Merge pull request #264 from bcgov/feature/BCHEP-343-clamav-container

Feature/bchep 343 clamav container

Author: NavdeepKaur1811

.github/workflows/dev.yml

@@ -13,6 +13,7 @@ on:
       - public/**
       - spec/**
       - swagger/**
+      - docker/clamav/**
       - config.ru
       - Gemfile
       - Gemfile.lock

.github/workflows/publish-clamav.yml

@@ -0,0 +1,37 @@
+name: Build and Publish ClamAV Image
+
+on:
+  push:
+    branches:
+    - main
+    paths:
+    - .github/workflows/publish-clamav.yml
+    - clamav/**
+
+env:
+  GITHUB_REGISTRY: ghcr.io
+
+jobs:
+  build-push-clamav:
+    runs-on: ubuntu-22.04
+    timeout-minutes: 5
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+    - uses: hmarr/debug-action@f7318c783045ac39ed9bb497e22ce835fdafbfe6
+    - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
+
+    - name: Build and Push
+      uses: egose/actions/docker-build-push@46d589997e49cae4a8a3d06644ae8b04351a30f2
+      with:
+        registry-url: ${{ env.GITHUB_REGISTRY }}
+        registry-username: ${{ github.actor }}
+        registry-password: ${{ secrets.GITHUB_TOKEN }}
+        image-name: bcgov/hesp-clamav
+        docker-context: clamav
+        docker-file: clamav/Dockerfile
+        metadata-tags: |
+          type=ref,event=branch
+          type=sha,format=long,prefix=,suffix=

app/controllers/api/storage_controller.rb

@@ -7,6 +7,93 @@ def upload
     set_rack_response FileUploader.presign_response(:cache, request.env)
   end
 
+  def virus_scan
+    # Pre-upload virus scanning endpoint
+    unless ClamAvService.enabled?
+      render json: {
+               clean: true,
+               message: "Virus scanning disabled"
+             },
+             status: :ok
+      return
+    end
+
+    unless params[:file].present?
+      render json: { error: "File required for scanning" }, status: :bad_request
+      return
+    end
+
+    uploaded_file = params[:file]
+    temp_file = nil
+
+    begin
+      # Create temporary file from uploaded content
+      temp_file =
+        Tempfile.new(
+          [
+            "virus_scan",
+            File.extname(uploaded_file.original_filename || ".tmp")
+          ]
+        )
+      temp_file.binmode
+
+      # Copy file content to temp file
+      uploaded_file.rewind
+      IO.copy_stream(uploaded_file, temp_file)
+      temp_file.close
+
+      # Perform virus scan
+      scan_result = ClamAvService.scan_file(temp_file.path)
+
+      if scan_result[:status] == :infected
+        virus_name = scan_result[:virus_name] || "Unknown virus"
+        Rails.logger.warn "Pre-upload virus detected: #{virus_name} in file #{uploaded_file.original_filename}"
+
+        render json: {
+                 clean: false,
+                 virus_detected: true,
+                 virus_name: virus_name,
+                 message: "Virus detected: #{virus_name}. File upload blocked."
+               },
+               status: :unprocessable_entity
+      elsif scan_result[:status] == :error
+        Rails.logger.error "Virus scan error: #{scan_result[:message]}"
+
+        if Rails.env.production?
+          render json: {
+                   clean: false,
+                   scan_error: true,
+                   message:
+                     "File security scan failed. Please try again or contact support."
+                 },
+                 status: :unprocessable_entity
+        else
+          Rails.logger.warn "Allowing upload in development despite scan error"
+          render json: {
+                   clean: true,
+                   message:
+                     "File passed virus scan (development mode with scan error)"
+                 },
+                 status: :ok
+        end
+      else
+        Rails.logger.info "File passed pre-upload virus scan: #{uploaded_file.original_filename}"
+        render json: { clean: true, message: "File is clean" }, status: :ok
+      end
+    rescue => e
+      Rails.logger.error "Virus scan endpoint error: #{e.message}"
+      render json: {
+               clean: false,
+               scan_error: true,
+               message: "Scan failed: #{e.message}"
+             },
+             status: :internal_server_error
+    ensure
+      temp_file&.close
+      temp_file&.unlink
+    end
+  end
+
   AUTHORIZED_S3_MODELS = {
     "SupportingDocument" => SupportingDocument,
     "StepCode" => StepCode

app/frontend/utils/uploads.ts

@@ -7,8 +7,12 @@ import { getCsrfToken } from './utility-functions';
 const sleep = (delay: number) => new Promise((resolve) => setTimeout(resolve, delay));
 
 export const uploadFile = async (file: File, fileName: string, progressCallback?: (event: ProgressEvent) => void) => {
-  // Use direct upload with presigned URLs
-  console.log('Using direct upload with presigned URLs');
+  // Step 1: Pre-upload virus scanning
+  console.log('Performing virus scan before upload...');
+  await virusScanFile(file, fileName);
+
+  // Step 2: If virus scan passes, proceed with S3 upload
+  console.log('Virus scan passed, proceeding with S3 upload...');
   return await directUpload(file, fileName, progressCallback);
 };
 
