mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
19111 Commits
28 Branches
Tree: c20ae890aa
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c20ae890aa'
${ noResults }
rspamd/lualib/lua_scanners/common.lua

common.lua 17KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530 
  1. --[[

  2. Copyright (c) 2018, Vsevolod Stakhov <vsevolod@highsecure.ru>

  3. Copyright (c) 2019, Carsten Rosenberg <c.rosenberg@heinlein-support.de>

  4. 

  5. Licensed under the Apache License, Version 2.0 (the "License");

  6. you may not use this file except in compliance with the License.

  7. You may obtain a copy of the License at

  8. 

  9.     http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11. Unless required by applicable law or agreed to in writing, software

  12. distributed under the License is distributed on an "AS IS" BASIS,

  13. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. See the License for the specific language governing permissions and

  15. limitations under the License.

  16. ]]--

  17. 

  18. --[[[

  19. -- @module lua_scanners_common

  20. -- This module contains common external scanners functions

  21. --]]

  22. 

  23. local rspamd_logger = require "rspamd_logger"

  24. local rspamd_regexp = require "rspamd_regexp"

  25. local lua_util = require "lua_util"

  26. local lua_redis = require "lua_redis"

  27. local lua_magic_types = require "lua_magic/types"

  28. local fun = require "fun"

  29. 

  30. local exports = {}

  31. 

  32. local function log_clean(task, rule, msg)

  33. 

  34.   msg = msg or 'message or mime_part is clean'

  35. 

  36.   if rule.log_clean then

  37.     rspamd_logger.infox(task, '%s: %s', rule.log_prefix, msg)

  38.   else

  39.     lua_util.debugm(rule.name, task, '%s: %s', rule.log_prefix, msg)

  40.   end

  41. 

  42. end

  43. 

  44. local function match_patterns(default_sym, found, patterns, dyn_weight)

  45.   if type(patterns) ~= 'table' then return default_sym, dyn_weight end

  46.   if not patterns[1] then

  47.     for sym, pat in pairs(patterns) do

  48.       if pat:match(found) then

  49.         return sym, '1'

  50.       end

  51.     end

  52.     return default_sym, dyn_weight

  53.   else

  54.     for _, p in ipairs(patterns) do

  55.       for sym, pat in pairs(p) do

  56.         if pat:match(found) then

  57.           return sym, '1'

  58.         end

  59.       end

  60.     end

  61.     return default_sym, dyn_weight

  62.   end

  63. end

  64. 

  65. local function yield_result(task, rule, vname, dyn_weight, is_fail, maybe_part)

  66.   local all_whitelisted = true

  67.   local patterns

  68.   local symbol

  69.   local threat_table

  70.   local threat_info

  71.   local flags

  72. 

  73.   if type(vname) == 'string' then

  74.     threat_table = {vname}

  75.   elseif type(vname) == 'table' then

  76.     threat_table = vname

  77.   end

  78. 

  79. 

  80.   -- This should be more generic

  81.   if not is_fail then

  82.     patterns = rule.patterns

  83.     symbol = rule.symbol

  84.     threat_info = rule.detection_category .. 'found'

  85.     if not dyn_weight then dyn_weight = 1.0 end

  86.   elseif is_fail == 'fail' then

  87.     patterns = rule.patterns_fail

  88.     symbol = rule.symbol_fail

  89.     threat_info = "FAILED with error"

  90.     dyn_weight = 0.0

  91.   elseif is_fail == 'encrypted' then

  92.     patterns = rule.patterns

  93.     symbol = rule.symbol_encrypted

  94.     threat_info = "Scan has returned that input was encrypted"

  95.     dyn_weight = 1.0

  96.   elseif is_fail == 'macro' then

  97.     patterns = rule.patterns

  98.     symbol = rule.symbol_macro

  99.     threat_info = "Scan has returned that input contains macros"

  100.     dyn_weight = 1.0

  101.   end

  102. 

  103. 

  104.   for _, tm in ipairs(threat_table) do

  105.     local symname, symscore = match_patterns(symbol, tm, patterns, dyn_weight)

  106.     if rule.whitelist and rule.whitelist:get_key(tm) then

  107.       rspamd_logger.infox(task, '%s: "%s" is in whitelist', rule.log_prefix, tm)

  108.     else

  109.       all_whitelisted = false

  110.       rspamd_logger.infox(task, '%s: result - %s: "%s - score: %s"',

  111.           rule.log_prefix, threat_info, tm, symscore)

  112. 

