Add a warning for ClamAV connection failures before saving

Implement a new backend endpoint to test ClamAV configuration and add frontend logic to warn users if the connection fails before saving, including EICAR test file detection in backend tests.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 1117a91e-7ac6-4005-bde2-487c64d5789f
Replit-Commit-Checkpoint-Type: intermediate_checkpoint
Replit-Commit-Event-Id: 53245065-701d-4a45-bb81-0897def75eff
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/afc5b6d1-cfc6-4564-802f-661c3d73f96b/1117a91e-7ac6-4005-bde2-487c64d5789f/LKYJprC

Author: manfredsteger

client/src/components/admin/settings/SecuritySettingsPanel.tsx

@@ -282,6 +282,9 @@ export function SecuritySettingsPanel({ onBack }: { onBack: () => void }) {
   const [clamavTimeout, setClamavTimeout] = useState(30);
   const [clamavMaxFileSize, setClamavMaxFileSize] = useState(25);
   const [clamavTestResult, setClamavTestResult] = useState<ClamAVTestResult | null>(null);
+  const [showClamavWarning, setShowClamavWarning] = useState(false);
+  const [pendingClamavSave, setPendingClamavSave] = useState<Partial<ClamAVConfig> | null>(null);
+  const [isTesting, setIsTesting] = useState(false);
 
   const [showScanLogs, setShowScanLogs] = useState(false);
   const [scanLogFilter, setScanLogFilter] = useState<string>('all');
@@ -344,14 +347,53 @@ export function SecuritySettingsPanel({ onBack }: { onBack: () => void }) {
     }
   });
 
-  const handleSaveClamav = () => {
-    saveClamavMutation.mutate({
+  const handleSaveClamav = async () => {
+    const configData = {
       enabled: clamavEnabled,
       host: clamavHost,
       port: clamavPort,
       timeout: clamavTimeout * 1000,
       maxFileSize: clamavMaxFileSize * 1024 * 1024,
-    });
+    };
+
+    if (clamavEnabled) {
+      setIsTesting(true);
+      try {
+        const response = await apiRequest('POST', '/api/v1/admin/clamav/test-config', {
+          host: clamavHost,
+          port: clamavPort,
+          timeout: clamavTimeout * 1000,
+        });
+        const result = await response.json() as ClamAVTestResult;
+        if (!result.success) {
+          setPendingClamavSave(configData);
+          setShowClamavWarning(true);
+          setIsTesting(false);
+          return;
+        }
+      } catch {
+        setPendingClamavSave(configData);
+        setShowClamavWarning(true);
+        setIsTesting(false);
+        return;
+      }
+      setIsTesting(false);
+    }
+
+    saveClamavMutation.mutate(configData);
+  };
+
+  const handleForceSaveClamav = () => {
+    if (pendingClamavSave) {
+      saveClamavMutation.mutate(pendingClamavSave);
+    }
+    setShowClamavWarning(false);
+    setPendingClamavSave(null);
+  };
+
+  const handleCancelClamavSave = () => {
+    setShowClamavWarning(false);
+    setPendingClamavSave(null);
   };
 
   const [deprovisionEnabled, setDeprovisionEnabled] = useState(false);
@@ -716,8 +758,8 @@ export function SecuritySettingsPanel({ onBack }: { onBack: () => void }) {
                   {testClamavMutation.isPending ? <><Loader2 className="w-4 h-4 mr-2 animate-spin" />{t('admin.security.testing')}</> : <><RefreshCw className="w-4 h-4 mr-2" />{t('admin.security.testConnection')}</>}
                 </Button>
 
-                <Button onClick={handleSaveClamav} disabled={saveClamavMutation.isPending} className="polly-button-primary" data-testid="button-save-clamav">
-                  {saveClamavMutation.isPending ? <><Loader2 className="w-4 h-4 mr-2 animate-spin" />{t('common.saving')}</> : t('admin.security.saveClamav')}
+                <Button onClick={handleSaveClamav} disabled={saveClamavMutation.isPending || isTesting} className="polly-button-primary" data-testid="button-save-clamav">
+                  {(saveClamavMutation.isPending || isTesting) ? <><Loader2 className="w-4 h-4 mr-2 animate-spin" />{isTesting ? t('admin.security.testingBeforeSave') : t('common.saving')}</> : t('admin.security.saveClamav')}
                 </Button>
               </div>
 
