mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
15758 Commits
29 Branches
Tree: 883bd841dc
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '883bd841dc'
${ noResults }
rspamd/lualib/lua_scanners/common.lua

common.lua 14KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466 
  1. --[[

  2. Copyright (c) 2018, Vsevolod Stakhov <vsevolod@highsecure.ru>

  3. Copyright (c) 2019, Carsten Rosenberg <c.rosenberg@heinlein-support.de>

  4. 

  5. Licensed under the Apache License, Version 2.0 (the "License");

  6. you may not use this file except in compliance with the License.

  7. You may obtain a copy of the License at

  8. 

  9.     http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11. Unless required by applicable law or agreed to in writing, software

  12. distributed under the License is distributed on an "AS IS" BASIS,

  13. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. See the License for the specific language governing permissions and

  15. limitations under the License.

  16. ]]--

  17. 

  18. --[[[

  19. -- @module lua_scanners_common

  20. -- This module contains common external scanners functions

  21. --]]

  22. 

  23. local rspamd_logger = require "rspamd_logger"

  24. local rspamd_regexp = require "rspamd_regexp"

  25. local lua_util = require "lua_util"

  26. local lua_redis = require "lua_redis"

  27. local fun = require "fun"

  28. 

  29. local exports = {}

  30. 

  31. local function log_clean(task, rule, msg)

  32. 

  33.   msg = msg or 'message or mime_part is clean'

  34. 

  35.   if rule.log_clean then

  36.     rspamd_logger.infox(task, '%s: %s', rule.log_prefix, msg)

  37.   else

  38.     lua_util.debugm(rule.name, task, '%s: %s', rule.log_prefix, msg)

  39.   end

  40. 

  41. end

  42. 

  43. local function match_patterns(default_sym, found, patterns, dyn_weight)

  44.   if type(patterns) ~= 'table' then return default_sym, dyn_weight end

  45.   if not patterns[1] then

  46.     for sym, pat in pairs(patterns) do

  47.       if pat:match(found) then

  48.         return sym, '1'

  49.       end

  50.     end

  51.     return default_sym, dyn_weight

  52.   else

  53.     for _, p in ipairs(patterns) do

  54.       for sym, pat in pairs(p) do

  55.         if pat:match(found) then

  56.           return sym, '1'

  57.         end

  58.       end

  59.     end

  60.     return default_sym, dyn_weight

  61.   end

  62. end

  63. 

  64. local function yield_result(task, rule, vname, dyn_weight, is_fail)

  65.   local all_whitelisted = true

  66.   local patterns

  67.   local symbol

  68.   local threat_table = {}

  69.   local threat_info

  70. 

  71.   -- This should be more generic

  72.   if not is_fail then

  73.     patterns = rule.patterns

  74.     symbol = rule.symbol

  75.     threat_info = rule.detection_category .. 'found'

  76.     if not dyn_weight then dyn_weight = 1.0 end

  77.   elseif is_fail == 'fail' then

  78.     patterns = rule.patterns_fail

  79.     symbol = rule.symbol_fail

  80.     threat_info = "FAILED with error"

  81.     dyn_weight = 0.0

  82.   elseif is_fail == 'encrypted' then

  83.     patterns = rule.patterns

  84.     symbol = rule.symbol_encrypted

  85.     threat_info = "Scan has returned that input was encrypted"

  86.     dyn_weight = 1.0

  87.   end

  88. 

  89.   if type(vname) == 'string' then

  90.     table.insert(threat_table, vname)

  91.   elseif type(vname) == 'table' then

  92.     threat_table = vname

  93.   end

  94. 

  95.   for _, tm in ipairs(threat_table) do

  96.     local symname, symscore = match_patterns(symbol, tm, patterns, dyn_weight)

  97.     if rule.whitelist and rule.whitelist:get_key(tm) then

  98.       rspamd_logger.infox(task, '%s: "%s" is in whitelist', rule.log_prefix, tm)

  99.     else

  100.       all_whitelisted = false

  101.       task:insert_result(symname, symscore, tm)

  102.       rspamd_logger.infox(task, '%s: result - %s: "%s - score: %s"',

  103.           rule.log_prefix, threat_info, tm, symscore)

  104.     end

  105.   end

  106. 

  107.   if rule.action and is_fail ~= 'fail' and not all_whitelisted then

  108.     threat_table = table.concat(threat_table, '; ')

  109.     task:set_pre_result(rule.action,

  110.         lua_util.template(rule.message or 'Rejected', {

  111.           SCANNER = rule.name,

  112.           VIRUS = threat_table,

  113.         }), rule.name)

  114.   end

  115. end

  116. 

