benzino77 / clamav-rest-api

ClamAV REST API. Scan files using simple POST request.
MIT License
127 stars 44 forks source link

Why forcing filenames to have APP_FORM_KEY name ? #28

Open fl0ppy-d1sk opened 2 years ago

fl0ppy-d1sk commented 2 years ago

Hello @benzino77,

I was wondering if there is any specific reason to only scan files with APP_FORM_KEY name ?

There is a use case of your project where we could use it to scan uploaded files to a web (HTTP) app. A reverse proxy can intercept the request and send it back to the CRA if there is at least one uploaded file. But then we need to edit the requests on the fly to replace filenames with APP_FORM_KEY (that will consume resources on the reverse proxy). A pragmatic way of doing it would be to copy (or even better stream) the client request directly to CRA.

Something like that should do the trick :

for (file in req.files) {
    ...
    const r = await scanFile(req.files[file], av);
    ...
}

Let me know what you think.

benzino77 commented 2 years ago

Well, to tell the truth I can't remember what was the reason .... ;) Make a PR with that change so we can work on it together.

Using reverse proxy in front of CRA is rather better idea than direct requests. You probably will have more than one instance of CRA in your production environment so you will need balancer in front of it (in k8s you will have deployment with many replicas, service "above" it and ingress at the highest level) anyway.