Initial commit

.gitignore

@@ -0,0 +1,33 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/test/tmp/
+/test/version_tmp/
+/tmp/
+/log/
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalisation:
+/.bundle/
+/lib/bundler/man/
+
+## Misc
+Gemfile.lock
+gemfiles/*.lock
+.ruby-version
+.ruby-gemset
+.rvmrc

Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Daisuke Taniwaki
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,58 @@
+# rack-secure-upload
+
+Upload files securely
+
+## Installation
+
+Add the rack-secure-upload gem to your Gemfile.
+
+```ruby
+gem "rack-secure-upload"
+```
+
+And run `bundle install`.
+
+### Rack App
+
+```ruby
+require 'rack-secure-upload'
+use Rack::SecureUpload::Middleware, :fsecure
+run MyApp
+```
+
+### Rails App
+
+In `config/application.rb`
+
+```ruby
+module MyApp
+  class Application < Rails::Application
+    config.middleware.use Rack::DevMark::Middleware, :fsecure
+  end 
+end
+```
+
+## AntiVirus Softwares
+
+### F-Secure
+
+1. Get [license](http://www.f-secure.com/en/web/business_global/trial)
+2. Install the package
+
+```bash
+wget http://download.f-secure.com/webclub/f-secure-linux-security-10.00.60.tar.gz
+tar xvzf f-secure-linux-security-10.00.60.tar.gz
+sudo ./f-secure-linux-security-10.00.60/f-secure-linux-security-10.00.60
+```
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new [Pull Request](../../pull/new/master)
+
+## Copyright
+
+Copyright (c) 2014 Daisuke Taniwaki. See [LICENSE](LICENSE) for details.

Rakefile

@@ -0,0 +1,8 @@
+require "bundler/gem_tasks"
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec) do |spec|
+  spec.pattern = FileList['spec/**/*_spec.rb']
+end
+task :default => :spec

lib/rack-secure-upload.rb

@@ -0,0 +1 @@
+require 'rack/secure_upload'

lib/rack/secure_upload.rb

@@ -0,0 +1,11 @@
+require "logger"
+require "rack/secure_upload/errors"
+require "rack/secure_upload/middleware"
+
+module Rack
+  module SecureUpload
+    def self.logger
+      @logger ||= ::Logger.new($stderr)
+    end
+  end
+end

lib/rack/secure_upload/errors.rb

@@ -0,0 +1,6 @@
+module Rack
+  module SecureUpload
+    class RuntimeError < ::RuntimeError; end
+    class InsecureFileError < RuntimeError; end
+  end
+end

lib/rack/secure_upload/middleware.rb

@@ -0,0 +1,40 @@
+require 'rack'
+require 'rack/secure_upload/utility'
+require 'rack/secure_upload/scanner'
+
+module Rack
+  module SecureUpload
+    class Middleware
+      include Utility
+
+      def initialize(app, scanners)
+        @app = app
+        @scanners = [scanners].flatten.map { |scanner| scanner.is_a?(Symbol) ? Rack::SecureUpload::Scanner.const_get(camelize(scanner.to_s)).new : scanner }
+      end
+
+      def call(env)
+        params = Rack::Multipart.parse_multipart(env)
+        if params && !params.empty?
+          traverse(params) do |value|
+            next unless [Tempfile, File].any?{ |klass| value.is_a?(klass) }
+            scan value.path
+          end
+        end
+
+        @app.call(env)
+      end
+
+      private
+
+      def scan(path)
+        secure = @scanners.any? do |scanner|
+          unless res = scanner.scan(path)
+            Rack::SecureUpload.logger.warn "#{scanner} found an insecure file: #{path}"
+          end
+          res
+        end
+        raise InsecureFileError, "The uploaded file \"#{path}\" is insecure!" unless secure
+      end
+    end
+  end
+end

lib/rack/secure_upload/scanner.rb

@@ -0,0 +1,10 @@
+module Rack
+  module SecureUpload
+    module Scanner
+    end
+  end
+end
+
+Dir[File.join(File.dirname(__FILE__), 'scanner', '*.rb')].each do |f|
+  require f
+end

lib/rack/secure_upload/scanner/base.rb

@@ -0,0 +1,30 @@
+require 'rack/secure_upload/errors'
+
+module Rack
+  module SecureUpload
+    module Scanner
+      class Base
+        attr_reader :options, :logger
+
+        def initialize(options = {})
+          raise RuntimeError, 'Abstract class can not be instantiated' if self.class == Rack::SecureUpload::Scanner::Base
+          @options = default_options.merge(options)
+        end
+
+        def scan(path)
+          # Scan the file here
+        end
+
+        def logger
+          options[:logger] || Rack::SecureUpload.logger
+        end
+
+        private
+
+        def default_options
+          {}
+        end
+      end
+    end
+  end
+end

