#197 Malware scan needed or need to restrict file types again

Open
opened 2 weeks ago by hw · 2 comments
hw commented 2 weeks ago

As we are now allowing all file types for release files and attachments (which makes sense for a code hosting platform, see issues #184 and #185), we are now experiencing the first bad guys uploading malware zips to attachments.

For now we have removed these manually (which will get tedious at some point and won’t scale).

We need some automatic facility to scan files in comment and release attachments. Possible options include freshclam/clamd/clamdscan or similar.

Contributions welcome.

hw added the enhancement label 2 weeks ago
Masgalor commented 2 weeks ago

I guess it is not that complicated to run `clamd` and use either `clamdscan` over cronjobs or `clamonacc` to monitor the file storage. Both can be set up to autodelete malicious files.

But wouldn't it be necessary to notify the user whose files got deleted?
False positives might occur and it could be confusing to see a 404 when accessing an attachment.

However, may I ask how you discovered the previous malware uploads?

hw commented 2 weeks ago
Owner

> I guess it is not that complicated to run `clamd` and use either `clamdscan` over cronjobs or `clamonacc` to monitor the file storage. Both can be set up to autodelete malicious files.

Yes, such approaches would probably be easiest to set up.

> But wouldn't it be necessary to notify the user whose files got deleted?
> False positives might occur and it could be confusing to see a 404 when accessing an attachment.

That’s the crux: a project implementing a virus- or malware scanner would surely want to allow such uploads, just the users should receive a warning and extra confirmation should be required. Automatic download by crawlers should be blocked.

Also it would be nice to have deep integration with gitea, so that repo owners can flag and moderate previously undetected blobs.

> However, may I ask how you discovered the previous malware uploads?

We received a notice from search engine crawlers.

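The scan-and-moderate flow the two comments above sketch, as an added example (not code from this issue, from Gitea or from ClamAV), written in Go since that is what a Gitea-side hook would be. It streams an attachment to `clamd` over the INSTREAM socket protocol (command `zINSTREAM\0`, chunks prefixed with a 4-byte big-endian length, a zero-length chunk to finish, one NUL-terminated reply), keeps a flagged blob instead of deleting it, and decides per download request whether to serve it, show a warning that needs confirmation, refuse a crawler, or report the blob as not yet scanned rather than answering 404. The socket path, the `isCrawler`/`confirmed` flags and the action names are assumptions for illustration; the INSTREAM framing and the `OK`/`FOUND`/`ERROR` reply shapes are clamd's own.

```go
package main

import (
	"bufio"
	"encoding/binary"
	"fmt"
	"io"
	"net"
	"os"
	"strings"
)

type Verdict int
const (
	Clean     Verdict = iota // no signature matched
	Flagged                  // signature matched: keep the blob but gate it behind a warning
	Unscanned                // clamd errored or was unreachable: never treat as clean
)

type ScanResult struct {
	Verdict   Verdict
	Signature string // e.g. "Eicar-Test-Signature" when Flagged
}

// scanStream speaks clamd's INSTREAM protocol: "zINSTREAM\0", then chunks each prefixed with a
// 4-byte big-endian length, then a zero-length chunk; clamd answers one NUL-terminated line.
func scanStream(conn io.ReadWriter, r io.Reader) (ScanResult, error) {
	if _, err := io.WriteString(conn, "zINSTREAM\x00"); err != nil {
		return ScanResult{Verdict: Unscanned}, err
	}
	buf := make([]byte, 64*1024) // keep chunks well under clamd's StreamMaxLength
	var hdr [4]byte
	for {
		n, err := r.Read(buf)
		if n > 0 {
			binary.BigEndian.PutUint32(hdr[:], uint32(n))
			if _, werr := conn.Write(append(hdr[:], buf[:n]...)); werr != nil {
				return ScanResult{Verdict: Unscanned}, werr
			}
		}
		if err == io.EOF {
			break
		} else if err != nil {
			return ScanResult{Verdict: Unscanned}, err
		}
	}
	if _, err := conn.Write([]byte{0, 0, 0, 0}); err != nil { // zero-length chunk ends the stream
		return ScanResult{Verdict: Unscanned}, err
	}
	reply, err := bufio.NewReader(conn).ReadString(0)
	if err != nil {
		return ScanResult{Verdict: Unscanned}, err
	}
	return parseReply(strings.TrimRight(reply, "\x00"))
}

// parseReply maps "stream: OK", "stream: <sig> FOUND" or "... ERROR" onto a verdict.
func parseReply(reply string) (ScanResult, error) {
	switch {
	case strings.HasSuffix(reply, " OK"):
		return ScanResult{Verdict: Clean}, nil
	case strings.HasSuffix(reply, " FOUND"):
		sig := strings.TrimSuffix(reply, " FOUND")
		if i := strings.LastIndex(sig, ": "); i >= 0 {
			sig = sig[i+2:] // drop the "stream: " prefix, keep the signature name
		}
		return ScanResult{Verdict: Flagged, Signature: sig}, nil
	}
	return ScanResult{Verdict: Unscanned}, fmt.Errorf("clamd: %q", reply) // ERROR or unexpected: never serve as clean
}

// decide applies the policy from the thread: flagged uploads stay available, but only to a user
// who confirmed the warning and never to crawlers; unscanned blobs get an explanation, not a 404.
// isCrawler and confirmed are assumed to come from the web layer (robots handling, a confirmation form).
func decide(res ScanResult, isCrawler, confirmed bool) string {
	switch res.Verdict {
	case Clean:
		return "serve"
	case Flagged:
		if isCrawler {
			return "deny"
		}
		if confirmed {
			return "serve"
		}
		return "warn"
	}
	return "unavailable"
}

func main() {
	conn, err := net.Dial("unix", "/run/clamav/clamd.ctl") // assumed Debian default; match LocalSocket in clamd.conf
	if err != nil {
		panic(err)
	}
	defer conn.Close()
	res, err := scanStream(conn, os.Stdin) // usage: scanattach < attachment.zip
	fmt.Println(res, err, "crawler:", decide(res, true, false), "user:", decide(res, false, false))
}
```

Two design points worth keeping even if the integration ends up elsewhere: a scanner error is its own state (`Unscanned`) and is never collapsed into "clean", and the verdict is stored with the attachment rather than acted on by deleting the file, so a false positive can be reviewed and cleared by the repository owner instead of surfacing as a silent 404.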