Parallelize block list scanning. Add mime type check for secret (#1575)

detection.

Author: janbro

server/src/main/java/org/eclipse/openvsx/scanning/BlocklistCheckService.java

@@ -19,13 +19,17 @@
 import org.eclipse.openvsx.util.TempFile;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.core.annotation.Order;
+import org.springframework.core.task.AsyncTaskExecutor;
 import org.springframework.stereotype.Service;
 
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.*;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ConcurrentHashMap;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipException;
 import java.util.zip.ZipFile;
@@ -52,15 +56,18 @@ public class BlocklistCheckService implements PublishCheck {
     private final BlocklistCheckConfig config;
     private final ExtensionScanConfig scanConfig;
     private final FileDecisionRepository fileDecisionRepository;
+    private final AsyncTaskExecutor taskExecutor;
 
     public BlocklistCheckService(
             BlocklistCheckConfig config,
             ExtensionScanConfig scanConfig,
-            FileDecisionRepository fileDecisionRepository
+            FileDecisionRepository fileDecisionRepository,
+            @Qualifier("applicationTaskExecutor") AsyncTaskExecutor taskExecutor
     ) {
         this.config = config;
         this.scanConfig = scanConfig;
         this.fileDecisionRepository = fileDecisionRepository;
+        this.taskExecutor = taskExecutor;
     }
 
     @Override
@@ -121,7 +128,8 @@ public Result check(Context context) {
      * Check extension files against the blocklist.
      */
     private List<BlockedFileInfo> checkForBlockedFiles(TempFile extensionFile) {
-        Map<String, String> fileHashes = new LinkedHashMap<>();
+        // Thread-safe map for parallel hashing: hash -> filePath
+        Map<String, String> fileHashes = new ConcurrentHashMap<>();
 
         try (ZipFile zipFile = new ZipFile(extensionFile.getPath().toFile())) {
             List<? extends ZipEntry> entries = Collections.list(zipFile.entries());
@@ -132,33 +140,30 @@ private List<BlockedFileInfo> checkForBlockedFiles(TempFile extensionFile) {
                     scanConfig.getMaxArchiveSizeBytes()
             );
 
-            int filesHashed = 0;
-            int filesSkipped = 0;
-
-            for (ZipEntry entry : entries) {
-                if (entry.isDirectory()) {
-                    continue;
-                }
-
-                String filePath = entry.getName();
-
-                if (!ArchiveUtil.isSafePath(filePath)) {
-                    logger.debug("Skipping unsafe path: {}", filePath);
-                    filesSkipped++;
-                    continue;
-                }
-
-                try {
-                    String hash = computeHash(zipFile, entry);
-                    fileHashes.put(hash, filePath);
-                    filesHashed++;
-                } catch (IOException e) {
-                    logger.warn("Failed to hash file {}: {}", filePath, e.getMessage());
-                    filesSkipped++;
-                }
+            var hashableEntries = entries.stream()
+                    .filter(entry -> !entry.isDirectory())
+                    .filter(entry -> ArchiveUtil.isSafePath(entry.getName()))
+                    .toList();
+
+            List<CompletableFuture<Void>> futures = new ArrayList<>(hashableEntries.size());
+            
+            for (ZipEntry entry : hashableEntries) {
+                CompletableFuture<Void> future = CompletableFuture.runAsync(() -> {
+                    try {
+                        String hash = computeHash(zipFile, entry);
+                        fileHashes.put(hash, entry.getName());
+                    } catch (IOException e) {
+                        logger.warn("Failed to hash file {}: {}", entry.getName(), e.getMessage());
+                    }
+                }, taskExecutor);
+                futures.add(future);
             }
 
-            logger.debug("Blocklist check: hashed {} files, skipped {}", filesHashed, filesSkipped);
+            // Wait for all hashing to complete (non-blocking wait)
+            CompletableFuture.allOf(futures.toArray(new CompletableFuture[0])).join();
+
+            logger.debug("Blocklist check: hashed {} files, skipped {}", 
+                    fileHashes.size(), entries.size() - hashableEntries.size());
 
         } catch (ZipException e) {
             logger.error("Failed to open extension file as zip: {}", e.getMessage());

server/src/main/java/org/eclipse/openvsx/scanning/SecretCheckService.java

@@ -27,8 +27,7 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.Future;
+import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipException;
@@ -122,81 +121,77 @@ public PublishCheck.Result check(PublishCheck.Context context) {
      * Callers should check {@link #isEnabled()} before invoking this method.
      */
     private SecretDetector.Result scanForSecrets(@NotNull TempFile extensionFile) {
-        // Use thread-safe collection for parallel processing
+        // Thread-safe collection for parallel processing
         List<SecretDetector.Finding> findings = Collections.synchronizedList(new ArrayList<>());
-        AtomicInteger findingsCount = new AtomicInteger(0); // Cap findings to protect memory
+        AtomicInteger findingsCount = new AtomicInteger(0);
 
         try (ZipFile zipFile = new ZipFile(extensionFile.getPath().toFile())) {
             List<? extends ZipEntry> entries = Collections.list(zipFile.entries());
             ArchiveUtil.enforceArchiveLimits(entries, scanConfig.getMaxEntryCount(), scanConfig.getMaxArchiveSizeBytes());
 