lib/rack/secure_upload/scanner/fsecure.rb

@@ -0,0 +1,47 @@
+require 'cocaine'
+require 'rack/secure_upload/errors'
+
+module Rack
+  module SecureUpload
+    module Scanner
+      class Fsecure < Base
+        def scan(path)
+          now_umask = ::File.umask(0)
+
+          lock do
+            output = command.run(path: path)
+            logger.info output
+          end
+
+          ::File.exist?(path)
+        ensure
+          ::File.umask(now_umask)
+        end
+
+        private
+
+        def lock
+          ::File.open(options[:lockfile_path], 'w', 0666) do |f|
+            f.flock(::File::LOCK_EX)
+            begin
+              yield
+            ensure
+              f.flock(::File::LOCK_UN)
+            end
+          end
+        end
+
+        def command
+          Cocaine::CommandLine.new(options[:bin_path], "--auto --virus-action1=remove :path")
+        end
+
+        def default_options
+          {
+            :bin_path => "/usr/bin/fsav",
+            :lockfile_path => "/tmp/fsav_lock"
+          }
+        end
+      end
+    end
+  end
+end

lib/rack/secure_upload/utility.rb

@@ -0,0 +1,20 @@
+module Rack
+  module SecureUpload
+    module Utility
+      def traverse(value, &block)
+        if value.is_a?(Hash)
+          value.each do |k, v|
+            traverse(k, &block)
+            traverse(v, &block)
+          end
+        elsif value.is_a?(Array)
+          value.each do |v|
+            traverse(v, &block)
+          end
+        else
+          block.call(value)
+        end
+      end
+    end
+  end
+end

lib/rack/secure_upload/version.rb

@@ -0,0 +1,5 @@
+module Rack
+  module SecureUpload
+    VERSION = "0.0.1"
+  end
+end

rack-secure-upload.gemspec

@@ -0,0 +1,26 @@
+require File.expand_path('../lib/rack/secure_upload/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.name        = "rack-secure-upload"
+  gem.version     = Rack::SecureUpload::VERSION
+  gem.platform    = Gem::Platform::RUBY
+  gem.authors     = ["Daisuke Taniwaki"]
+  gem.email       = ["daisuketaniwaki@gmail.com"]
+  gem.homepage    = "https://github.com/dtaniwaki/rack-secure-upload"
+  gem.summary     = "Upload files securely"
+  gem.description = "Upload files securely"
+  gem.license     = "MIT"
+
+  gem.files       = `git ls-files`.split("\n")
+  gem.test_files  = `git ls-files -- {test,spec,features}/*`.split("\n")
+  gem.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  gem.require_paths = ['lib']
+
+  gem.add_dependency 'logger', '>= 1.2'
+  gem.add_dependency "rack", ">= 1.1"
+  gem.add_dependency "cocaine"
+
+  gem.add_development_dependency "rake"
+  gem.add_development_dependency "rspec", ">= 3.0"
+  gem.add_development_dependency "coveralls"
+end

spec/rack/secure_upload/middleware_spec.rb

@@ -0,0 +1,33 @@
+require "spec_helper"
+
+describe Rack::SecureUpload::Middleware do
+  let(:env) { Rack::MockRequest.env_for('/') }
+  let(:file) { Rack::Multipart::UploadedFile.new(__FILE__) }
+  let(:scanner) { double scan: true }
+  subject { Rack::SecureUpload::Middleware.new(->env { ":)" }, scanner) }
+
+  context "with uploaded file" do
+    let(:env) { Rack::MockRequest.env_for('/', method: :post, params: {foo: file}) }
+
+    it "scans" do
+      expect(scanner).to receive(:scan)
+      subject.call(env)
+    end
+
+    context "with multiple uploaded files" do
+      let(:env) { Rack::MockRequest.env_for('/', method: :post, params: {foo: file, bar: file, zoo: file}) }
+
+      it "scans" do
+        expect(scanner).to receive(:scan).exactly(3).times
+        subject.call(env)
+      end
+    end
+  end
+
+  context "without uplaod file" do
+    it "does not scan" do
+      expect(scanner).not_to receive(:scan)
+      subject.call(env)
+    end
+  end
+end