malcious detection

Admin9705 · Admin9705 · commit 218be9c8b0d7 · 2025-06-10T17:30:09.000-04:00
diff --git a/frontend/static/js/settings_forms.js b/frontend/static/js/settings_forms.js
@@ -1156,6 +1156,42 @@ const SettingsForms = {
                     </div>
                     <p class="setting-help">Time to wait between Swaparr processing cycles (default: 900 seconds / 15 minutes)</p>
                 </div>
+                
+                <div class="setting-item">
+                    <label for="swaparr_malicious_detection">
+                        <a href="https://plexguide.github.io/Huntarr.io/apps/swaparr.html#malicious-file-detection" class="info-icon" title="Enable malicious file detection" target="_blank" rel="noopener">
+                            <i class="fas fa-info-circle"></i>
+                        </a>
+                        Malicious File Detection:
+                    </label>
+                    <label class="toggle-switch" style="width:40px; height:20px; display:inline-block; position:relative;">
+                        <input type="checkbox" id="swaparr_malicious_detection" ${settings.malicious_file_detection === true ? 'checked' : ''}>
+                        <span class="toggle-slider" style="position:absolute; cursor:pointer; top:0; left:0; right:0; bottom:0; background-color:#3d4353; border-radius:20px; transition:0.4s;"></span>
+                    </label>
+                    <p class="setting-help">Automatically detect and immediately remove downloads with malicious file types</p>
+                </div>
+                
+                <div class="setting-item">
+                    <label for="swaparr_malicious_extensions">
+                        <a href="https://plexguide.github.io/Huntarr.io/apps/swaparr.html#malicious-extensions" class="info-icon" title="File extensions to consider malicious" target="_blank" rel="noopener">
+                            <i class="fas fa-info-circle"></i>
+                        </a>
+                        Malicious File Extensions:
+                    </label>
+                    <textarea id="swaparr_malicious_extensions" rows="3" placeholder="Enter file extensions separated by commas...">${(settings.malicious_extensions || ['.lnk', '.exe', '.bat', '.cmd', '.scr', '.zipx', '.jar', '.vbs']).join(', ')}</textarea>
+                    <p class="setting-help">File extensions to block (comma-separated). Examples: .lnk, .exe, .bat, .zipx</p>
+                </div>
+                
+                <div class="setting-item">
+                    <label for="swaparr_suspicious_patterns">
+                        <a href="https://plexguide.github.io/Huntarr.io/apps/swaparr.html#suspicious-patterns" class="info-icon" title="Suspicious filename patterns" target="_blank" rel="noopener">
+                            <i class="fas fa-info-circle"></i>
+                        </a>
+                        Suspicious Patterns:
+                    </label>
+                    <textarea id="swaparr_suspicious_patterns" rows="3" placeholder="Enter suspicious patterns separated by commas...">${(settings.suspicious_patterns || ['password.txt', 'readme.txt', 'install.exe', 'keygen', 'crack']).join(', ')}</textarea>
+                    <p class="setting-help">Filename patterns to block (comma-separated). Examples: password.txt, keygen, crack</p>
+                </div>
             </div>
             
 
@@ -1571,6 +1607,23 @@ const SettingsForms = {
                 settings.remove_from_client = getInputValue('#swaparr_remove_from_client', true);
                 settings.dry_run = getInputValue('#swaparr_dry_run', false);
                 settings.sleep_duration = getInputValue('#swaparr_sleep_duration', 900);
+                
+                // Malicious file detection settings
+                settings.malicious_file_detection = getInputValue('#swaparr_malicious_detection', false);
+                
+                // Parse malicious extensions (comma-separated)
+                const extensionsText = document.getElementById('swaparr_malicious_extensions')?.value || '';
+                settings.malicious_extensions = extensionsText
+                    .split(',')
+                    .map(ext => ext.trim())
+                    .filter(ext => ext.length > 0);
+                
+                // Parse suspicious patterns (comma-separated)
+                const patternsText = document.getElementById('swaparr_suspicious_patterns')?.value || '';
+                settings.suspicious_patterns = patternsText
+                    .split(',')
+                    .map(pattern => pattern.trim())
+                    .filter(pattern => pattern.length > 0);
             }
         }
         
diff --git a/src/primary/apps/swaparr/handler.py b/src/primary/apps/swaparr/handler.py
@@ -34,6 +34,7 @@
     'total_processed': 0,
     'strikes_added': 0,
     'downloads_removed': 0,
+    'malicious_removed': 0,
     'items_ignored': 0,
     'api_calls_made': 0,
     'errors_encountered': 0,
@@ -49,6 +50,7 @@ def reset_session_stats():
         'total_processed': 0,
         'strikes_added': 0,
         'downloads_removed': 0,
+        'malicious_removed': 0,
         'items_ignored': 0,
         'api_calls_made': 0,
         'errors_encountered': 0,
@@ -133,6 +135,39 @@ def generate_item_hash(item):
     hash_input = f"{item['name']}_{item['size']}"
     return hashlib.md5(hash_input.encode('utf-8')).hexdigest()
 
