From cccf6dfc7a3d453220ddf57e50692475e5a869a6 Mon Sep 17 00:00:00 2001
From: Lennart Dohmann
Date: Fri, 3 May 2024 09:58:54 +0200
Subject: [PATCH 1/2] Implement API changes of major gdata/vaas 8.0.0 and add PUP verdict

---
 composer.json                          | 2 +-
 lib/BackgroundJobs/ScanJob.php         | 5 ++--
 lib/BackgroundJobs/TagUnscannedJob.php | 5 ++--
 lib/Service/TagService.php             | 7 ++++--
 lib/Service/VerdictService.php         | 32 ++++++--------------------
 5 files changed, 19 insertions(+), 32 deletions(-)

diff --git a/composer.json b/composer.json
index 1f62ffa9..3d024c09 100644
--- a/composer.json
+++ b/composer.json
@@ -9,7 +9,7 @@
     }
   ],
   "require": {
-    "gdata/vaas": "^7.2.3"
+    "gdata/vaas": "^8.0.0"
   },
   "require-dev": {
     "nextcloud/ocp": "dev-stable28",
diff --git a/lib/BackgroundJobs/ScanJob.php b/lib/BackgroundJobs/ScanJob.php
index 3255c088..0c39a5bd 100644
--- a/lib/BackgroundJobs/ScanJob.php
+++ b/lib/BackgroundJobs/ScanJob.php
@@ -49,12 +49,13 @@ protected function run($argument): void
         }
 
         $maliciousTag = $this->tagService->getTag(TagService::MALICIOUS);
+        $pupTag = $this->tagService->getTag(TagService::PUP);
         $cleanTag = $this->tagService->getTag(TagService::CLEAN);
         $unscannedTag = $this->tagService->getTag(TagService::UNSCANNED);
 
         if ($unscannedTagIsDisabled) {
             if ($autoScanOnlyNewFiles) {
-                $excludedTagIds = [$unscannedTag->getId(), $maliciousTag->getId(), $cleanTag->getId()];
+                $excludedTagIds = [$unscannedTag->getId(), $maliciousTag->getId(), $cleanTag->getId(), $pupTag->getId()];
             } else {
                 $excludedTagIds = [$unscannedTag->getId()];
             }
@@ -63,7 +64,7 @@ protected function run($argument): void
             if ($autoScanOnlyNewFiles) {
                 $fileIds = $this->tagService->getFileIdsWithTag(TagService::UNSCANNED, $quantity, 0);
             } else {
-                $fileIds = $this->tagService->getRandomTaggedFileIds([$maliciousTag->getId(), $cleanTag->getId(), $unscannedTag->getId()], $quantity, $unscannedTag);
+                $fileIds = $this->tagService->getRandomTaggedFileIds([$maliciousTag->getId(), $cleanTag->getId(), $unscannedTag->getId(), $pupTag->getId()], $quantity, $unscannedTag);
             }
         }
 
diff --git a/lib/BackgroundJobs/TagUnscannedJob.php b/lib/BackgroundJobs/TagUnscannedJob.php
index a7d6ec68..c2466053 100644
--- a/lib/BackgroundJobs/TagUnscannedJob.php
+++ b/lib/BackgroundJobs/TagUnscannedJob.php
@@ -42,9 +42,10 @@ protected function run($argument): void
 
         $unscannedTag = $this->tagService->getTag(TagService::UNSCANNED);
         $maliciousTag = $this->tagService->getTag(TagService::MALICIOUS);
+        $pupTag = $this->tagService->getTag(TagService::PUP);
         $cleanTag = $this->tagService->getTag(TagService::CLEAN);
 
-        $excludedTagIds = [$unscannedTag->getId(), $maliciousTag->getId(), $cleanTag->getId()];
+        $excludedTagIds = [$unscannedTag->getId(), $maliciousTag->getId(), $cleanTag->getId(), $pupTag->getId()];
 
         $fileIds = $this->tagService->getFileIdsWithoutTags($excludedTagIds, 1000);
 
@@ -53,7 +54,7 @@ protected function run($argument): void
         }
 
         foreach ($fileIds as $fileId) {
-            if ($this->tagService->hasCleanOrMaliciousTag($fileId)) {
+            if ($this->tagService->hasCleanMaliciousOrPupTag($fileId)) {
                 continue;
             }
             $this->tagService->setTag($fileId, TagService::UNSCANNED);
diff --git a/lib/Service/TagService.php b/lib/Service/TagService.php
index 0e2653d0..2b9a0022 100644
--- a/lib/Service/TagService.php
+++ b/lib/Service/TagService.php
@@ -15,6 +15,7 @@ class TagService
 {
     public const CLEAN = 'Clean';
     public const MALICIOUS = 'Malicious';
+    public const PUP = 'Pup';
     public const UNSCANNED = 'Unscanned';
 
     private ISystemTagManager $tagService;
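Review bot: The verdict tag-id list `[$unscannedTag->getId(), $maliciousTag->getId(), $cleanTag->getId(), $pupTag->getId()]` in the first TagUnscannedJob hunk is now hand-maintained here and in both ScanJob hunks, with the same set spelled out again in `hasCleanMaliciousOrPupTag` and `resetAllTags`, so the next verdict category means touching five places, and a missed one would, judging by `getFileIdsWithoutTags`, feed already-tagged files back into the unscanned pool. A single source of truth in TagService, e.g. `public const VERDICT_TAGS = [self::CLEAN, self::MALICIOUS, self::PUP];` plus a small helper returning their ids, would let each job build its exclusion list from one constant. Both `run()` bodies begin before their hunks.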
@@ -86,10 +87,11 @@ public function removeTagFromFile(string $tagName, int $fileId): bool
      * @param int $fileId
      * @return bool
      */
-    public function hasCleanOrMaliciousTag(int $fileId): bool
+    public function hasCleanMaliciousOrPupTag(int $fileId): bool
     {
         if ($this->tagMapper->haveTag([$fileId], 'files', $this->getTag(self::CLEAN)->getId()) ||
-            $this->tagMapper->haveTag([$fileId], 'files', $this->getTag(self::MALICIOUS)->getId())) {
+            $this->tagMapper->haveTag([$fileId], 'files', $this->getTag(self::MALICIOUS)->getId()) ||
+            $this->tagMapper->haveTag([$fileId], 'files', $this->getTag(self::PUP)->getId())) {
             return true;
         }
         return false;
@@ -181,6 +183,7 @@ public function resetAllTags(): void
         $this->removeTag(self::CLEAN);
         $this->removeTag(self::MALICIOUS);
         $this->removeTag(self::UNSCANNED);
+        $this->removeTag(self::PUP);
         $this->logger->info("All tags removed");
     }
 }
diff --git a/lib/Service/VerdictService.php b/lib/Service/VerdictService.php
index 7ed749e6..b9fa4dac 100644
--- a/lib/Service/VerdictService.php
+++ b/lib/Service/VerdictService.php
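Review bot: `hasCleanMaliciousOrPupTag` now issues up to three `getTag` lookups and three `haveTag` queries per file, is called once per file in TagUnscannedJob's loop, and its name has to grow with every verdict tag that is added. Iterating one list of verdict tags keeps the method name stable, preserves the same short-circuit order, and makes the next verdict a one-element change. The docblock above the signature (only its `@param`/`@return` lines are inside the hunk) should also mention the PUP case if its description still reads "clean or malicious".
```php
    public function hasCleanMaliciousOrPupTag(int $fileId): bool
    {
        // One query per verdict tag, in the same order as before; stop at the first hit.
        foreach ([self::CLEAN, self::MALICIOUS, self::PUP] as $verdictTag) {
            if ($this->tagMapper->haveTag([$fileId], 'files', $this->getTag($verdictTag)->getId())) {
                return true;
            }
        }
        return false;
    }
```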
@@ -114,34 +114,13 @@ public function scanFileById(int $fileId): VaasVerdict
         $this->vaas->Connect($this->authenticator->getToken());
         $verdict = $this->vaas->ForFile($filePath);
 
-        $detections = $verdict->Detections;
-        $sha256 = $verdict->Sha256;
-        if (!empty($verdict->LibMagic)) {
-            $mimeType = $verdict->LibMagic->mime_type;
-            $fileType = $verdict->LibMagic->file_type;
-        } else {
-            $mimeType = "None";
-            $fileType = "None";
-        }
-        if (empty($detections)) {
-            $detections = "None";
-        } else {
-            $detections = implode(", ", $detections);
-        }
-        if (empty($mimeType)) {
-            $mimeType = "None";
-        }
-        if (empty($fileType)) {
-            $fileType = "None";
-        }
-        if (empty($sha256)) {
-            $sha256 = "None";
-        }
-
-        $this->logger->info("VaaS scan result for " . $node->getName() . " (" . $fileId . "): Detections: " . $detections . ", Mime type: " . $mimeType . ", File type: " . $fileType . ", SHA256: " . $sha256);
+        $this->logger->info("VaaS scan result for " . $node->getName() . " (" . $fileId . "): Verdict: "
+            . $verdict->Verdict->value . ", Detection: " . $verdict->Detection . ", SHA256: " . $verdict->Sha256 .
+            ", FileType: " . $verdict->FileType . ", MimeType: " . $verdict->MimeType . ", UUID: " . $verdict->Guid);
 
         $this->tagService->removeTagFromFile(TagService::CLEAN, $fileId);
         $this->tagService->removeTagFromFile(TagService::MALICIOUS, $fileId);
+        $this->tagService->removeTagFromFile(TagService::PUP, $fileId);
         $this->tagService->removeTagFromFile(TagService::UNSCANNED, $fileId);
 
         switch ($verdict->Verdict->value) {
@@ -156,6 +135,9 @@ public function scanFileById(int $fileId): VaasVerdict
                 } catch (Exception) {
                 }
                 break;
+            case TagService::PUP:
+                $this->tagService->setTag($fileId, TagService::PUP);
+                break;
             default:
                 $this->tagService->setTag($fileId, TagService::UNSCANNED);
                 break;
From 35c3d8deb0e3ddfb6afb132bac8ec77581d72112 Mon Sep 17 00:00:00 2001
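Review bot: The rewritten log line at the top of the first hunk concatenates `$node->getName()`, a filename chosen by whoever uploaded the file, straight into the message, and the `"None"` fallbacks the removed code applied to empty detections, MIME type and file type are gone, so a null `Detection`, `FileType` or `MimeType` (whether the 8.0 SDK allows them to be null is not visible here) now renders as an empty field with no indication that the value was missing. Passing the values as PSR-3 context keeps the record structured and leaves escaping to the logger: `$this->logger->info('VaaS scan result for {name} ({id}): verdict={verdict} detection={detection} sha256={sha256} type={type}/{mime} uuid={uuid}', ['name' => $node->getName(), 'id' => $fileId, 'verdict' => $verdict->Verdict->value, 'detection' => $verdict->Detection ?? 'None', 'sha256' => $verdict->Sha256 ?? 'None', 'type' => $verdict->FileType ?? 'None', 'mime' => $verdict->MimeType ?? 'None', 'uuid' => $verdict->Guid]);` — assuming `$this->logger` is the PSR-3 `LoggerInterface` Nextcloud injects. scanFileById begins before this hunk and the removed-tag bookkeeping continues into the `switch` below it.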
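Review bot: The new `case TagService::PUP:` in the second hunk matches the SDK's verdict string (`$verdict->Verdict->value`) against the Nextcloud tag label `'Pup'`, so the tag name and the gdata/vaas enum's backing value are coupled only by coincidence (the existing CLEAN and MALICIOUS cases follow the same pattern); if either side changes, PUP results silently fall through to `default`, the file is left `Unscanned`, and nothing is logged. If vaas 8.0 exposes the verdict as a backed enum, which the `->value` access suggests, switch on the enum case rather than its string value, and add `$this->logger->warning("Unexpected VaaS verdict: " . $verdict->Verdict->value);` in `default` so an unknown verdict is visible instead of silent. The PUP branch only sets a tag, while the MALICIOUS branch runs extra handling inside a `try` whose body lies between the two hunks; whether a PUP should get the same treatment is a policy decision that deserves a comment on the case.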
From: Lennart Dohmann
Date: Fri, 3 May 2024 10:06:33 +0200
Subject: [PATCH 2/2] Make background jobs time sensitive

* Background jobs should not only run in maintenance window
---
 lib/BackgroundJobs/ScanJob.php         | 2 +-
 lib/BackgroundJobs/TagUnscannedJob.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/BackgroundJobs/ScanJob.php b/lib/BackgroundJobs/ScanJob.php
index 0c39a5bd..0d721ada 100644
--- a/lib/BackgroundJobs/ScanJob.php
+++ b/lib/BackgroundJobs/ScanJob.php
@@ -27,7 +27,7 @@ public function __construct(ITimeFactory $time, TagService $tagService, VerdictS
         $this->setInterval(5 * 60);
         $this->setAllowParallelRuns(false);
 
-        $this->setTimeSensitivity(self::TIME_INSENSITIVE);
+        $this->setTimeSensitivity(self::TIME_SENSITIVE);
     }
 
     /**
diff --git a/lib/BackgroundJobs/TagUnscannedJob.php b/lib/BackgroundJobs/TagUnscannedJob.php
index c2466053..6eff4ae9 100644
--- a/lib/BackgroundJobs/TagUnscannedJob.php
+++ b/lib/BackgroundJobs/TagUnscannedJob.php
@@ -24,7 +24,7 @@ public function __construct(ITimeFactory $time, IConfig $appConfig, TagService $
         $this->setInterval(5 * 60);
         $this->setAllowParallelRuns(false);
 
-        $this->setTimeSensitivity(self::TIME_INSENSITIVE);
+        $this->setTimeSensitivity(self::TIME_SENSITIVE);
     }
 
     /**
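Review bot: The switch to `self::TIME_SENSITIVE` in the ScanJob constructor changes when the scanner is allowed to run, but the reason survives only in the commit message, so the next reader has no cue why a five-minute job is marked time-sensitive. A one-line comment above the call would preserve it: `// Time-sensitive: new files must not wait for the nightly maintenance window before being scanned and tagged.` The same comment belongs above the identical call in the TagUnscannedJob constructor in the second hunk; both constructors begin before their hunks.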