@@ -889,6 +931,29 @@ export function SecuritySettingsPanel({ onBack }: { onBack: () => void }) {
           )}
         </CardContent>
       </Card>
+
+      <AlertDialog open={showClamavWarning} onOpenChange={setShowClamavWarning}>
+        <AlertDialogContent>
+          <AlertDialogHeader>
+            <AlertDialogTitle className="flex items-center gap-2">
+              <AlertTriangle className="w-5 h-5 text-amber-500" />
+              {t('admin.security.clamavWarningTitle')}
+            </AlertDialogTitle>
+            <AlertDialogDescription className="space-y-2">
+              <p>{t('admin.security.clamavWarningDescription')}</p>
+              <p className="font-medium text-destructive">{t('admin.security.clamavWarningConsequence')}</p>
+            </AlertDialogDescription>
+          </AlertDialogHeader>
+          <AlertDialogFooter>
+            <AlertDialogCancel onClick={handleCancelClamavSave}>
+              {t('admin.security.clamavWarningCancel')}
+            </AlertDialogCancel>
+            <AlertDialogAction onClick={handleForceSaveClamav} className="bg-amber-600 hover:bg-amber-700">
+              {t('admin.security.clamavWarningProceed')}
+            </AlertDialogAction>
+          </AlertDialogFooter>
+        </AlertDialogContent>
+      </AlertDialog>
     </div>
   );
 }

client/src/locales/de.json

@@ -171,6 +171,12 @@
         "testConnection": "Verbindung testen",
         "testing": "Teste...",
         "saveClamav": "ClamAV speichern",
+        "clamavWarningTitle": "ClamAV-Verbindung fehlgeschlagen",
+        "clamavWarningDescription": "Die Verbindung zum ClamAV-Virenscanner konnte nicht hergestellt werden. Wenn Sie den Scanner trotzdem aktivieren, werden alle Datei-Uploads aus Sicherheitsgründen blockiert (Fail-Secure-Prinzip).",
+        "clamavWarningConsequence": "Achtung: Kein Benutzer wird Bilder oder Dateien hochladen können, solange der Scanner aktiviert, aber nicht erreichbar ist!",
+        "clamavWarningCancel": "Abbrechen und korrigieren",
+        "clamavWarningProceed": "Trotzdem aktivieren",
+        "testingBeforeSave": "Verbindung wird geprüft...",
         "dataRetentionDescription": "Konfigurieren Sie die automatische Bereinigung alter Daten getrennt nach Benutzertyp (DSGVO Art. 5)",
         "guestUsers": "Gastnutzer",
         "anonymous": "Anonym",

client/src/locales/en.json

@@ -171,6 +171,12 @@
         "testConnection": "Test connection",
         "testing": "Testing...",
         "saveClamav": "Save ClamAV",
+        "clamavWarningTitle": "ClamAV Connection Failed",
+        "clamavWarningDescription": "The connection to the ClamAV virus scanner could not be established. If you enable the scanner anyway, all file uploads will be blocked for security reasons (fail-secure principle).",
+        "clamavWarningConsequence": "Warning: No user will be able to upload images or files as long as the scanner is enabled but unreachable!",
+        "clamavWarningCancel": "Cancel and correct",
+        "clamavWarningProceed": "Enable anyway",
+        "testingBeforeSave": "Testing connection...",
         "dataRetentionDescription": "Configure automatic cleanup of old data by user type (GDPR Art. 5)",
         "guestUsers": "Guest Users",
         "anonymous": "Anonymous",

server/routes/admin.ts

@@ -501,6 +501,24 @@ router.post('/clamav/test', requireAdmin, async (req, res) => {
   }
 });
 
+router.post('/clamav/test-config', requireAdmin, async (req, res) => {
+  try {
+    const { host, port, timeout } = req.body;
+    if (!host || !port) {
+      return res.status(400).json({ success: false, message: 'Host and port are required' });
+    }
+    const result = await clamavService.testConnectionWithConfig(
+      host,
+      parseInt(port, 10) || 3310,
+      parseInt(timeout, 10) || 30000
+    );
+    res.json(result);
+  } catch (error) {
+    console.error('Error testing ClamAV config:', error);
+    res.status(500).json({ success: false, message: 'Internal error' });
+  }
+});
+
 router.get('/clamav/scan-logs', requireAdmin, async (req, res) => {
   try {
     const { limit, offset, status, startDate, endDate } = req.query;

server/services/clamavService.ts

@@ -98,6 +98,10 @@ export class ClamAVService {
       return { success: false, message: 'ClamAV is disabled' };
     }
 
