-
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmain.go
More file actions
200 lines (167 loc) · 5.44 KB
/
main.go
File metadata and controls
200 lines (167 loc) · 5.44 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
package main
import (
"encoding/json"
"io"
"log"
"net/http"
"os"
"time"
)
// ScanResponse is the JSON response for scan requests
type ScanResponse struct {
Status string `json:"status"` // "clean", "infected", "error"
Threats []Threat `json:"threats"` // List of detected threats
ScannedFiles int `json:"scanned_files"` // Number of files scanned
ScanTimeMs int64 `json:"scan_time_ms"` // Scan duration in milliseconds
Error string `json:"error,omitempty"`
}
// Threat represents a detected virus/malware
type Threat struct {
Name string `json:"name"` // Virus/malware name
File string `json:"file"` // File path within archive
FileHash string `json:"file_hash,omitempty"` // SHA256 hash of infected file
Severity string `json:"severity"` // Always "critical" for malware
}
// HealthResponse for health check endpoint
type HealthResponse struct {
Status string `json:"status"`
ClamAVVersion string `json:"clamav_version,omitempty"`
DBVersion string `json:"db_version,omitempty"`
}
// Global scanner instance
var scanner *Scanner
// Global config instance
var config *Config
func main() {
// Load configuration from environment variables
config = LoadConfig()
// Log configuration on startup
log.Printf("ClamAV REST server starting...")
config.LogConfig()
// Initialize scanner with configuration
scanner = NewScanner(config)
// Set up routes
mux := http.NewServeMux()
mux.HandleFunc("/health", healthHandler)
mux.HandleFunc("/scan", scanHandler)
// Configure server with timeouts to prevent slow-loris attacks
// and connection exhaustion
server := &http.Server{
Addr: ":" + config.Port,
Handler: mux,
ReadTimeout: config.ReadTimeout,
WriteTimeout: config.WriteTimeout,
IdleTimeout: config.IdleTimeout,
}
log.Printf("Listening on port %s", config.Port)
if err := server.ListenAndServe(); err != nil {
log.Fatalf("Server failed to start: %v", err)
}
}
// healthHandler returns service health status.
// Returns 503 Service Unavailable if clamd is not running.
func healthHandler(w http.ResponseWriter, r *http.Request) {
version, dbVersion, err := scanner.GetVersion()
w.Header().Set("Content-Type", "application/json")
if err != nil {
// clamd is unavailable - return 503 so Kubernetes knows we're unhealthy
w.WriteHeader(http.StatusServiceUnavailable)
json.NewEncoder(w).Encode(HealthResponse{
Status: "unhealthy",
ClamAVVersion: "",
DBVersion: "",
})
return
}
json.NewEncoder(w).Encode(HealthResponse{
Status: "ok",
ClamAVVersion: version,
DBVersion: dbVersion,
})
}
// scanHandler handles file upload and scanning
func scanHandler(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
startTime := time.Now()
// Parse multipart form with configured size limit
if err := r.ParseMultipartForm(config.MaxUploadSize); err != nil {
// Log full error internally, return generic message to client
log.Printf("Failed to parse multipart form: %v", err)
sendError(w, "Invalid request format")
return
}
file, header, err := r.FormFile("file")
if err != nil {
log.Printf("No file in request: %v", err)
sendError(w, "No file provided in request")
return
}
defer file.Close()
// Sanitize filename for logging (remove control characters, limit length)
safeFilename := sanitizeFilename(header.Filename)
log.Printf("Received file: %s (%d bytes)", safeFilename, header.Size)
tempFile, err := os.CreateTemp("", "clamav-scan-*")
if err != nil {
log.Printf("Failed to create temp file: %v", err)
sendError(w, "Server error during file processing")
return
}
defer os.Remove(tempFile.Name())
defer tempFile.Close()
if _, err := io.Copy(tempFile, file); err != nil {
log.Printf("Failed to write temp file: %v", err)
sendError(w, "Server error during file processing")
return
}
tempFile.Close()
result, err := scanner.ScanFile(tempFile.Name())
if err != nil {
log.Printf("Scan failed for %s: %v", safeFilename, err)
sendError(w, "Scan operation failed")
return
}
status := "clean"
if len(result.Threats) > 0 {
status = "infected"
}
response := ScanResponse{
Status: status,
Threats: result.Threats,
ScannedFiles: result.ScannedFiles,
ScanTimeMs: time.Since(startTime).Milliseconds(),
}
log.Printf("Scan completed: %s - %s (%d threats, %d files, %dms)",
safeFilename, status, len(result.Threats), result.ScannedFiles, response.ScanTimeMs)
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(response)
}
// sendError sends an error response to the client.
// Note: message should be a generic, sanitized string - do not include internal errors.
func sendError(w http.ResponseWriter, message string) {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusInternalServerError)
json.NewEncoder(w).Encode(ScanResponse{
Status: "error",
Error: message,
})
}
// sanitizeFilename removes control characters and limits length for safe logging.
func sanitizeFilename(filename string) string {
// Limit length to prevent log flooding
const maxLen = 100
if len(filename) > maxLen {
filename = filename[:maxLen] + "..."
}
var result []rune
for _, r := range filename {
if r < 32 || r == 127 {
result = append(result, '_')
} else {
result = append(result, r)
}
}
return string(result)
}