  117. local function message_not_too_large(task, content, rule)

  118.   local max_size = tonumber(rule.max_size)

  119.   if not max_size then return true end

  120.   if #content > max_size then

  121.     rspamd_logger.infox(task, "skip %s check as it is too large: %s (%s is allowed)",

  122.         rule.log_prefix, #content, max_size)

  123.     return false

  124.   end

  125.   return true

  126. end

  127. 

  128. local function message_not_too_small(task, content, rule)

  129.   local min_size = tonumber(rule.min_size)

  130.   if not min_size then return true end

  131.   if #content < min_size then

  132.     rspamd_logger.infox(task, "skip %s check as it is too small: %s (%s is allowed)",

  133.         rule.log_prefix, #content, min_size)

  134.     return false

  135.   end

  136.   return true

  137. end

  138. 

  139. local function message_min_words(task, rule)

  140.   if rule.text_part_min_words then

  141.     local text_parts_empty = false

  142.     local text_parts = task:get_text_parts()

  143. 

  144.     local filter_func = function(p)

  145.       return p:get_words_count() <= tonumber(rule.text_part_min_words)

  146.     end

  147. 

  148.     fun.each(function(p)

  149.       text_parts_empty = true

  150.       rspamd_logger.infox(task, '%s: #words is less then text_part_min_words: %s',

  151.         rule.log_prefix, rule.text_part_min_words)

  152.     end, fun.filter(filter_func, text_parts))

  153. 

  154.     return text_parts_empty

  155.   else

  156.     return true

  157.   end

  158. end

  159. 

  160. local function dynamic_scan(task, rule)

  161.   if rule.dynamic_scan then

  162.     if rule.action ~= 'reject' then

  163.       local metric_result = task:get_metric_score('default')

  164.       local metric_action = task:get_metric_action('default')

  165.       local has_pre_result = task:has_pre_result()

  166.       -- ToDo: needed?

  167.       -- Sometimes leads to FPs

  168.       --if rule.symbol_type == 'postfilter' and metric_action == 'reject' then

  169.       --  rspamd_logger.infox(task, '%s: aborting: %s', rule.log_prefix, "result is already reject")

  170.       --  return false

  171.       --elseif metric_result[1] > metric_result[2]*2 then

  172.       if metric_result[1] > metric_result[2]*2 then

  173.         rspamd_logger.infox(task, '%s: aborting: %s', rule.log_prefix, 'score > 2 * reject_level: ' .. metric_result[1])

  174.         return false

  175.       elseif has_pre_result and metric_action == 'reject' then

  176.         rspamd_logger.infox(task, '%s: aborting: %s', rule.log_prefix, 'pre_result reject is set')

  177.         return false

  178.       else

  179.         return true, 'undecided'

  180.       end

  181.     else

  182.       return true, 'dynamic_scan is not possible with config `action=reject;`'

  183.     end

  184.   else

  185.     return true

  186.   end

  187. end

  188. 

  189. local function need_check(task, content, rule, digest, fn)

  190. 

  191.   local uncached = true

  192.   local key = digest

  193. 

  194.   local function redis_av_cb(err, data)

  195.     if data and type(data) == 'string' then

  196.       -- Cached

  197.       data = lua_util.str_split(data, '\t')

  198.       local threat_string = lua_util.str_split(data[1], '\v')

  199.       local score = data[2] or rule.default_score

  200.       if threat_string[1] ~= 'OK' then

  201.         lua_util.debugm(rule.name, task, '%s: got cached threat result for %s: %s - score: %s',

  202.           rule.log_prefix, key, threat_string[1], score)

  203.         yield_result(task, rule, threat_string, score)

  204.       else

  205.         lua_util.debugm(rule.name, task, '%s: got cached negative result for %s: %s',

  206.           rule.log_prefix, key, threat_string[1])

  207.       end

  208.       uncached = false

  209.     else

  210.       if err then

  211.         rspamd_logger.errx(task, 'got error checking cache: %s', err)

  212.       end

  213.     end

  214. 

  215.     local f_message_not_too_large = message_not_too_large(task, content, rule) or true

  216.     local f_message_not_too_small = message_not_too_small(task, content, rule) or true

  217.     local f_message_min_words = message_min_words(task, rule) or true

  218.     local f_dynamic_scan = dynamic_scan(task, rule) or true

  219. 

  220.     if uncached and

  221.       f_message_not_too_large and

  222.       f_message_not_too_small and

  223.       f_message_min_words and

  224.       f_dynamic_scan then

  225. 