+    return this.testConnectionWithConfig(config.host, config.port, config.timeout);
+  }
+
+  async testConnectionWithConfig(host: string, port: number, timeout: number): Promise<{ success: boolean; message: string; responseTime?: number; unavailable?: boolean }> {
     const startTime = Date.now();
 
     return new Promise((resolve) => {
@@ -111,14 +115,13 @@ export class ClamAVService {
         }
       };
 
-      client.setTimeout(config.timeout);
+      client.setTimeout(timeout);
 
       client.on('connect', () => {
         client.write('zPING\0');
       });
 
       client.on('data', (data) => {
-        // Remove null bytes and whitespace - ClamAV sends PONG\0
         const response = data.toString().replace(/\0/g, '').trim();
         cleanup();
         if (response === 'PONG') {
@@ -154,7 +157,7 @@ export class ClamAVService {
         });
       });
 
-      client.connect(config.port, config.host);
+      client.connect(port, host);
     });
   }
 

server/tests/services/clamavService.test.ts

@@ -207,6 +207,67 @@ describe('ClamAV Security - Fail-Secure Behavior', () => {
     });
   });
 
+  describe('EICAR Test Virus Detection', () => {
+    it('should block EICAR test file when scanner is enabled (fail-secure)', async () => {
+      await storage.setSetting({
+        key: 'clamav_config',
+        value: {
+          enabled: true,
+          host: '127.0.0.1',
+          port: 19999,
+          timeout: 2000,
+          maxFileSize: 25 * 1024 * 1024,
+        },
+      });
+
+      const { clamavService } = await import('../../services/clamavService');
+      clamavService.clearConfigCache();
+
+      const eicarSignature = 'X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*';
+      const eicarBuffer = Buffer.from(eicarSignature);
+      const result = await clamavService.scanBuffer(eicarBuffer, 'eicar.com.jpg');
+
+      expect(result.isClean).toBe(false);
+      expect(result.scannerUnavailable).toBe(true);
+    });
+
+    it('should allow EICAR test file when scanner is disabled', async () => {
+      await storage.setSetting({
+        key: 'clamav_config',
+        value: {
+          enabled: false,
+          host: 'localhost',
+          port: 3310,
+          timeout: 5000,
+          maxFileSize: 25 * 1024 * 1024,
+        },
+      });
+
+      const { ClamAVService } = await import('../../services/clamavService');
+      const testService = new ClamAVService();
+      (testService as any).configCache = null;
+      (testService as any).configCacheTime = 0;
+
+      const eicarSignature = 'X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*';
+      const eicarBuffer = Buffer.from(eicarSignature);
+      const result = await testService.scanBuffer(eicarBuffer, 'eicar.com.jpg');
+
+      expect(result.isClean).toBe(true);
+    });
+  });
+
+  describe('testConnectionWithConfig', () => {
+    it('should test connection with provided config (unreachable host)', async () => {
+      const { ClamAVService } = await import('../../services/clamavService');
+      const testService = new ClamAVService();
+
+      const result = await testService.testConnectionWithConfig('127.0.0.1', 19999, 2000);
+
+      expect(result.success).toBe(false);
+      expect(result.unavailable).toBe(true);
+    });
+  });
+
   describe('Admin API Endpoints', () => {
     it('should reject ClamAV scan-logs without auth', async () => {
       const response = await request(app).get('/api/v1/admin/clamav/scan-logs');
@@ -217,5 +278,10 @@ describe('ClamAV Security - Fail-Secure Behavior', () => {
       const response = await request(app).post('/api/v1/admin/clamav/test');
       expect(response.status).toBe(401);
     });
+
+    it('should reject ClamAV test-config without auth', async () => {
+      const response = await request(app).post('/api/v1/admin/clamav/test-config');
+      expect(response.status).toBe(401);
+    });
   });
 });