This is a recurrent demand from our customers. So here is a quick guide to add an antivirus scanner when uploading blobs in Nuxeo documents.
One way to implement an antivirus scan for uploaded documents without any significant performance hit at creation time would be to:
- implement a new
QuarantineBinaryManagerthat would wrap a two instances of
BinaryManagerconfigured to use two distinct repositories, e.g.
- introduce a new dynamic facet with a schema that can store antivirus status and metadata of all the blobs stored on the document.
Whenever a new blob is uploaded and attached to a Nuxeo document the
QuarantineBinaryManager would first delegate the insertion to the
repo-quarantine instance of
A new Nuxeo synchronous core event listener would also react to the
beforeDocumentModification event and introspect whether one of the blob fields is dirty. If so, the dynamic facet of the document would be updated to mark the new blob as being quarantined for antivirus analysis and a new asynchronous task would be scheduled using the
WorkManager that would delegate a call to the antivirus service out of transaction and then collect the outcome of the antivirus as follows:
If the antivirus outcome is negative (no virus detected): the
WorkManagertask would call a new public method of
QuarantineBinaryManager, for instance named
QuarantineBinaryManager#giveClearance(String blobDigest). This method would physically move the blob from the
repo-quarantinebucket to the
WorkManagertask would also update the document dynamic facet to inform the user (e.g. with a dedicated blob widget) that the document does not contain a suspect blob.
If the antivirus outcome is positive (a virus is detected in the attached file): the
WorkManagertask would not call the
giveClearancemethod and instead just update the metadata fields of the dynamic facet schema to inform the user of the outcome of the analysis. The user could then decide to delete the contaminated blob attachment (or the system could be configured to do it automatically).
Furthermore it would be very useful to make the event listener manage a new local ACL that would render documents with blobs in quarantine only visible to the user who uploaded the last blob until it is moved out of quarantine or deleted. This feature would have the following purposes:
- Never propagate a contaminated blob to other users by denying access to the documents that contain contaminated files.
- Do not disrupt too much any existing Nuxeo components (e.g. Nuxeo Drive 1) that usually expect any uploaded blob in a document to be immediately available.
- Make it possible for the uploader to introspect the state of the virus analysis by making a custom blob widget.
The management of the dynamic facet, the ACL and the call to the
giveClearance method should be wrapped in a single
AntivirusVirusAware document adapter to abstract away all those operations in a simple and clean public API.
Implementing such extensions to the Nuxeo platform is possible but might not be easy for non-core Nuxeo developer.
The software architecture of binary management has slightly changed. Instead of a binary manager, one should think of a custom Blob Dispatcher. Furthermore, it would make sense in this new architecture to introduce this as a feature of the Blob Manager service.