kobaltz / clamby Goto Github PK

https://rubygems.org/gems/clamby/versions/1.6.9 and 52b6ff4 are out, but there's no tag/release/etc.

As a result, Dependabot can't show the changes

Impact: this looks slightly like a dodgy release by a malicious actor who has potentially compromised your rubygems account.
As clamby is used for AV scanning, it's a plausible target.
The reality is it's a non issue, but it seems alarming at first glance!

I am running an attache image server inside a container managed by dokku, I have added clamby to attache, and on my development machine (not dokku, just running the apps) it works fine... On my server it does not. It complains that every upload is a virus. I know this is likely a dokku/server problem rather than a clamby problem, but I wondered whether anyone might have an idea of what the problem could be?

clamby configuration:

# setup clamby
Clamby.configure({
                  :check => false,
                  :daemonize => true,
                  :error_clamscan_missing => false,
                  :error_file_missing => false,
                  :error_file_virus => true
                })

then just after upload:

          # check if free from viruses with clamby
          unless Clamby.safe?(path_of(cachekey))
            File.delete(path_of(cachekey))
            # raise virus-found error 
            raise 'Upload infected with a virus - rejected.'
          end

the error I get back is:
VIRUS DETECTED on 2017-09-22 15:22:59 +0000: /tmp/076/6B2/attache.myserver.com%2F7f%2F9c%2Fa8%2F4d%2Ff1%2F80%2Fe1%2F84%2F94%2F2c%2Fd0%2F98%2Fe3%2F35%2F68%2F1d%2Ftest-pic.jpeg

so am I right in assuming that the file is being scanned and giving a false positive? Or could the real error be masked here? I am thinking it seems like the latter as the file is definitely virus free...

As I say, I know this is unlikely a clamby issue, but I was hoping you might be able to point me in the direction of what the real error might be (as it certainly looks as though clamav is running fine, and the file is found and scanned) - or at least if I might get this error even if the real problem is not that a virus has been found (maybe the file is not being scanned or not found or something)?

Thanks,

J

This problem is related to #31. For me, #31 didn't solve the problem. Clamsy and clamdscan worked fine local and with files I had put myself on the server in /tmp. But not with tempfiles created by ActiveStorage, like /tmp/RackMultipart20210304-544254-1q5vwnm.jpg.

We use clamsy in daemon mode, like "/usr/sbin/clamd -c /etc/clamd.d/scan.conf" as user 'clamscan'.

The problem was in the file permissions: RackMultipart... had 600, while the files I had put in this directory had 644. So the clamsy user had no access to the tempfile that was created by the application user.

My solution is to change attributes temporarily before the virusscan was done in the code:

if File.exist?(attachable.tempfile.path)
          # Temporarily change permissions, so the daemon has access. If not, it always returns false positive for any file.
          File.chmod(0644, attachable.tempfile.path)
          record.errors.add(attribute, :may_be_infected, file: attachable.original_filename) if Clamby.virus?(attachable.tempfile.path)
          File.chmod(0600, attachable.tempfile.path)
        end

So, for me, this problem is solved, but maybe a better solution could be found.

Great gem @kobaltz thanks!

I've got a requirement to display the type of virus that has been detected. I've already written the changes needed to add this to clamby but thought I'd check if that would be something you'd be interested in merging before creating the PR.

Basically just modifying the Command class, specifically the .scan and #run methods to parse the console output and include the parsed virus type when raising the VirusDetected error. My change swaps out the system call with a Open3 library function call to peek at the output and error streams.

Thoughts?

I'm not certain if this is a repeat of #9

I configured Clamby with ClamAV in a local environment, and didn't experience any issues.

However, when attempting to configure Clamby and ClamAV in a production environment, I'm experiencing an issue where the Clamby#safe? method returns false for all files and Clamby#virus? method returns true for all files.

My production environment is running Ubuntu 16.05.5 LTS, and ClamAV, clamd, and freshclam have been installed and configured properly, to my knowledge.

irb(main):001:0> Clamby::Command.clamscan_version
ClamAV 0.102.1
=> true

$ ps aux | grep clamd
clamav   26428  3.3 21.3 1073956 864960 ?      Ssl  16:06   1:13 /usr/sbin/clamd --foreground=true

Per ClamAV documentation, clamd is running under the "clamav" user. I'm not sure if this is how the daemon should be configured to work with Clamby or not.

/config/initializers/clamby.rb

Clamby.configure({
  :check => false,
  :daemonize => true,
  :error_clamscan_missing => false,
  :error_file_missing => false,
  :error_file_virus => false,
  :fdpass => true
})

When I check any file, even files contained in my Rails application, Clamby returns that all are viruses:

Example:

irb(main):001:0> test_path = "#{Rails.root}/README.md"
=> "/home/deploy/rails_app/README.md"
irb(main):002:0> Clamby.safe?(test_path)
=> false
irb(main):003:0> Clamby.virus?(test_path)
=> true

Additionally, clamd.conf and freshclam.conf have been configured properly:

clamd.conf
# Comment or remove the line below.
# Example
...
# TCP port address.
# Default: no
TCPSocket 3310

freshclam.conf
# Comment or remove the line below.
# Example

freshclam is also properly configured and updated:

$ freshclam
ClamAV update process started at Thu Dec 12 16:50:23 2019
daily.cld database is up to date (version: 25661, sigs: 2046351, f-level: 63, builder: raynman)
main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)

Any help would be appreciated, as I'm not sure what's going wrong here between the various components involved.

Thanks.

We are integrating this gem to another framework and we would like to do the version check during the application's startup process.

Currently this gem does it with the clamscan executable even when the daemonize configuration option is set to true. The check could also be done using the clamdscan executable:
https://linux.die.net/man/1/clamdscan

It is just a minor annoyance as this only happens once in the startup process of the application but would save few seconds of execution time during the startup. Would be nice change from our perspective if it doesn't pose any possible issues in the existing applications using this gem.