  113.       if maybe_part and rule.show_attachments and maybe_part:get_filename() then

  114.         local fname = maybe_part:get_filename()

  115.         task:insert_result(symname, symscore, string.format("%s|%s",

  116.             tm, fname))

  117.       else

  118.         task:insert_result(symname, symscore, tm)

  119.       end

  120. 

  121.     end

  122.   end

  123. 

  124.   if rule.action and is_fail ~= 'fail' and not all_whitelisted then

  125.     threat_table = table.concat(threat_table, '; ')

  126.     if rule.action ~= 'reject' then

  127.       flags = 'least'

  128.     end

  129.     task:set_pre_result(rule.action,

  130.         lua_util.template(rule.message or 'Rejected', {

  131.           SCANNER = rule.name,

  132.           VIRUS = threat_table,

  133.         }), rule.name, nil, nil, flags)

  134.   end

  135. end

  136. 

  137. local function message_not_too_large(task, content, rule)

  138.   local max_size = tonumber(rule.max_size)

  139.   if not max_size then return true end

  140.   if #content > max_size then

  141.     rspamd_logger.infox(task, "skip %s check as it is too large: %s (%s is allowed)",

  142.         rule.log_prefix, #content, max_size)

  143.     return false

  144.   end

  145.   return true

  146. end

  147. 

  148. local function message_not_too_small(task, content, rule)

  149.   local min_size = tonumber(rule.min_size)

  150.   if not min_size then return true end

  151.   if #content < min_size then

  152.     rspamd_logger.infox(task, "skip %s check as it is too small: %s (%s is allowed)",

  153.         rule.log_prefix, #content, min_size)

  154.     return false

  155.   end

  156.   return true

  157. end

  158. 

  159. local function message_min_words(task, rule)

  160.   if rule.text_part_min_words and tonumber(rule.text_part_min_words) > 0 then

  161.     local text_part_above_limit = false

  162.     local text_parts = task:get_text_parts()

  163. 

  164.     local filter_func = function(p)

  165.       return p:get_words_count() >= tonumber(rule.text_part_min_words)

  166.     end

  167. 

  168.     fun.each(function(p)

  169.       text_part_above_limit = true

  170.     end, fun.filter(filter_func, text_parts))

  171. 

  172.     if not text_part_above_limit then

  173.       rspamd_logger.infox(task, '%s: #words in all text parts is below text_part_min_words limit: %s',

  174.         rule.log_prefix, rule.text_part_min_words)

  175.     end

  176. 

  177.     return text_part_above_limit

  178.   else

  179.     return true

  180.   end

  181. end

  182. 

  183. local function dynamic_scan(task, rule)

  184.   if rule.dynamic_scan then

  185.     if rule.action ~= 'reject' then

  186.       local metric_result = task:get_metric_score('default')

  187.       local metric_action = task:get_metric_action('default')

  188.       local has_pre_result = task:has_pre_result()

  189.       -- ToDo: needed?

  190.       -- Sometimes leads to FPs

  191.       --if rule.symbol_type == 'postfilter' and metric_action == 'reject' then

  192.       --  rspamd_logger.infox(task, '%s: aborting: %s', rule.log_prefix, "result is already reject")

  193.       --  return false

  194.       --elseif metric_result[1] > metric_result[2]*2 then

  195.       if metric_result[1] > metric_result[2]*2 then

  196.         rspamd_logger.infox(task, '%s: aborting: %s', rule.log_prefix, 'score > 2 * reject_level: ' .. metric_result[1])

  197.         return false

  198.       elseif has_pre_result and metric_action == 'reject' then

  199.         rspamd_logger.infox(task, '%s: aborting: %s', rule.log_prefix, 'pre_result reject is set')

  200.         return false

  201.       else

  202.         return true, 'undecided'

  203.       end

  204.     else

  205.       return true, 'dynamic_scan is not possible with config `action=reject;`'

  206.     end

  207.   else

  208.     return true

  209.   end

  210. end

  211. 

  212. local function need_check(task, content, rule, digest, fn, maybe_part)

  213. 

