Scan files with clamdscan #77

Merged
Anna Sirota merged 17 commits from scan-file into main 2024-04-12 19:11:30 +02:00
Owner

What this does

Internally

  • scans each newly created file with clamavd client (requires clamavd daemon running);
  • saves the result as a FileValidation record;

clamdscan is called in a background task, so no scanning will happen unless ./manage.py process_tasks is running.

In the admin

  • shows all scan results in the files.File admin;
  • allows filtering "OK" and "not OK" files in the admin as marked by the result of the scan;
  • allows manually triggering the scan for selected files with admin action;

In the front-end

  • displays an alert to moderators and to staff accounts with "view File" (files.view_file) permission;
  • additionally, displays a link to the File admin page for staff accounts with relevant permissions (being in moderators group is not enough).

Screenshots

Scan statuses in admin's list of files: [two screenshots]

Scan results inlined in File's admin: [screenshot]

Custom action in the admin: [screenshot]

Warning shown to staff accounts with a "view File" permission: [screenshot]

Flag in the approval queue (also only shown to staff accounts with a "view File" permission): [screenshot]

TODO

  • [x] run in a background task
  • [x] show a visually alarming flag in the approval queue, when scanner finds something
  • [x] playbooks for configuring clamavd
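
An added example, not code from this pull request: one way a background task could turn a `clamdscan` run into a verdict that fails closed, so a scanner error is never stored as "OK". The `ScanResult` fields and the function names are hypothetical stand-ins for whatever the `FileValidation` record actually holds; the sample output lines in the comments are constructed.

```python
import subprocess
from dataclasses import dataclass
from typing import Optional


@dataclass
class ScanResult:
    # Hypothetical stand-in for the fields a FileValidation record might hold.
    is_ok: Optional[bool]  # True = clean, False = detection, None = scan did not complete
    signatures: list
    raw_output: str


def interpret_scan(returncode: int, output: str) -> ScanResult:
    """Map clamdscan's exit code and per-file lines to a verdict.

    clamdscan exits 0 when nothing was found, 1 when a signature matched,
    and 2 on errors (daemon unreachable, file unreadable, ...).
    """
    signatures = []
    for line in output.splitlines():
        # Per-file result lines look like "<path>: <signature> FOUND".
        if line.endswith(" FOUND") and ": " in line:
            signatures.append(line.rsplit(": ", 1)[1][: -len(" FOUND")])
    if returncode == 1 or signatures:
        return ScanResult(False, signatures, output)
    if returncode == 0:
        return ScanResult(True, [], output)
    # Any other exit code is an error: leave the verdict unknown, never "OK".
    return ScanResult(None, [], output)


def scan_file(path: str, timeout: int = 120) -> ScanResult:
    """Run clamdscan on one file; requires a running clamd daemon."""
    try:
        # --fdpass hands clamd an open descriptor, so the daemon's user does
        # not need read access to the upload directory (local socket only).
        proc = subprocess.run(
            ["clamdscan", "--no-summary", "--fdpass", path],
            capture_output=True, text=True, timeout=timeout,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return ScanResult(None, [], f"scan failed: {exc}")
    return interpret_scan(proc.returncode, proc.stdout + proc.stderr)
```

With a three-state verdict, a "not OK" filter can include the `None` case so that files whose scan never completed stay visible to moderators.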
Anna Sirota added 1 commit 2024-04-11 19:31:37 +02:00
Anna Sirota added the Type: Enhancement label 2024-04-11 19:32:55 +02:00
Anna Sirota added 1 commit 2024-04-12 12:27:44 +02:00
Anna Sirota added 1 commit 2024-04-12 12:30:21 +02:00
Anna Sirota added 3 commits 2024-04-12 14:25:23 +02:00
Use
    ./ansible.sh -i environments/staging install.yaml --diff --tags=deps
    ./ansible.sh -i environments/production install.yaml --diff --tags=deps

to install these on staging/production.
Anna Sirota added 3 commits 2024-04-12 17:53:15 +02:00
Anna Sirota changed title from WIP: Scan a file with clamdscan to Scan a file with clamdscan 2024-04-12 17:53:42 +02:00
Anna Sirota added 1 commit 2024-04-12 17:54:30 +02:00
Anna Sirota added 1 commit 2024-04-12 17:58:47 +02:00
Anna Sirota added 1 commit 2024-04-12 18:07:02 +02:00
Anna Sirota added 1 commit 2024-04-12 18:15:06 +02:00
Anna Sirota added 1 commit 2024-04-12 18:27:41 +02:00
Anna Sirota added 1 commit 2024-04-12 18:52:11 +02:00
Anna Sirota changed title from Scan a file with clamdscan to Scan files with clamdscan 2024-04-12 18:54:03 +02:00
Anna Sirota added 1 commit 2024-04-12 19:01:33 +02:00
Anna Sirota added 1 commit 2024-04-12 19:04:14 +02:00
Oleg-Komarov approved these changes 2024-04-12 19:09:01 +02:00
Dismissed
Oleg-Komarov approved these changes 2024-04-12 19:09:41 +02:00
Anna Sirota merged commit 57e3530cd5 into main 2024-04-12 19:11:30 +02:00
Anna Sirota deleted branch scan-file 2024-04-12 19:11:40 +02:00
Reference: infrastructure/extensions-website#77