@@ -268,3 +272,40 @@ export const persistFileUpload = async (
     throw error;
   }
 };
+
+// Virus scanning function - scans file before S3 upload
+export const virusScanFile = async (file: File, fileName: string): Promise<void> => {
+  try {
+    console.log(`Scanning file for viruses: ${fileName}`);
+
+    const formData = new FormData();
+    formData.append('file', file);
+
+    const response = await fetch('/api/storage/s3/virus_scan', {
+      method: 'POST',
+      body: formData,
+      headers: {
+        'X-CSRF-Token': getCsrfToken(),
+      },
+    });
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => null);
+      const errorMessage = errorData?.message || errorData?.error || 'Virus scan failed';
+      throw new Error(`Virus scan failed: ${errorMessage}`);
+    }
+
+    const scanResult = await response.json();
+
+    if (!scanResult.clean) {
+      const virusName = scanResult.virus_name || 'Unknown virus';
+      const message = scanResult.message || `Virus detected: ${virusName}`;
+      throw new Error(`Upload blocked: ${message}`);
+    }
+
+    console.log(`File passed virus scan: ${fileName}`);
+  } catch (error) {
+    console.error('Virus scan error:', error);
+    throw error; // Re-throw to stop the upload process
+  }
+};

app/services/aws_credential_refresh_service.rb

@@ -196,7 +196,9 @@ def test_credentials(credentials = nil)
           access_key_id: test_creds[:access_key_id],
           secret_access_key: test_creds[:secret_access_key],
           session_token: test_creds[:session_token],
-          region: ENV["BCGOV_OBJECT_STORAGE_REGION"] || "ca-central-1"
+          region: ENV["BCGOV_OBJECT_STORAGE_REGION"] || "ca-central-1",
+          endpoint: ENV["BCGOV_OBJECT_STORAGE_ENDPOINT"],
+          force_path_style: true
         )
 
       # Test by listing bucket (minimal operation)

app/uploaders/file_uploader.rb

@@ -8,11 +8,11 @@ class FileUploader < Shrine
     validate_max_size Constants::Sizes::FILE_UPLOAD_MAX_SIZE * 1024 * 1024 # 100 MB to start
     # Could be images, excel files, bims, we do not have an exhaustive list right now.
 
-    # Immediate virus scanning validation with database storage
+    # Immediate virus scanning validation
     next unless file # Skip if no file attached
     next unless ClamAvService.enabled? # Skip if virus scanning disabled
 
-    Rails.logger.info "Performing immediate virus scan with database storage for: #{file.original_filename}"
+    Rails.logger.info "Performing immediate virus scan for: #{file.original_filename}"
 
     # Check if ClamAV service is reachable before proceeding
     unless ClamAvService.ping
@@ -66,6 +66,18 @@ class FileUploader < Shrine
           )
 
         Rails.logger.warn "Upload blocked - virus detected: #{virus_name} in file #{file.original_filename}"
+
+        # Immediately delete infected file from S3 cache
+        if file.respond_to?(:storage) && file.storage.is_a?(Shrine::Storage::S3)
+          begin
+            Rails.logger.warn "Deleting infected file from S3 cache: #{file.id}"
+            file.delete
+            Rails.logger.info "Successfully deleted infected file from S3 cache: #{file.id}"
+          rescue => delete_error
+            Rails.logger.error "Failed to delete infected file from S3 cache: #{delete_error.message}"
+          end
+        end
+
         errors << error_message
       elsif scan_result[:status] == :error
         Rails.logger.error "Virus scan error: #{scan_result[:message]}"
@@ -124,8 +136,6 @@ class FileUploader < Shrine
       temp_file&.unlink
     end
   end
-
-  # Store immediate virus scan results in database after promotion
   Attacher.promote_block do |attacher|
     # Store virus scan results immediately in database
     if attacher.record.respond_to?(:virus_scan_status) &&

clamav/Dockerfile

@@ -0,0 +1,6 @@
+# See https://hub.docker.com/r/clamav/clamav/tags
+FROM clamav/clamav:1.1
+
+# See https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/1.1/alpine/scripts/docker-entrypoint-unprivileged.sh
+COPY "./scripts/docker-entrypoint-unprivileged.sh" "/init"
+RUN chmod +x /init

