@inspectFile example not working #1646

Closed
Piyushgargcse opened this issue Jan 6, 2018 · 10 comments
Labels
3.x Related to ModSecurity version 3.x RIP - libmodsecurity
@Piyushgargcse

The example you had defined in your documentation is not working
```perl
#!/usr/bin/perl
#
# runav.pl
# Copyright (c) 2004-2011 Trustwave
#
# This script is an interface between ModSecurity and its
# ability to intercept files being uploaded through the
# web server, and ClamAV

$CLAMSCAN = "clamscan";

# Exactly one argument (the file to scan) is required.
if ($#ARGV != 0) {
    print "Usage: runav.pl <filename>\n";
    exit;
}

my ($FILE) = shift @ARGV;

# Run clamscan and keep the first line of its output.
$cmd = "$CLAMSCAN --stdout --no-summary $FILE";
$input = `$cmd`;
$input =~ m/^(.+)/;
$error_message = $1;

# Output starting with "1" means clean; "0" means the rule should match.
$output = "0 Unable to parse clamscan output [$1]";

if ($error_message =~ m/: Empty file\.?$/) {
    $output = "1 empty file";
}
elsif ($error_message =~ m/: (.+) ERROR$/) {
    $output = "0 clamscan: $1";
}
elsif ($error_message =~ m/: (.+) FOUND$/) {
    $output = "0 clamscan: $1";
}
elsif ($error_message =~ m/: OK$/) {
    $output = "1 clamscan: OK";
}

print "$output\n";
```

Here you had put a condition that is not taking any parameter so please update your documentation
```perl
if ($#ARGV != 0) {
    print "Usage: runav.pl <filename>\n";
    exit;
}
```

@zimmerle
Contributor

zimmerle commented Mar 1, 2018

Hi @Piyushgargcse, what leads you to believe that this is not working?

@zimmerle zimmerle closed this as completed Mar 1, 2018
@defanator
Contributor

May be useful to check: #1610 (comment)

@intelbg

intelbg commented Mar 29, 2018

Hello,
We also want and try to implement mod security version3 with NginX 1.12 upload file scanning with clamav according to your documentation with runav.pl which is renamed in our case but it's the same and we are using the following rule:

```
SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/pesho.pl" \
    "phase:2,t:none,block,msg:'Virus found in uploaded file',id:'2222'"
```

We are seeing that modsecurity creates a temporary file with filename "20180329-113446-152231248681.994854-file-0bn484" in directory "/opt/modsecurity/var/upload", but when the rule 2222 is processed, the "FILES_TMPNAMES" parameter has value "c99.png" which is the real name of the uploaded file. Why FILES_TMPNAMES gives us the real name, and can we inspect the right file?

Here is the complete debug.log from mod security attached.

debug.log.txt

SecUploadKeepFiles is set to On (in the documentation I read that it should be RelevantOnly, but I am not sure if it's only for version 2.9. Please confirm this to me.)

#SecTmpSaveUploadedFiles Off - if this option is ON (I am not sure if it should be on) uploading of any file returns 400 bad request.

Last, but not least, I would like to mention that we are familiar with the last comment in the following case and it does not make sense:

#1610 (comment)

Please give us complete information which options we need to configure and if the problem with files_tmpnames is the core issue in this case. Thank you in advance.

P.S. I updated with the latest source of modsecurity master branch, because I saw changes to inspect file operator and the problem still exists.

@zimmerle
Contributor

Re-opening the issue for further investigation.

@zimmerle zimmerle reopened this Mar 29, 2018
@zimmerle zimmerle added 3.x Related to ModSecurity version 3.x and removed pending feedback labels Mar 29, 2018
@zimmerle zimmerle added this to the v3.0.2 milestone Mar 29, 2018
@wanjidong

I have the same problem

@victorhora
Contributor

@wanjidong

There was a recent change to fix the behaviour of the operator here. Check if this fixes the issue you're facing.

@wanjidong

wanjidong commented Apr 9, 2018

@victorhora Thank you for your reply, but it's not what you said. You can't get FILES_TMPNAMES. My configuration files and log files are as follows.

modsecurity.conf.txt
REQUEST-949-Clamav-Scan.conf.txt
runav.pl.txt
clamav.log
20180409-094128-152323808853.784017.log

ModSecurity version:v3/master 077b182
ModSecurity-nginx version:master owasp-modsecurity/ModSecurity-nginx@6d5f759

@intelbg

intelbg commented Apr 17, 2018

Finally, can you please tell me if it's fixed in the latest master?

@victorhora
Contributor

Thanks for the feedback @wanjidong and @intelbg.

#1748 should fix this issue. It's being tested in the buildbots now.

Please let us know if it solves your issue.

@zimmerle
Contributor

As stated by @victorhora, #1748 fixes this. Thanks.
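
An added example, not part of the thread or of the ModSecurity project: a Python equivalent of the runav.pl wrapper that fails closed when its argument is not a stored upload, which is the symptom reported above (FILES_TMPNAMES yielding `c99.png` instead of the temporary path). The function names and the `UPLOAD_DIR` default are assumptions; the output convention (`1 ...` for clean, `0 ...` otherwise) follows runav.pl.

```python
import os
import re
import subprocess
import sys

CLAMSCAN = "clamscan"                       # same scanner as runav.pl
UPLOAD_DIR = "/opt/modsecurity/var/upload"  # assumption: upload dir quoted in the thread

def verdict_from_clamscan(line):
    """Map the first line of `clamscan --stdout --no-summary` to a runav.pl-style verdict."""
    line = line.strip()
    if re.search(r": Empty file\.?$", line):
        return "1 empty file"
    m = re.search(r": (.+) (ERROR|FOUND)$", line)
    if m:
        return "0 clamscan: " + m.group(1)
    if re.search(r": OK$", line):
        return "1 clamscan: OK"
    return "0 Unable to parse clamscan output [%s]" % line

def check_argument(path, upload_dir=UPLOAD_DIR):
    """Return None if path is a stored upload, else a fail-closed verdict string."""
    if not os.path.isabs(path):
        # Symptom from the thread: the client-side name (e.g. c99.png) arrives
        # instead of the temporary file path, so nothing real would be scanned.
        return "0 not a temporary file path [%s]" % path
    real, base = os.path.realpath(path), os.path.realpath(upload_dir)
    if os.path.commonpath([real, base]) != base:
        return "0 path outside upload directory [%s]" % path
    if not os.path.isfile(real):
        return "0 file not found [%s]" % path
    return None

def inspect(path, upload_dir=UPLOAD_DIR):
    problem = check_argument(path, upload_dir)
    if problem:
        return problem
    try:
        # Argument list, no shell; path is absolute, so it cannot be read as an option.
        proc = subprocess.run([CLAMSCAN, "--stdout", "--no-summary", path],
                              capture_output=True, text=True)
    except OSError as exc:
        return "0 cannot run clamscan [%s]" % exc
    first = proc.stdout.splitlines()[0] if proc.stdout else ""
    return verdict_from_clamscan(first)

if __name__ == "__main__":
    print(inspect(sys.argv[1]) if len(sys.argv) == 2 else "0 usage: <script> <filename>")
```

Because every unexpected condition returns a line starting with `0`, a misbehaving FILES_TMPNAMES value shows up as a rule match with a descriptive message rather than as a silently unscanned upload.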
