Merge branch 'cherry-pick-041f2632-2' into 'master_8.0.x'

GiooDev · GiooDev · commit 805694b510c2 · 2025-07-24T11:18:47.000+02:00
CP V8.0 - Bug #14965: Properly handle 'Compressed file is too big to be processed' with scan-avast script. Bug #14965: Properly handle 'Compressed file is too big to be processed' with scan-avast script. * Check if mandatory SCAN_PARAMS are correctly set * Fix wrong return code if there is only 'Compressed file is too big to be processed' in first scan * Get expected return code during too big loop scan (ignore too big and decompression bomb) * Better handling reasons and statuses during scan See merge request vitam/vitam!10698 (cherry picked from commit 041f263) 38995ca Bug #14965: Properly handle 'Compressed file is too big to be processed' with scan-avast script. Co-authored-by: Julien Georges <julien.georges@culture.gouv.fr> See merge request vitam/vitam!10704
diff --git a/deployment/environments/antivirus/scan-avast.sh b/deployment/environments/antivirus/scan-avast.sh
@@ -32,23 +32,39 @@ custom_scan () {
   local FILE_TO_SCAN="$1"
 
   declare -A ignored_list
-  declare -A rejected_list
   declare -A too_big_files
+  declare -A rejected_list
   declare -A virus_detections
 
+  # Check if $SCAN_PARAMS contains the 'J' parameter (for JSON output)
+  if [[ "$SCAN_PARAMS" != *J* ]]; then
+    echo "ERROR: SCAN_PARAMS must contain the 'J' parameter for JSON output." |& tee -a ${WORKING_DIR}/scan.log
+    REASON="Scan not performed, wrong parameter for scan command !"
+    return $RET_FAILURE
+  fi
+
   scan $SCAN_PARAMS "$FILE_TO_SCAN" &>> ${WORKING_DIR}/scan.log
-  local ret_code=$?
   # The exit status is 0 if no infected files are found and 1 otherwise.
   # If an error occurred, the exit status is 2.
   # Infected status takes precedence over error status, thus a scan where some file could not be scanned and some infection was found returns 1.
-
-  # Properly handle REASON without -J param
-  if [[ $ret_code -eq 2 ]]; then
-    REASON="Rejected files found !"
-  elif [[ $ret_code -eq 1 ]]; then
-    REASON="Virus found !"
-    ret_code=$(($ret_code+1)) # Increase the return code to fit the expected Vitam's scan code
-  fi
+  case $? in
+    0)
+      REASON="No virus found."
+      ret_code=$RET_OK
+      ;;
+    1)
+      REASON="Virus found !"
+      ret_code=$RET_VIRUS_FOUND_NOTFIXED # Set to fit the expected Vitam's scan code
+      ;;
+    2)
+      REASON="Rejected files found !"
+      ret_code=$RET_VIRUS_FOUND_FIXED # Temporary set ret_code as fixed to allow custom analysis (we need to determine if the rejected files are too big or ignored patterns)
+      ;;
+    *)
+      REASON="Scan not performed, unknown error !"
+      ret_code=$RET_FAILURE
+      ;;
+  esac
 
   # Analyse JSON logs from scan
   while read -r line; do
@@ -57,6 +73,22 @@ custom_scan () {
 
     path=$(jq -r 'if .path[1] then .path[1] else .path[0] end // empty' <<< "$line")
 
+    # Handle warnings with classification
+    warning_str=$(jq -r '.warning_str // empty' <<< "$line")
+    if [[ -n "$path" && -n "$warning_str" ]]; then
+      if [[ -n "$IGNORED_PATTERN" && "$warning_str" =~ $IGNORED_PATTERN ]]; then
+        # First we catch the ignored patterns
+        ignored_list["$path"]="$warning_str"
+      elif [[ "$warning_str" == "Compressed file is too big to be processed" ]]; then
+        # Then we catch the too big files for individual scan (if not already ignored)
+        too_big_files["$path"]="$warning_str"
+      else
+        # Otherwise, it's a rejected pattern
+        rejected_list["$path"]="$warning_str"
+        ret_code=$RET_VIRUS_FOUND_NOTFIXED
+      fi
+    fi
+
     # Handle virus detections
     if jq -e '.virus? // empty' <<< "$line" > /dev/null; then
       # Without -i parameter to the SCAN_PARAMS, the searched field is .virus
@@ -69,24 +101,12 @@ custom_scan () {
     fi
     if [[ -n "$path" && -n "$virus" ]]; then
       virus_detections["$path"]="$virus"
-    fi
-
-    # Handle warnings with classification
-    warning_str=$(jq -r '.warning_str // empty' <<< "$line")
-    if [[ -n "$path" && -n "$warning_str" ]]; then
-      if [[ "$warning_str" == "Compressed file is too big to be processed" ]]; then
-        too_big_files["$path"]="$warning_str"
-      elif [[ -n "$IGNORED_PATTERN" && "$warning_str" =~ $IGNORED_PATTERN ]]; then
-        ignored_list["$path"]="$warning_str"
-      else
-        rejected_list["$path"]="$warning_str"
-      fi
+      ret_code=$RET_VIRUS_FOUND_NOTFIXED
     fi
   done < "${WORKING_DIR}/scan.log"
 
