cap-js / attachments

The @cap-js/attachments package is a CDS plugin that provides out-of-the-box asset storage and handling by using an aspect Attachments. It also provides a CAP-level, easy-to-use integration of the SAP Object Store.
Apache License 2.0

Attachments should not be set to scanning when malware scanning is disabled #76

Closed Rediate15 closed 1 month ago

Rediate15 commented 3 months ago

After uploading a new attachment, its status should never be set to scanning when malware scanning is disabled. An unaware user would not know that it is disabled and as such would be misled by the status "Scanning". The attachment should therefore always be in Scan Status "Unscanned" if malware scanning is disabled.

With that, an attachment should be downloadable if malware scanning is disabled and scan status is set to "Unscanned".

/lib/malwareScanner.js

```js
async function scanRequest(Attachments, key) {
  const scanEnabled = cds.env.requires?.attachments?.scan ?? true
  const AttachmentsSrv = await cds.connect.to("attachments")

  let draftEntity, activeEntity
  if (Attachments.isDraft) {
    draftEntity = Attachments
    activeEntity = Attachments.actives
  } else {
    activeEntity = Attachments
  }

  let currEntity = draftEntity == undefined ? activeEntity : draftEntity

  await updateStatus(AttachmentsSrv, key, "Scanning", currEntity, draftEntity, activeEntity)

  if (!scanEnabled) {
    setTimeout(async () => {
      DEBUG?.('Malware scanning is disabled. Setting scan status to Clean.')
      await updateStatus(AttachmentsSrv, key, "Clean", currEntity, draftEntity, activeEntity)
    }, 5000)

    return
  }
  ...
```

muskansethi1 commented 1 month ago

Hi @Rediate15,

We no longer mock the malware scanning, except when in the development profile, from version 1.1.5. The status will be set to Unscanned in such cases. Furthermore, if the scanning is disabled and the status is Unscanned, the file can be accessed now.

Let me know if the issue still persists.

Best Regards, Muskan
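
The behaviour requested in this issue, sketched as an added example (not code from @cap-js/attachments): "Clean" is stored only as a scanner verdict, and "Unscanned" is downloadable only while scanning is disabled. The function names, the in-memory store, and the handling of a failed scan are assumptions; the status strings and the config lookup are the ones quoted above.

```javascript
// Added illustration, not the plugin's code. Function names are hypothetical.

// Same lookup as the quoted scanRequest(): enabled unless explicitly configured otherwise.
const scanEnabledFrom = (env) => env.requires?.attachments?.scan ?? true

// Records every status written for an upload and returns the sequence.
async function recordUpload(store, key, env, scanner) {
  const history = []
  const setStatus = (status) => { store.set(key, status); history.push(status) }

  if (!scanEnabledFrom(env)) {
    setStatus("Unscanned")         // nothing inspected the file, so the status says so
    return history
  }
  setStatus("Scanning")
  try {
    setStatus(await scanner(key))  // the scanner's verdict, e.g. "Clean"
  } catch {
    setStatus("Unscanned")         // assumption: a failed scan is never reported as clean
  }
  return history
}

// Download gate: "Clean" always passes; "Unscanned" passes only while scanning
// is disabled; anything else, including "Scanning", is refused.
function isDownloadAllowed(status, env) {
  if (status === "Clean") return true
  return status === "Unscanned" && !scanEnabledFrom(env)
}

// Constructed sample run: one upload with scanning off, two with it on.
async function demo() {
  const store = new Map()
  const off = { requires: { attachments: { scan: false } } }
  const on = {}                    // key absent, so scanning defaults to enabled
  const disabled = await recordUpload(store, "a1", off, async () => "Clean")
  const scanned = await recordUpload(store, "a2", on, async () => "Clean")
  const failed = await recordUpload(store, "a3", on, async () => {
    throw new Error("scanner unreachable")
  })
  return { disabled, scanned, failed, store, off, on }
}

demo().then(({ disabled, scanned, failed }) => console.log(disabled, scanned, failed))
```

Because the gate reads the current configuration, a file stored as "Unscanned" while scanning was off stops being downloadable once scanning is switched on.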