0.0"
 minio = "^7.1.14"
 mozilla-django-oidc = ">=2,<5"
 preview-generator = "^0.29"
+psutil = "^5.9.8"
 psycopg2-binary = "~2.9"
+python = ">=3.8.1,<4.0"
 requests = "^2.31.0"
-uwsgi = "^2.0.20"
-django-generic-api-permissions = "^0.4.2"
-django-storages = { extras = ['s3'], version = "^1.14.2" }
-boto3 = "^1.29.7"
 tqdm = "^4.66.1"
+uwsgi = "^2.0.20"
 
 [tool.poetry.group.dev.dependencies]
 black = "24.2.0"
@@ -64,7 +66,6 @@ python-semantic-release = "7.33.3"
 requests-mock = "1.11.0"
 syrupy = "4.6.1"
 werkzeug = "3.0.1"
-psutil = "^5.9.8"
 
 [tool.isort]
 skip = ["migrations"]