  226.       fn()

  227. 

  228.     end

  229. 

  230.   end

  231. 

  232.   if rule.redis_params then

  233. 

  234.     key = rule.prefix .. key

  235. 

  236.     if lua_redis.redis_make_request(task,

  237.         rule.redis_params, -- connect params

  238.         key, -- hash key

  239.         false, -- is write

  240.         redis_av_cb, --callback

  241.         'GET', -- command

  242.         {key} -- arguments)

  243.     ) then

  244.       return true

  245.     end

  246.   end

  247. 

  248.   return false

  249. 

  250. end

  251. 

  252. local function save_cache(task, digest, rule, to_save, dyn_weight)

  253.   local key = digest

  254.   if not dyn_weight then dyn_weight = 1.0 end

  255. 

  256.   local function redis_set_cb(err)

  257.     -- Do nothing

  258.     if err then

  259.       rspamd_logger.errx(task, 'failed to save %s cache for %s -> "%s": %s',

  260.           rule.detection_category, to_save, key, err)

  261.     else

  262.       lua_util.debugm(rule.name, task, '%s: saved cached result for %s: %s - score %s - ttl %s',

  263.         rule.log_prefix, key, to_save, dyn_weight, rule.cache_expire)

  264.     end

  265.   end

  266. 

  267.   if type(to_save) == 'table' then

  268.     to_save = table.concat(to_save, '\v')

  269.   end

  270. 

  271.   local value = table.concat({to_save, dyn_weight}, '\t')

  272. 

  273.   if rule.redis_params and rule.prefix then

  274.     key = rule.prefix .. key

  275. 

  276.     lua_redis.redis_make_request(task,

  277.         rule.redis_params, -- connect params

  278.         key, -- hash key

  279.         true, -- is write

  280.         redis_set_cb, --callback

  281.         'SETEX', -- command

  282.         { key, rule.cache_expire or 0, value }

  283.     )

  284.   end

  285. 

  286.   return false

  287. end

  288. 

  289. local function create_regex_table(patterns)

  290.   local regex_table = {}

  291.   if patterns[1] then

  292.     for i, p in ipairs(patterns) do

  293.       if type(p) == 'table' then

  294.         local new_set = {}

  295.         for k, v in pairs(p) do

  296.           new_set[k] = rspamd_regexp.create_cached(v)

  297.         end

  298.         regex_table[i] = new_set

  299.       else

  300.         regex_table[i] = {}

  301.       end

  302.     end

  303.   else

  304.     for k, v in pairs(patterns) do

  305.       regex_table[k] = rspamd_regexp.create_cached(v)

  306.     end

  307.   end

  308.   return regex_table

  309. end

  310. 

  311. local function match_filter(task, found, patterns)

  312.   if type(patterns) ~= 'table' then return false end

  313.   if not patterns[1] then

  314.     for _, pat in pairs(patterns) do

  315.       if pat:match(found) then

  316.         return true

  317.       end

  318.     end

  319.     return false

  320.   else

  321.     for _, p in ipairs(patterns) do

  322.       for _, pat in ipairs(p) do

  323.         if pat:match(found) then

  324.           return true

  325.         end

  326.       end

  327.     end

  328.     return false

  329.   end

  330. end

  331. 

  332. -- borrowed from mime_types.lua

  333. -- ext is the last extension, LOWERCASED

  334. -- ext2 is the one before last extension LOWERCASED

  335. local function gen_extension(fname)

  336.   local filename_parts = lua_util.str_split(fname, '.')

  337. 

  338.   local ext = {}

  339.   for n = 1, 2 do

  340.       ext[n] = #filename_parts > n and string.lower(filename_parts[#filename_parts + 1 - n]) or nil

  341.   end

  342.   return ext[1],ext[2],filename_parts

  343. end

  344. 

  345. local function check_parts_match(task, rule)

  346. 

  347.   local filter_func = function(p)

  348.     local mtype,msubtype = p:get_type()

  349.     local dmtype,dmsubtype = p:get_detected_type()

  350.     local fname = p:get_filename()

  351.     local ext, ext2

  352.     local extension_check = false

  353.     local content_type_check = false

  354.     local text_part_min_words_check = true

  355. 