+            // Filter to only scannable entries BEFORE creating tasks (optimization)
+            List<? extends ZipEntry> scannableEntries = entries.stream()
+                    .filter(entry -> !entry.isDirectory())
+                    .toList();
+            
             AtomicInteger filesScanned = new AtomicInteger(0);
             AtomicInteger filesSkipped = new AtomicInteger(0);
 
             long startTime = System.currentTimeMillis();
             long timeoutMillis = config.getTimeoutSeconds() * 1000L;
-            List<Future<?>> tasks = new ArrayList<>(entries.size());
 
-            try {
-                for (ZipEntry entry : entries) {
-                    tasks.add(taskExecutor.submit(() -> {
-                        if (System.currentTimeMillis() - startTime > timeoutMillis) {
-                            throw new SecretScanningTimeoutException("Secret detection timed out");
-                        }
-                        
-                        if (Thread.currentThread().isInterrupted()) {
-                            return null;
-                        }
-
-                        if (entry.isDirectory()) {
-                            return null;
-                        }
-                        
-                        String filePath = entry.getName();
-                        try {
-                            boolean scanned = fileContentScanner.scanFile(
-                                zipFile,
-                                entry,
-                                findings,
-                                startTime,
-                                timeoutMillis,
-                                findingsCount,
-                                this::recordFinding
-                            );
-                            if (scanned) {
-                                filesScanned.incrementAndGet();
-                            } else {
-                                filesSkipped.incrementAndGet();
-                            }
-                        } catch (SecretScanningTimeoutException | ScanCancelledException e) {
-                            throw e;
-                        } catch (Exception e) {
-                            logger.error("Failed to scan file {}: {}", filePath, e.getMessage());
-                        }
-                        return null;
-                    }));
-                }
-                
-                for (Future<?> task : tasks) {
+            // Submit all tasks and collect CompletableFutures
+            List<CompletableFuture<Void>> futures = new ArrayList<>(scannableEntries.size());
+            
+            for (ZipEntry entry : scannableEntries) {
+                CompletableFuture<Void> future = CompletableFuture.runAsync(() -> {
+                    // Check timeout at start of each task
+                    if (System.currentTimeMillis() - startTime > timeoutMillis) {
+                        throw new SecretScanningTimeoutException("Secret detection timed out");
+                    }
+                    
+                    if (Thread.currentThread().isInterrupted()) {
+                        return;
+                    }
+                    
+                    String filePath = entry.getName();
                     try {
-                        task.get();
-                    } catch (InterruptedException ie) {
-                        Thread.currentThread().interrupt();
-                        break;
-                    } catch (ExecutionException ee) {
-                        Throwable cause = ee.getCause();
-                        if (cause instanceof SecretScanningTimeoutException) {
-                            throw (SecretScanningTimeoutException) ee.getCause();
-                        } else if (cause instanceof ScanCancelledException) {
-                            break;
+                        boolean scanned = fileContentScanner.scanFile(
+                            zipFile,
+                            entry,
+                            findings,
+                            startTime,
+                            timeoutMillis,
+                            findingsCount,
+                            this::recordFinding
+                        );
+                        if (scanned) {
+                            filesScanned.incrementAndGet();
+                        } else {
+                            filesSkipped.incrementAndGet();
                         }
+                    } catch (SecretScanningTimeoutException | ScanCancelledException e) {
+                        throw e;
+                    } catch (Exception e) {
+                        logger.error("Failed to scan file {}: {}", filePath, e.getMessage());
+                        filesSkipped.incrementAndGet();
                     }
+                }, taskExecutor);
+                futures.add(future);
+            }
+            
+            // Wait for all tasks to complete (or fail)
+            try {
+                CompletableFuture.allOf(futures.toArray(new CompletableFuture[0])).join();
+            } catch (java.util.concurrent.CompletionException ce) {
+                Throwable cause = ce.getCause();
+                if (cause instanceof SecretScanningTimeoutException) {
+                    throw (SecretScanningTimeoutException) cause;
+                } else if (cause instanceof ScanCancelledException) {
+                    // Max findings reached - continue with what we have
+                    logger.debug("Scan cancelled early: {}", cause.getMessage());
                 }
-            } finally {
-                // Ensure we cancel any remaining tasks if the loop exits early
-                for (Future<?> f : tasks) {
-                    f.cancel(true);
-                }
+                // Other exceptions: log and continue
             }
 
             logger.debug("Secret scan complete: {} files scanned, {} files skipped, {} findings", 
@@ -214,7 +209,7 @@ private SecretDetector.Result scanForSecrets(@NotNull TempFile extensionFile) {
             logger.error("Failed to scan extension file: {}", e.getMessage());
             throw new SecretScanningException("Failed to scan extension file: " + e.getMessage(), e);
         } catch (SecretScanningException e) {
-            throw e;  // Re-throw already wrapped exceptions
+            throw e;
         } catch (Exception e) {
             logger.error("Failed to scan extension file: {}", e.getMessage());
             throw new SecretScanningException("Failed to scan extension file: " + e.getMessage(), e);