clamav/scripts/docker-entrypoint-unprivileged.sh

@@ -0,0 +1,73 @@
+#!/sbin/tini /bin/sh
+# shellcheck shell=sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# Copyright (C) 2021 Olliver Schinagl <oliver@schinagl.nl>
+# Copyright (C) 2021-2022 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+#
+# A beginning user should be able to docker run image bash (or sh) without
+# needing to learn about --entrypoint
+# https://github.com/docker-library/official-images#consistency
+
+set -eu
+
+# run command if it is not starting with a "-" and is an executable in PATH
+if [ "${#}" -gt 0 ] &&
+    [ "${1#-}" = "${1}" ] &&
+    command -v "${1}" >"/dev/null" 2>&1; then
+    # Ensure healthcheck always passes
+    CLAMAV_NO_CLAMD="true" exec "${@}"
+else
+    if [ "${#}" -ge 1 ] &&
+        [ "${1#-}" != "${1}" ]; then
+        # If an argument starts with "-" pass it to clamd specifically
+        exec clamd "${@}"
+    fi
+    # else default to running clamav's servers
+
+    # Ensure we have some virus data, otherwise clamd refuses to start
+    if [ ! -f "/var/lib/clamav/main.cvd" ]; then
+        echo "Updating initial database"
+        freshclam --foreground --stdout
+    fi
+
+    if [ "${CLAMAV_NO_FRESHCLAMD:-false}" != "true" ]; then
+        echo "Starting Freshclamd"
+        freshclam \
+            --checks="${FRESHCLAM_CHECKS:-1}" \
+            --daemon \
+            --foreground \
+            --stdout \
+            --user="clamav" \
+            &
+    fi
+
+    if [ "${CLAMAV_NO_CLAMD:-false}" != "true" ]; then
+        echo "Starting ClamAV"
+        if [ -S "/tmp/clamd.sock" ]; then
+            unlink "/tmp/clamd.sock"
+        fi
+        clamd --foreground &
+        while [ ! -S "/tmp/clamd.sock" ]; do
+            if [ "${_timeout:=0}" -gt "${CLAMD_STARTUP_TIMEOUT:=1800}" ]; then
+                echo
+                echo "Failed to start clamd"
+                exit 1
+            fi
+            printf "\r%s" "Socket for clamd not found yet, retrying (${_timeout}/${CLAMD_STARTUP_TIMEOUT}) ..."
+            sleep 1
+            _timeout="$((_timeout + 1))"
+        done
+        echo "socket found, clamd started."
+    fi
+
+    if [ "${CLAMAV_NO_MILTERD:-true}" != "true" ]; then
+        echo "Starting clamav milterd"
+        clamav-milter &
+    fi
+
+    # Wait forever (or until canceled)
+    exec tail -f "/dev/null"
+fi
+
+exit 0

config/locales/en.yml

@@ -751,10 +751,13 @@ en:
     application_metrics_csv_headers: 'Jurisdiction,Permit type,Work type,First Nations,In draft,In inbox,Average days before first submit,Average days before latest submit'
   file_upload:
     virus_scan:
-      virus_detected: 'File upload blocked: Virus detected (%{virus_name}). Please scan your file with antivirus software before uploading.'
+      virus_detected: 'File upload failed: The file appears to be corrupted or contains suspicious content. Please try a different file or contact support if you believe this is an error.'
       scan_error_production: 'File upload temporarily unavailable due to security scanning issues. Please try again later.'
-      scan_error_development: 'File upload allowed despite scan error in development mode.'
-      unknown_virus: 'Unknown virus'
+      scan_error_development: 'File upload allowed despite scan error in development mode.'  
+      service_unavailable: 'Virus scanning service unavailable'
+      scan_timeout_production: 'File upload failed due to timeout. Please try again or contact support.'
+      scan_timeout_development: 'File upload timeout in development mode.'
+      unknown_virus: 'Unknown issue'
   audit_log:
     created_record: 'Record created'
     created_with_field: 'Created with %{field}: %{value}'

config/routes.rb

@@ -256,6 +256,7 @@
     post "tags/search", to: "tags#index", as: :tags_search
 
     get "storage/s3" => "storage#upload" # use a storage controller instead of shrine mount since we want api authentication before being able to access
+    post "storage/s3/virus_scan" => "storage#virus_scan" # Pre-upload virus scanning
     get "storage/s3/download" => "storage#download"
     delete "storage/s3/delete" => "storage#delete"