+def check_for_malicious_files(item, settings):
+    """Check if download contains malicious file types"""
+    if not settings.get('malicious_file_detection', False):
+        return False, None
+    
+    # Use user-defined malicious extensions from settings
+    malicious_extensions = settings.get('malicious_extensions', [
+        '.lnk', '.exe', '.bat', '.cmd', '.scr', '.pif', '.com', 
+        '.zipx', '.jar', '.vbs', '.js', '.jse', '.wsf', '.wsh'
+    ])
+    
+    # Use user-defined suspicious patterns from settings
+    suspicious_patterns = settings.get('suspicious_patterns', [
+        'password.txt', 'readme.txt', 'install.exe', 'setup.exe',
+        'keygen', 'crack', 'patch.exe', 'activator'
+    ])
+    
+    item_name = item.get('name', '').lower()
+    
+    # Check for malicious extensions in the title/name
+    for ext in malicious_extensions:
+        if ext.lower() in item_name:
+            swaparr_logger.warning(f"Malicious file detected in '{item_name}': contains {ext}")
+            return True, f"Contains malicious file type: {ext}"
+    
+    # Check for suspicious patterns
+    for pattern in suspicious_patterns:
+        if pattern.lower() in item_name:
+            swaparr_logger.warning(f"Suspicious content detected in '{item_name}': contains {pattern}")
+            return True, f"Contains suspicious content: {pattern}"
+    
+    return False, None
+
 def parse_time_string_to_seconds(time_string):
     """Parse a time string like '2h', '30m', '1d' to seconds"""
     if not time_string:
@@ -444,6 +479,35 @@ def process_stalled_downloads(app_name, instance_name, instance_data, settings):
                     item_state = "Monitoring (Queued)"
                     continue
             
+            # Check for malicious files FIRST - immediate removal without strikes
+            is_malicious, malicious_reason = check_for_malicious_files(item, settings)
+            if is_malicious:
+                swaparr_logger.error(f"MALICIOUS CONTENT DETECTED: {item['name']} - {malicious_reason}")
+                
+                if not settings.get("dry_run", False):
+                    if delete_download(app_name, instance_data["api_url"], instance_data["api_key"], item["id"], True):
+                        swaparr_logger.info(f"Successfully removed malicious download: {item['name']}")
+                        
+                        # Mark as removed to prevent reappearance
+                        removed_items[item_hash] = {
+                            "name": item["name"],
+                            "removed_time": datetime.utcnow().isoformat(),
+                            "reason": f"Malicious: {malicious_reason}",
+                            "size": item["size"]
+                        }
+                        save_removed_items(app_name, removed_items)
+                        
+                        item_state = f"REMOVED (Malicious: {malicious_reason})"
+                        
+                        # Track malicious removal statistics
+                        SWAPARR_STATS['malicious_removed'] = SWAPARR_STATS.get('malicious_removed', 0) + 1
+                        increment_swaparr_stat("malicious_removals", 1)
+                else:
+                    swaparr_logger.info(f"DRY RUN: Would remove malicious download: {item['name']} - {malicious_reason}")
+                    item_state = f"Would Remove (Malicious: {malicious_reason})"
+                
+                continue  # Skip to next item - don't process further
+            
             # Initialize strike count if not already in strike data
             if item_id not in strike_data:
                 strike_data[item_id] = {
diff --git a/src/primary/default_configs/swaparr.json b/src/primary/default_configs/swaparr.json
@@ -5,5 +5,8 @@
   "ignore_above_size": "25GB",
   "remove_from_client": true,
   "dry_run": false,
-  "sleep_duration": 900
+  "sleep_duration": 900,
+  "malicious_file_detection": false,
+  "malicious_extensions": [".lnk", ".exe", ".bat", ".cmd", ".scr", ".pif", ".com", ".zipx", ".jar", ".vbs", ".js", ".jse", ".wsf", ".wsh"],
+  "suspicious_patterns": ["password.txt", "readme.txt", "install.exe", "setup.exe", "keygen", "crack", "patch.exe", "activator"]
 } 
