feat: introduce active threat protection

[insertish]

Configure some sort of anti-malware service that autumn can call out to for non-media files.

[insertish]

This looks promising, auto-updating ClamAV in a Docker container: https://github.com/rordi/docker-antivirus

• doesn't seem to be a network service?
• alternatively, autumn could write to said directory, and poll for ok / nok results

Doesn't seem to work?

On to the next one...

[insertish]

Next best thing is probably just using ClamAV directly, but this will have a heavy memory footprint (not sure if we have space for this).

https://hub.docker.com/r/clamav/clamav

Ok this isn't great already, would have to somehow load the container up, with signatures, and only then call ClamAV.

It may be worth therefore to just make a separate service that pulls recently uploaded files from S3 (OR a task in the file server that does additional processing on the file after it is uploaded).

ClamAV also definitely won't detect everything, I'm fairly certain both of these files are malware but one of them comes back as "OK":

[insertish]

Alternatively, use clamav bindings directly in Autumn:

clamav crate: https://docs.rs/clamav/latest/clamav/engine/struct.Engine.html#method.scan_file (this creates additional issues with linking ☹️)

clamav-client (run clamd in container): https://crates.io/crates/clamav-client

[insertish]

ClamAV client is really promising, it lets you just stream the file over the network by default.

This would be paired with a clamd container.

[insertish]

Forked clamav-client for dealing with buffers directly, also opened a PR to upstream my changes if they're interested, https://github.com/toblux/rust-clamav-client/pull/1.

[insertish]