  214.   local uncached = true

  215.   local key = digest

  216. 

  217.   local function redis_av_cb(err, data)

  218.     if data and type(data) == 'string' then

  219.       -- Cached

  220.       data = lua_util.str_split(data, '\t')

  221.       local threat_string = lua_util.str_split(data[1], '\v')

  222.       local score = data[2] or rule.default_score

  223. 

  224.       if threat_string[1] ~= 'OK' then

  225.         if threat_string[1] == 'MACRO' then

  226.           yield_result(task, rule, 'File contains macros',

  227.               0.0, 'macro', maybe_part)

  228.         elseif threat_string[1] == 'ENCRYPTED' then

  229.           yield_result(task, rule, 'File is encrypted',

  230.               0.0, 'encrypted', maybe_part)

  231.         else

  232.           lua_util.debugm(rule.name, task, '%s: got cached threat result for %s: %s - score: %s',

  233.               rule.log_prefix, key, threat_string[1], score)

  234.           yield_result(task, rule, threat_string, score, false, maybe_part)

  235.         end

  236. 

  237.       else

  238.         lua_util.debugm(rule.name, task, '%s: got cached negative result for %s: %s',

  239.           rule.log_prefix, key, threat_string[1])

  240.       end

  241.       uncached = false

  242.     else

  243.       if err then

  244.         rspamd_logger.errx(task, 'got error checking cache: %s', err)

  245.       end

  246.     end

  247. 

  248.     local f_message_not_too_large = message_not_too_large(task, content, rule)

  249.     local f_message_not_too_small = message_not_too_small(task, content, rule)

  250.     local f_message_min_words = message_min_words(task, rule)

  251.     local f_dynamic_scan = dynamic_scan(task, rule)

  252. 

  253.     if uncached and

  254.       f_message_not_too_large and

  255.       f_message_not_too_small and

  256.       f_message_min_words and

  257.       f_dynamic_scan then

  258. 

  259.       fn()

  260. 

  261.     end

  262. 

  263.   end

  264. 

  265.   if rule.redis_params and not rule.no_cache then

  266. 

  267.     key = rule.prefix .. key

  268. 

  269.     if lua_redis.redis_make_request(task,

  270.         rule.redis_params, -- connect params

  271.         key, -- hash key

  272.         false, -- is write

  273.         redis_av_cb, --callback

  274.         'GET', -- command

  275.         {key} -- arguments)

  276.     ) then

  277.       return true

  278.     end

  279.   end

  280. 

  281.   return false

  282. 

  283. end

  284. 

  285. local function save_cache(task, digest, rule, to_save, dyn_weight, maybe_part)

  286.   local key = digest

  287.   if not dyn_weight then dyn_weight = 1.0 end

  288. 

  289.   local function redis_set_cb(err)

  290.     -- Do nothing

  291.     if err then

  292.       rspamd_logger.errx(task, 'failed to save %s cache for %s -> "%s": %s',

  293.           rule.detection_category, to_save, key, err)

  294.     else

  295.       lua_util.debugm(rule.name, task, '%s: saved cached result for %s: %s - score %s - ttl %s',

  296.         rule.log_prefix, key, to_save, dyn_weight, rule.cache_expire)

  297.     end

  298.   end

  299. 

  300.   if type(to_save) == 'table' then

  301.     to_save = table.concat(to_save, '\v')

  302.   end

  303. 

  304.   local value_tbl = {to_save, dyn_weight}

  305.   if maybe_part and rule.show_attachments and maybe_part:get_filename() then

  306.     local fname = maybe_part:get_filename()

  307.     table.insert(value_tbl, fname)

  308.   end

  309.   local value = table.concat(value_tbl, '\t')

  310. 

  311.   if rule.redis_params and rule.prefix then

  312.     key = rule.prefix .. key

  313. 

  314.     lua_redis.redis_make_request(task,

  315.         rule.redis_params, -- connect params

  316.         key, -- hash key

  317.         true, -- is write

  318.         redis_set_cb, --callback

  319.         'SETEX', -- command

  320.         { key, rule.cache_expire or 0, value }

  321.     )

  322.   end

  323. 

  324.   return false

  325. end

  326. 