server/src/main/java/org/eclipse/openvsx/scanning/SecretDetector.java

@@ -15,18 +15,18 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.tika.Tika;
 import org.eclipse.openvsx.util.ArchiveUtil;
 import org.eclipse.openvsx.util.SizeLimitInputStream;
 import jakarta.validation.constraints.NotNull;
 import javax.annotation.Nullable;
 
 import java.io.BufferedReader;
+import java.io.BufferedInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.nio.charset.StandardCharsets;
-import java.util.ArrayList;
-import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -47,6 +47,10 @@ interface FindingRecorder {
     }
 
     private static final Logger logger = LoggerFactory.getLogger(SecretDetector.class);
+    
+    // Tika for content-based file type detection (thread-safe, reusable)
+    private static final Tika tika = new Tika();
+    
     private final AhoCorasick keywordMatcher;
     private final Map<String, List<SecretRule>> keywordToRules;
     private final List<SecretRule> rules;
@@ -55,6 +59,7 @@ interface FindingRecorder {
     private final AhoCorasick globalStopwordMatcher;
     private final AhoCorasick globalExcludedExtensionMatcher;
     private final AhoCorasick inlineSuppressionMatcher;
+    private final List<Pattern> skipMimeTypePatterns;
     private final EntropyCalculator entropyCalculator;
     private final long maxFileSizeBytes;
     private final int maxLineLength;
@@ -71,6 +76,7 @@ interface FindingRecorder {
                   @Nullable AhoCorasick stopwordMatcher,
                   @Nullable AhoCorasick excludedExtensionMatcher,
                   @Nullable AhoCorasick inlineSuppressionMatcher,
+                  @Nullable List<Pattern> skipMimeTypePatterns,
                   @NotNull EntropyCalculator entropyCalculator,
                   long maxFileSizeBytes,
                   int maxLineLength,
@@ -86,6 +92,7 @@ interface FindingRecorder {
         this.globalStopwordMatcher = stopwordMatcher;
         this.globalExcludedExtensionMatcher = excludedExtensionMatcher;
         this.inlineSuppressionMatcher = inlineSuppressionMatcher;
+        this.skipMimeTypePatterns = skipMimeTypePatterns != null ? skipMimeTypePatterns : List.of();
         this.entropyCalculator = entropyCalculator;
         this.maxFileSizeBytes = maxFileSizeBytes;
         this.maxLineLength = maxLineLength;
@@ -130,6 +137,11 @@ boolean scanFile(@NotNull ZipFile zipFile,
             return false;
         }
 
+        // Check if file should be skipped based on MIME type
+        if (shouldExcludeByMimeType(zipFile, entry)) {
+            return false;
+        }
+
         // Read the file line by line with a hard byte limit
         try (InputStream zipStream = zipFile.getInputStream(entry);
             // Use a limited stream since the entry header may not correctly reflect the file size
@@ -362,10 +374,52 @@ private boolean isAllowlistedContent(@NotNull String secretValue) {
 
         return false;
     }
-    
-    // ========================================================================
-    // RESULT TYPES
-    // ========================================================================
+
+    /**
+     * Check if file should be skipped based on MIME type detection using Apache Tika.
+     * 
+     * Uses Tika to detect MIME type from file content (magic bytes, structure, heuristics).
+     * This is more reliable than extension-based detection for files without extensions
+     * or with misleading extensions.
+     * 
+     * Skip patterns are configured via {@code allowlist.skip-mime-types} in the YAML config.
+     * Each pattern is a regex matched against the detected MIME type.
+     * 
+     * @return true if file should be skipped, false if it should be scanned
+     */
+    private boolean shouldExcludeByMimeType(@NotNull ZipFile zipFile, @NotNull ZipEntry entry) {
+        // If no skip patterns configured, don't skip any files based on MIME type
+        if (skipMimeTypePatterns.isEmpty()) {
+            return false;
+        }
+        
+        try (InputStream is = zipFile.getInputStream(entry);
+             BufferedInputStream bis = new BufferedInputStream(is)) {
+            
+            // Tika.detect() reads only the bytes needed for detection
+            String mimeType = tika.detect(bis, entry.getName());
+            
+            if (mimeType == null) {
+                return false;  // Unknown type, scan it to be safe
+            }
+            
+            // Check against configured skip patterns (regex)
+            for (Pattern pattern : skipMimeTypePatterns) {
+                if (pattern.matcher(mimeType).find()) {
+                    logger.debug("Skipping file (MIME {} matches pattern {}): {}", 
+                            mimeType, pattern.pattern(), entry.getName());
+                    return true;
+                }
+            }
+            
+            return false;
+            
+        } catch (IOException e) {
+            // If we can't detect type, don't skip - let the main scan handle errors
+            logger.debug("Could not detect file type for {}: {}", entry.getName(), e.getMessage());
+            return false;
+        }
+    }
 
     /**
      * Result of a secret scan. Immutable.