From 51eefb68d58a68fcffc61e9d3893769f21a50236 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Fri, 17 Sep 2021 16:43:32 +0100
Subject: [PATCH] [Feature] Antivirus: Allow to set fake eicar patterns for testing AV engines
---
 src/plugins/lua/antivirus.lua | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/plugins/lua/antivirus.lua b/src/plugins/lua/antivirus.lua
index 56bd4b520..2ad5dc029 100644
--- a/src/plugins/lua/antivirus.lua
+++ b/src/plugins/lua/antivirus.lua
@@ -16,6 +16,7 @@ limitations under the License.
 local rspamd_logger = require "rspamd_logger"
 local lua_util = require "lua_util"
+local rspamd_util = require "rspamd_util"
 local lua_redis = require "lua_redis"
 local fun = require "fun"
 local lua_antivirus = require("lua_scanners").filter('antivirus')
@@ -63,12 +64,19 @@ antivirus {
 }
 # `whitelist` points to a map of IP addresses. Mail from these addresses is not scanned.
 whitelist = "/etc/rspamd/antivirus.wl";
+ # Replace content that exactly matches the following string to the EICAR pattern
+ # Useful for E2E testing when another party removes/blocks EICAR attachments
+ #eicar_fake_pattern = 'testpatterneicar';
 }
 }
 ]])
 return
 end
+-- Encode as base32 in the source to avoid crappy stuff
+local eicar_pattern = rspamd_util.decode_base32( [[akp6woykfbonrepmwbzyfpbmibpone3mj3pgwbffzj9e1nfjdkorisckwkohrnfe1nt41y3jwk1cirjki4w4nkieuni4ndfjcktnn1yjmb1wn]] )
 local function add_antivirus_rule(sym, opts)
 if not opts.type then
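Review bot: `eicar_pattern` is decoded from base32 at module load without checking the result, so if `rspamd_util.decode_base32` ever returned nil for a malformed literal (the hunk does not show how it signals failure), the replacement in `add_antivirus_rule` would hand nil to `cfg.check` instead of the EICAR body; `local eicar_pattern = assert(rspamd_util.decode_base32([[...]]), 'cannot decode EICAR test pattern')` would surface that at load time, where it belongs. The new config comment also reads better as `# Replace content that exactly matches the following string with the EICAR pattern`, and since any message carrying the configured string becomes an AV positive once the option is set, it is worth adding `# Only enable on test instances` so it is not left on in production. The first hunk on this line only adds the `rspamd_util` require and needs nothing.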
@@ -135,7 +143,21 @@ local function add_antivirus_rule(sym, opts)
 fun.each(function(p)
 local content = p:get_content()
- if content and #content > 0 then
+ local clen = #content
+ if content and clen > 0 then
+ if opts.eicar_fake_pattern then
+ if type(opts.eicar_fake_pattern) == 'string' then
+ -- Convert it to Rspamd text
+ local rspamd_text = require "rspamd_text"
+ opts.eicar_fake_pattern = rspamd_text.fromstring(opts.eicar_fake_pattern)
+ end
+
+ if clen == #opts.eicar_fake_pattern and content == opts.eicar_fake_pattern then
+ rspamd_logger.infox(task, 'found eicar fake replacement part in the part (filename="%s")',
+ p:get_filename())
+ content = eicar_pattern
+ end
+ end
 cfg.check(task, content, p:get_digest(), rule, p)
 end
 end, common.check_parts_match(task, rule))
-- 2.39.5
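Review bot: `local clen = #content` is now evaluated before the `content and …` guard, so a part whose `p:get_content()` yields nil — the case the removed `if content and #content > 0` line handled — raises "attempt to get length of a nil value" inside the `fun.each` callback instead of being skipped. Keep the nil check first: `if content and #content > 0 then` followed by `local clen = #content` inside the branch, or write `local clen = content and #content or 0`. The match is byte-exact against the whole part content (length and equality), so a test payload saved with a trailing newline will never trigger the replacement; a one-line comment such as `-- whole-part, byte-exact match: no trailing whitespace/newline allowed` next to the comparison would save testers a debugging round. Converting `opts.eicar_fake_pattern` in place on first use also mutates the rule options from inside the per-part loop; doing that conversion once at rule setup would be cleaner. The enclosing function `add_antivirus_rule` starts and ends outside the hunk.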