I thought I'd ask whether there is any reasoning behind this before suggesting any changes to the behavior. We would like to change this line to:

  new.run scan_executable, '--version'

Would you see any behavioral impacts of this change in the existing applications that are using this?

It would be handy if you could scan a Tempfile (child of File) object as it exists in memory.
irb> require 'tempfile'
file = Tempfile.open("/path/to/file/file.txt")
file.unlink
Clamby.safe?(file)

I realise this may be a limitation as clamscan but thought I would make the suggestion anyway.

Hi after including this gem, bundle and doing nothing else I am getting this error when I run "rails console" and it crash.

versions/2.6.5/lib/ruby/gems/2.6.0/gems/clamby-1.6.6/lib/clamby.rb:34:in `delete': can't modify frozen Hash (FrozenError)

MacOS Sig Sur (11.3)
Rails 5.2.5
ruby 2.6.5p114 (2019-10-01 revision 67812) [x86_64-darwin20]

Hello,

When calling Clamby.safe? with a file path which include the character ( or ) (my filename is filename(2021-10-01).pdf, it returns an error and does not test the file:

> Clamby.safe?(path)
ClamAV 0.103.2/26364/Thu Nov 25 09:20:31 2021
sh: 1: Syntax error: "(" unexpected
 => false

I am running it on a Ubuntu 20 server

Thank you!

I am planning to use clamav for scanning uploaded files and was planning to create a ruby wrapper for clamav command line utilities. On searching I found your gem.
So I just wanted to know is this production ready setup. I wanted to use this badly on my production servers.

Guys, I'm using Rails 4 with Ruby version 2.2.10 , I added the gem 'clamby' to my Gemfile
then installed the gem by used the command bundle install
and added the below configurations to my file /config/initializers/clamby.rb :

Clamby.configure({
  :check => false,
  :daemonize => true,
  :config_file => nil,
  :error_clamscan_missing => false,
  :error_clamscan_client_error => false,
  :error_file_missing => false,
  :error_file_virus => false,
  :fdpass => true,
  :stream => true,
  :output_level => 'medium', # one of 'off', 'low', 'medium', 'high'
  :executable_path_clamscan => 'clamscan',
  :executable_path_clamdscan => 'clamdscan',
  :executable_path_freshclam => 'freshclam'
})

but actually my application is dockerized so I defined clamav in my docker-compose.yml file as service

services:
  clamav:
    image: mkodockx/docker-clamav:alpine
    environment:
      MODE: av
    ulimits:
      stack: 1048576
    volumes:
      - conf:/etc/clamav
      - data:/var/lib/clamav

  freshclam:
    image: aschepis/freshclam
    environment:
      MODE: updater
    volumes:
      - conf:/etc/clamav
      - data:/var/lib/clamav

  clamav_milter:
    image: bastienf/clamav-milter
    environment:
      MODE: milter
    container_name: clamav_milter_1
    volumes:
      - conf:/etc/clamav

  clamav_daemon:
    image: oh22/clamav-daemon
    container_name: clamav_daemon_1
    volumes:
      - conf:/etc/clamav
app:
  links:
      - clamav:clamav
  depends_on:
      - clamav
      - freshclam
      - clamav_milter
      - clamav_daemon
volumes:
  conf:
  data:

but I tested the gem through rails c and found it catch any file as virus and not safe file!!

Clamby.safe?("#{Rails.root}/public/images/astm.txt")
=> false
Clamby.virus?("#{Rails.root}/public/images/astm.txt")
=> true

Also I tried all the configurations options but still facing the same case!
what I miss?!!

Thanks in advance for all of your work on the Clamby gem. In getting the Clamby gem to work, I ran across an issue that isn't specific to Clamby per se. But I imagine it affects a large number of Linux users who are trying to use Clamby. By default, clamdscan is limited by AppArmor in terms of what directories it can access. A rails project would typically be outside of these whitelisted directories (e.g. mine was in /var/www/....). So when I tried to have Clamby scan a file, I received a generic error of "Can't open file or directory ERROR". The ClamAV daemon runs as 'clamav', and that user could read the file fine. So it was rather perplexing. A brief mention of this gotcha in the README might save some time for future users.

Exceptions::VirusDetected errors are raised when attempting to run a daemonized scan while the daemon is not running. In this case, underlying scanner reports an error like:

ERROR: Could not lookup (...): Servname not supported for ai_socktype

Rather than reporting the error, the #virus? method reports a virus found VirusDetected. The README leads me to believe it should return nil:

If you use virus? to scan a file, it will return true if a virus was found, false if no virus was found, and nil if there was a problem finding the file or if there was a problem using clamscan

Is this the intended interface? I see a similar issue discussed in #9 but the false positive failure state seems taken for granted, there.

I see this behavior with the following configuration:

  Clamby.configure(                                                                                                                                                                                                                                                              
    check:  false,                                                                                                                                                                                                                      
    daemonize: true,                                                                                                                                                                                                                                                             
    error_clamscan_missing: true,                                                                                                                                                                                                                                                
    error_file_missing: true,                                                                                                                                                                                                                                                    
    error_file_virus: true,                                                                                                                                                                                                                                                      
    fdpass: true                                                                                                                                                                                                                                                                 
  ) 

Clamby makes system calls using string interpolation. This creates an attack vector for arbitrary code execution. They should be escaped properly.

Hello,

I am trying to scan before uploading a file, getting NameError (uninitialized constant Client::Clamby) error. I followed the same steps defined in the REDME file. It's working on my local machine(ubuntu 18.04) but not on production server(ubuntu 14.04)

Please help.
Thanks.