  327. local function create_regex_table(patterns)

  328.   local regex_table = {}

  329.   if patterns[1] then

  330.     for i, p in ipairs(patterns) do

  331.       if type(p) == 'table' then

  332.         local new_set = {}

  333.         for k, v in pairs(p) do

  334.           new_set[k] = rspamd_regexp.create_cached(v)

  335.         end

  336.         regex_table[i] = new_set

  337.       else

  338.         regex_table[i] = {}

  339.       end

  340.     end

  341.   else

  342.     for k, v in pairs(patterns) do

  343.       regex_table[k] = rspamd_regexp.create_cached(v)

  344.     end

  345.   end

  346.   return regex_table

  347. end

  348. 

  349. local function match_filter(task, rule, found, patterns, pat_type)

  350.   if type(patterns) ~= 'table' or not found then

  351.     return false

  352.   end

  353.   if not patterns[1] then

  354.     for _, pat in pairs(patterns) do

  355.       if pat_type == 'ext' and tostring(pat) == tostring(found) then

  356.         return true

  357.       elseif pat_type == 'regex' and pat:match(found) then

  358.         return true

  359.       end

  360.     end

  361.     return false

  362.   else

  363.     for _, p in ipairs(patterns) do

  364.       for _, pat in ipairs(p) do

  365.         if pat_type == 'ext' and tostring(pat) == tostring(found) then

  366.           return true

  367.         elseif pat_type == 'regex' and pat:match(found) then

  368.           return true

  369.         end

  370.       end

  371.     end

  372.     return false

  373.   end

  374. end

  375. 

  376. -- borrowed from mime_types.lua

  377. -- ext is the last extension, LOWERCASED

  378. -- ext2 is the one before last extension LOWERCASED

  379. local function gen_extension(fname)

  380.   local filename_parts = lua_util.str_split(fname, '.')

  381. 

  382.   local ext = {}

  383.   for n = 1, 2 do

  384.       ext[n] = #filename_parts > n and string.lower(filename_parts[#filename_parts + 1 - n]) or nil

  385.   end

  386.   return ext[1],ext[2],filename_parts

  387. end

  388. 

  389. local function check_parts_match(task, rule)

  390. 

  391.   local filter_func = function(p)

  392.     local mtype,msubtype = p:get_type()

  393.     local detected_ext = p:get_detected_ext()

  394.     local fname = p:get_filename()

  395.     local ext, ext2

  396. 

  397.     if rule.scan_all_mime_parts == false then

  398.     -- check file extension and filename regex matching

  399.       --lua_util.debugm(rule.name, task, '%s: filename: |%s|%s|', rule.log_prefix, fname)

  400.       if fname ~= nil then

  401.         ext,ext2 = gen_extension(fname)

  402.         --lua_util.debugm(rule.name, task, '%s: extension, fname: |%s|%s|%s|', rule.log_prefix, ext, ext2, fname)

  403.         if match_filter(task, rule, ext, rule.mime_parts_filter_ext, 'ext')

  404.             or match_filter(task, rule, ext2, rule.mime_parts_filter_ext, 'ext') then

  405.           lua_util.debugm(rule.name, task, '%s: extension matched: |%s|%s|', rule.log_prefix, ext, ext2)

  406.           return true

  407.         elseif match_filter(task, rule, fname, rule.mime_parts_filter_regex, 'regex') then

  408.           lua_util.debugm(rule.name, task, '%s: filname regex matched', rule.log_prefix)

  409.           return true

  410.         end

  411.       end

  412.       -- check content type string regex matching

  413.       if mtype ~= nil and msubtype ~= nil then

  414.         local ct = string.format('%s/%s', mtype, msubtype):lower()

  415.         if match_filter(task, rule, ct, rule.mime_parts_filter_regex, 'regex') then

  416.           lua_util.debugm(rule.name, task, '%s: regex content-type: %s', rule.log_prefix, ct)

  417.           return true

  418.         end

  419.       end

  420.       -- check detected content type (libmagic) regex matching

  421.       if detected_ext then

  422.         local magic = lua_magic_types[detected_ext] or {}

  423.         if match_filter(task, rule, detected_ext, rule.mime_parts_filter_ext, 'ext') then

  424.           lua_util.debugm(rule.name, task, '%s: detected extension matched: |%s|', rule.log_prefix, detected_ext)