  356.     if rule.scan_all_mime_parts == false then

  357.     -- check file extension and filename regex matching

  358.       if fname ~= nil then

  359.         ext,ext2 = gen_extension(fname)

  360.         if match_filter(task, ext, rule.mime_parts_filter_ext)

  361.           or match_filter(task, ext2, rule.mime_parts_filter_ext) then

  362.           lua_util.debugm(rule.name, task, '%s: extension matched: %s', rule.log_prefix, ext)

  363.           extension_check = true

  364.         end

  365.         if match_filter(task, fname, rule.mime_parts_filter_regex) then

  366.           content_type_check = true

  367.         end

  368.       end

  369.       -- check content type string regex matching

  370.       if mtype ~= nil and msubtype ~= nil then

  371.         local ct = string.format('%s/%s', mtype, msubtype):lower()

  372.         if match_filter(task, ct, rule.mime_parts_filter_regex) then

  373.           lua_util.debugm(rule.name, task, '%s: regex content-type: %s', rule.log_prefix, ct)

  374.           content_type_check = true

  375.         end

  376.       end

  377.       -- check detected content type (libmagic) regex matching

  378.       if dmtype ~= nil and dmsubtype ~= nil then

  379.         local ct = string.format('%s/%s', mtype, msubtype):lower()

  380.         if match_filter(task, ct, rule.mime_parts_filter_regex) then

  381.           lua_util.debugm(rule.name, task, '%s: regex detected libmagic content-type: %s', rule.log_prefix, ct)

  382.           content_type_check = true

  383.         end

  384.       end

  385.       -- check filenames in archives

  386.       if p:is_archive() then

  387.         local arch = p:get_archive()

  388.         local filelist = arch:get_files_full()

  389.         for _,f in ipairs(filelist) do

  390.           ext,ext2 = gen_extension(f.name)

  391.           if match_filter(task, ext, rule.mime_parts_filter_ext)

  392.             or match_filter(task, ext2, rule.mime_parts_filter_ext) then

  393.             lua_util.debugm(rule.name, task, '%s: extension matched in archive: %s', rule.log_prefix, ext)

  394.             extension_check = true

  395.           end

  396.           if match_filter(task, f.name, rule.mime_parts_filter_regex) then

  397.             content_type_check = true

  398.           end

  399.         end

  400.       end

  401.     end

  402. 

  403.     -- check text_part has more words than text_part_min_words_check

  404.     if rule.text_part_min_words and p:is_text() then

  405.       text_part_min_words_check = p:get_words_count() >= tonumber(rule.text_part_min_words)

  406.     end

  407. 

  408.     return (rule.scan_image_mime and p:is_image())

  409.         or (rule.scan_text_mime and text_part_min_words_check)

  410.         or (p:is_attachment() and rule.scan_all_mime_parts ~= false)

  411.         or extension_check

  412.         or content_type_check

  413.   end

  414. 

  415.   return fun.filter(filter_func, task:get_parts())

  416. end

  417. 

  418. local function check_metric_results(task, rule)

  419. 

  420.   if rule.action ~= 'reject' then

  421.     local metric_result = task:get_metric_score('default')

  422.     local metric_action = task:get_metric_action('default')

  423.     local has_pre_result = task:has_pre_result()

  424. 

  425.     if rule.symbol_type == 'postfilter' and metric_action == 'reject' then

  426.       return true, 'result is already reject'

  427.     elseif metric_result[1] > metric_result[2]*2 then

  428.       return true, 'score > 2 * reject_level: ' .. metric_result[1]

  429.     elseif has_pre_result and metric_action == 'reject' then

  430.       return true, 'pre_result reject is set'

  431.     else

  432.       return false, 'undecided'

  433.     end

  434.   else

  435.     return false, 'dynamic_scan is not possible with config `action=reject;`'

  436.   end

  437. end

  438. 

  439. exports.log_clean = log_clean

  440. exports.yield_result = yield_result

  441. exports.match_patterns = match_patterns

  442. exports.need_check = need_check

  443. exports.save_cache = save_cache

  444. exports.create_regex_table = create_regex_table

  445. exports.check_parts_match = check_parts_match

  446. exports.check_metric_results = check_metric_results

  447. 

  448. setmetatable(exports, {

  449.   __call = function(t, override)

  450.     for k, v in pairs(t) do

  451.       if _G[k] ~= nil then

  452.         local msg = 'function ' .. k .. ' already exists in global scope.'

  453.         if override then

  454.           _G[k] = v

  455.           print('WARNING: ' .. msg .. ' Overwritten.')

  456.         else

  457.           print('NOTICE: ' .. msg .. ' Skipped.')

  458.         end

  459.       else

  460.         _G[k] = v

  461.       end

  462.     end

  463.   end,

  464. })

  465. 

  466. return exports