   # --- Print summaries ---
   if (( ${#ignored_list[@]} > 0 )); then
-    ret_code=$RET_VIRUS_FOUND_FIXED
     REASON="${#ignored_list[@]} warnings found but ignored."
     echo "INFO: ${REASON}" |& tee -a ${WORKING_DIR}/scan.log
     for path in "${!ignored_list[@]}"; do
@@ -95,7 +115,6 @@ custom_scan () {
   fi
 
   if (( ${#rejected_list[@]} > 0 )); then
-    ret_code=$RET_VIRUS_FOUND_NOTFIXED
     REASON="${#rejected_list[@]} rejected files found !"
     echo "ERROR: ${REASON}" |& tee -a ${WORKING_DIR}/scan.log
     for path in "${!rejected_list[@]}"; do
@@ -104,7 +123,6 @@ custom_scan () {
   fi
 
   if (( ${#virus_detections[@]} > 0 )); then
-    ret_code=$RET_VIRUS_FOUND_NOTFIXED
     REASON="${#virus_detections[@]} Virus found !"
     echo "ERROR: $REASON" |& tee -a ${WORKING_DIR}/scan.log
     for path in "${!virus_detections[@]}"; do
@@ -113,15 +131,16 @@ custom_scan () {
   fi
 
   # Do not loop over big files if there are already detected errors
-  if [[ $ret_code -ne $RET_VIRUS_FOUND_NOTFIXED ]]; then
+  if [[ $ret_code -ne $RET_VIRUS_FOUND_NOTFIXED && $ret_code -ne $RET_FAILURE ]]; then
     if (( ${#too_big_files[@]} > 0 )); then
+      REASON="No virus found in too big file."
       echo "INFO: ${#too_big_files[@]} files could not be processed due to size." |& tee -a ${WORKING_DIR}/scan.log
       echo "INFO: Starting individual scan..." |& tee -a ${WORKING_DIR}/scan.log
       for path in "${!too_big_files[@]}"; do
         unzip_and_scan "$FILE_TO_SCAN" "$path"
-        # Exit loop if rc != 0
-        if [ $? -ne 0 ]; then
-          ret_code=$RET_VIRUS_FOUND_NOTFIXED
+        ret_code=$?
+        # Exit loop if virus found or impossible to extract
+        if [[ $ret_code -eq $RET_VIRUS_FOUND_NOTFIXED || $ret_code -eq $RET_FAILURE ]]; then
           break
         fi
       done
@@ -152,21 +171,33 @@ unzip_and_scan () {
     tar xvjf "$ARCHIVE" --directory "$TMP_FILE" |& tee -a ${WORKING_DIR}/scan.log #uncompress the entire archive
   else
     echo "ERROR: $ARCHIVE: mime-type $TYPE_SIP is not supported" |& tee -a ${WORKING_DIR}/scan.log
+    REASON="Unsupported big file type !"
     return $RET_FAILURE
   fi
 
   # Normal scan...
   scan $SCAN_PARAMS "$TMP_FILE" &>> ${WORKING_DIR}/scan.log
-  local RET=$? # return code of scan
+  local ret_scan=$? # return code of scan
 
   rm -f "$TMP_FILE"
 
-  if [ $RET != $RET_OK ]; then
-    REASON="Virus found !"
+  if [ $ret_scan -eq 1 ]; then
+    REASON="Virus found in too big file !"
     return $RET_VIRUS_FOUND_NOTFIXED
+  elif [ $ret_scan -eq 2 ]; then
+    # Read the last line from the scan log
+    last_line=$(tail -n 1 "${WORKING_DIR}/scan.log")
+    if echo "$last_line" | grep -q -E "The file is a decompression bomb|Compressed file is too big to be processed"; then
+      REASON="Ignored pattern found in too big file !"
+      return $RET_VIRUS_FOUND_FIXED
+    else
+      REASON="Rejected pattern found in too big file !"
+      return $RET_VIRUS_FOUND_NOTFIXED
+    fi
   fi
 
-  return $RET
+  # Otherwise, return OK
+  return $RET_OK
 }
 
 ################################################################################
@@ -194,8 +225,9 @@ else # one argument, let's go
     echo "DEBUG: SIP_size: $FILE_SIZE; SIP_format: $TYPE_SIP; sha256sum: $FILE_SUM" |& tee -a ${WORKING_DIR}/scan.log
 
     if grep -Fxq "$FILE_SUM" /etc/avast/whitelist; then
-      echo "File whitelisted, escape scanning..." |& tee -a ${WORKING_DIR}/scan.log
-      RET=0
+      REASON="File whitelisted, escape scanning..."
+      echo "INFO: $REASON" |& tee -a ${WORKING_DIR}/scan.log
+      RET=$RET_VIRUS_FOUND_FIXED
     else
       custom_scan "$SIP"
       RET=$? # return code of scan
@@ -210,7 +242,9 @@ else # one argument, let's go
     elif [ $RET == $RET_VIRUS_FOUND_NOTFIXED ]; then
       RET_MSG="[KO: $REASON]"
     elif [ $RET == $RET_FAILURE ]; then
-      RET_MSG="[ERROR: Scan not performed.]"
+      RET_MSG="[ERROR: $REASON]"
+    else
+      RET_MSG="[ERROR: Unknown return code !]"
     fi
 
     END_TIME=$(date +%s)