  425.           return true

  426.         elseif magic.ct and match_filter(task, rule, magic.ct, rule.mime_parts_filter_regex, 'regex') then

  427.           lua_util.debugm(rule.name, task, '%s: regex detected libmagic content-type: %s',

  428.               rule.log_prefix, magic.ct)

  429.           return true

  430.         end

  431.       end

  432.       -- check filenames in archives

  433.       if p:is_archive() then

  434.         local arch = p:get_archive()

  435.         local filelist = arch:get_files_full(1000)

  436.         for _,f in ipairs(filelist) do

  437.           ext,ext2 = gen_extension(f.name)

  438.           if match_filter(task, rule, ext, rule.mime_parts_filter_ext, 'ext')

  439.               or match_filter(task, rule, ext2, rule.mime_parts_filter_ext, 'ext') then

  440.             lua_util.debugm(rule.name, task, '%s: extension matched in archive: |%s|%s|', rule.log_prefix, ext, ext2)

  441.             --lua_util.debugm(rule.name, task, '%s: extension matched in archive: %s', rule.log_prefix, ext)

  442.             return true

  443.           elseif match_filter(task, rule, f.name, rule.mime_parts_filter_regex, 'regex') then

  444.             lua_util.debugm(rule.name, task, '%s: filename regex matched in archive', rule.log_prefix)

  445.             return true

  446.           end

  447.         end

  448.       end

  449.     end

  450. 

  451.     -- check text_part has more words than text_part_min_words_check

  452.     if rule.scan_text_mime and rule.text_part_min_words and p:is_text() and

  453.         p:get_words_count() >= tonumber(rule.text_part_min_words) then

  454.       return true

  455.     end

  456. 

  457.     if rule.scan_image_mime and p:is_image() then

  458.       return true

  459.     end

  460. 

  461.     if rule.scan_all_mime_parts ~= false then

  462.       local is_part_checkable = (p:is_attachment() and (not p:is_image() or rule.scan_image_mime))

  463.       if detected_ext then

  464.         -- We know what to scan!

  465.         local magic = lua_magic_types[detected_ext] or {}

  466. 

  467.         if magic.av_check ~= false or is_part_checkable then

  468.           return true

  469.         end

  470.       elseif is_part_checkable then

  471.         -- Just rely on attachment property

  472.         return true

  473.       end

  474.     end

  475. 

  476.     return false

  477.   end

  478. 

  479.   return fun.filter(filter_func, task:get_parts())

  480. end

  481. 

  482. local function check_metric_results(task, rule)

  483. 

  484.   if rule.action ~= 'reject' then

  485.     local metric_result = task:get_metric_score('default')

  486.     local metric_action = task:get_metric_action('default')

  487.     local has_pre_result = task:has_pre_result()

  488. 

  489.     if rule.symbol_type == 'postfilter' and metric_action == 'reject' then

  490.       return true, 'result is already reject'

  491.     elseif metric_result[1] > metric_result[2]*2 then

  492.       return true, 'score > 2 * reject_level: ' .. metric_result[1]

  493.     elseif has_pre_result and metric_action == 'reject' then

  494.       return true, 'pre_result reject is set'

  495.     else

  496.       return false, 'undecided'

  497.     end

  498.   else

  499.     return false, 'dynamic_scan is not possible with config `action=reject;`'

  500.   end

  501. end

  502. 

  503. exports.log_clean = log_clean

  504. exports.yield_result = yield_result

  505. exports.match_patterns = match_patterns

  506. exports.condition_check_and_continue = need_check

  507. exports.save_cache = save_cache

  508. exports.create_regex_table = create_regex_table

  509. exports.check_parts_match = check_parts_match

  510. exports.check_metric_results = check_metric_results

  511. 

  512. setmetatable(exports, {

  513.   __call = function(t, override)

  514.     for k, v in pairs(t) do

  515.       if _G[k] ~= nil then

  516.         local msg = 'function ' .. k .. ' already exists in global scope.'

  517.         if override then

  518.           _G[k] = v

  519.           print('WARNING: ' .. msg .. ' Overwritten.')

  520.         else

  521.           print('NOTICE: ' .. msg .. ' Skipped.')

  522.         end

  523.       else

  524.         _G[k] = v

  525.       end

  526.     end

  527.   end,

  528. })

  529. 

  530. return exports