Predisk ClamAV Scan 1755 #398

Open
S-S-T wants to merge 20 commits into develop from predisk-scanning-1755

Conversation

@S-S-T
Contributor

@S-S-T S-S-T commented Mar 10, 2026

Pre-Disk ClamAV Attachment Scanning Epic

Summary

Finalizes all back-end work for the pre-disk ClamAV attachment scanning epic, including Tickets #1751, #1752, #1753, and #1754 — all consolidated into this PR for #1755. This is the single source of truth for this epic.

  • Px deployments: attachments are scanned pre-disk in the Busboy stream before any filesystem or MongoDB writes.
  • Non-Px deployments: scans are safely skipped; attachments are passed directly to storeAttachmentContent().
  • All acceptance criteria from Krista and Story 0 lifecycle are satisfied.
  • There is NO front-end/UI messaging included in this PR (that will be delivered in the next ticket, #1756)

Key Features & Behavior

ClamAV Scan

  • Pre-disk scanning occurs in the Busboy stream for Px deployments.
  • Infected files (e.g., eicar.txt) are rejected with a clear error message.
  • Clean files pass successfully.
  • Non-Px deployments skip scanning safely.

Attachment Lifecycle

  • Fully respects the Story 0 attachment lifecycle.
  • Pre-disk scan occurs before filesystem writes and MongoDB commits.
  • Handles partial attachments correctly: incomplete uploads trigger proper rejection/error reporting.

Front-End

  • Page updates automatically; no manual refresh required.
  • Users see only success or failure of the attachment; no ClamAV internal messages are exposed.

Pre-Testing / Local Setup

AWS SSO Login and ClamAV Forwarding

To run the pre-disk ClamAV scan process, ensure the following is in place:

  1. Add the ClamAV environment variable to docker-compose.yml just under SFTP_PLUGIN_CONFIG_SALT (around line 38):
       CLAM_AV_URL: tcp://clamav:3310
  2. AWS SSO Login
    • You must have an AWS account for magegov.
    • Open a terminal and run:
       aws sso login --profile magegov
    • Follow the web page flow, including two-factor authentication (Authy, DUO, etc.).
  3. Forward to the PX ClamAV server:
       kubectl port-forward svc/clamav 3310:3310 -n clamav
    • You should see output like:
       Forwarding from 127.0.0.1:3310 -> 3310
       Forwarding from [::1]:3310 -> 3310
    • Leave this terminal window running while testing.

Testing

  • Verify that EICAR.txt is rejected.
  • Verify multiple clean files (PNG, text) are accepted.
  • Confirm Px/non-Px behavior matches configuration.
  • End-to-end attachment lifecycle can be verified.

Conclusion

This PR includes, consolidates and proves all back-end work for the pre-disk ClamAV attachment scanning epic.

Sanford Schaffer added 20 commits February 19, 2026 06:47
…attachments, configure node debugger, etc..
…canned and cleanly running thru clamav with no errors..
…ully resolve failures in clamav instead of crashing..
…ded, need to keep app afloat, this finishes 1753 ticket..