All files / lib/attachment-archive source-repair.ts

import path from "path";
 
/**
 * One Key/Value tag entry, as read and produced by `upsertScanTags`.
 * NOTE(review): the capitalised field names presumably match the object-tag
 * shape of the storage API — confirm against the caller.
 */
export interface AttachmentScanTag {
  // Tag name; `upsertScanTags` compares it against the two scan tag keys.
  Key: string;
  // Tag value, stored as a plain string.
  Value: string;
}
 
/**
 * Identifies the object that `buildSyntheticScannerInvokePayload` points the
 * scanner at.
 */
export interface ScannerRedriveTarget {
  // Copied into `s3.bucket.name` of the synthetic event.
  bucket: string;
  // Copied into `s3.object.key` of the synthetic event, without any encoding.
  key: string;
}
 
/**
 * Facts about one attachment that `isManualCleanRetagEligible` evaluates.
 * The function only reads these values; whoever builds this object is
 * responsible for them being accurate.
 */
export interface ManualRetagEligibilityInput {
  // Must be true for eligibility.
  // NOTE(review): presumably means a scanner redrive was already tried — confirm with the caller.
  attemptedRedrive: boolean;
  // Bucket name; eligibility requires the "mako-main-attachments-" prefix.
  bucket: string;
  // Must be true for eligibility.
  exists: boolean;
  // Only the extension of this name is inspected, never the file content.
  filename: string;
  // Current scan status tag value; a missing, empty or "CLEAN" value makes the object ineligible.
  virusScanStatus?: string;
}
 
// Tag keys that carry the scan verdict and the time it was recorded.
const VIRUS_SCAN_STATUS_KEY = "virusScanStatus";
const VIRUS_SCAN_TIMESTAMP_KEY = "virusScanTimestamp";

// Status value that marks an object as having passed scanning.
const CLEAN_STATUS = "CLEAN";

// File extensions accepted for manual retagging. This is a hand-maintained
// copy of the ClamAV scanner allowlist in
// lib/local-constructs/clamav-scanning/src/lib/file-ext.ts; the scanner package
// is deliberately not imported into operational repair tooling, so the two
// lists must be kept aligned by hand. If they drift apart, this tooling could
// accept a file type the scanner itself would reject.
// NOTE(review): ".jpg" and ".tiff" are not listed although ".jpeg" and ".tif"
// are — presumably this matches the scanner list; confirm.
const ALLOWED_EXTENSIONS = new Set<string>([
  // images
  ".bmp",
  ".gif",
  ".jpeg",
  ".png",
  ".tif",
  // text and word-processing documents
  ".doc",
  ".docx",
  ".odt",
  ".pdf",
  ".rtf",
  ".txt",
  // spreadsheets and tabular data
  ".csv",
  ".ods",
  ".xls",
  ".xlsx",
  // presentations
  ".odp",
  ".ppt",
  ".pptx",
]);
 
/**
 * Builds a hand-made invocation event that points the scanner at one object.
 *
 * The result has a single outer record whose `body` is a JSON string; that
 * string holds one inner record carrying `s3.bucket.name` and `s3.object.key`.
 * NOTE(review): this presumably mirrors the queue-wrapped S3 notification the
 * scanner normally receives — confirm against the scanner's handler.
 * NOTE(review): S3 event notifications URL-encode object keys, while
 * `target.key` is embedded here exactly as given. If the scanner decodes the
 * key, a key containing `+` or `%` would resolve to a different object than
 * the one intended — confirm how the consumer treats it.
 *
 * @param target - Bucket and object key to place in the inner record.
 * @returns An object with one outer record whose `body` is the serialized inner event.
 */
export function buildSyntheticScannerInvokePayload(target: ScannerRedriveTarget) {
  const objectRecord = {
    s3: {
      bucket: { name: target.bucket },
      object: { key: target.key },
    },
  };
  // The inner event travels as a string, so it is serialized before wrapping.
  const body = JSON.stringify({ Records: [objectRecord] });

  return { Records: [{ body }] };
}
 
/**
 * Returns a new tag list in which the scan status and scan timestamp tags are
 * replaced by the supplied values.
 *
 * Every existing tag other than those two keys is kept, in its original
 * order; the two scan tags are then appended, status first. The input array
 * is not modified.
 *
 * `status` is written exactly as given: no validation or eligibility check
 * happens here, so any gating of a "CLEAN" write has to be done by the caller.
 * NOTE(review): if these are S3 object tags, the service caps an object at
 * 10 tags; this helper does not check the size of the resulting list.
 *
 * @param existingTags - Tags currently on the object.
 * @param status - Value for the scan status tag.
 * @param timestamp - Value for the scan timestamp tag.
 * @returns The merged tag list.
 */
export function upsertScanTags({
  existingTags,
  status,
  timestamp,
}: {
  existingTags: AttachmentScanTag[];
  status: string;
  timestamp: string;
}) {
  const managedKeys = new Set<string>([VIRUS_SCAN_STATUS_KEY, VIRUS_SCAN_TIMESTAMP_KEY]);
  const merged: AttachmentScanTag[] = [];

  // Carry over everything that is not one of the two scan tags.
  for (const tag of existingTags) {
    if (!managedKeys.has(tag.Key)) {
      merged.push(tag);
    }
  }

  merged.push(
    { Key: VIRUS_SCAN_STATUS_KEY, Value: status },
    { Key: VIRUS_SCAN_TIMESTAMP_KEY, Value: timestamp },
  );
  return merged;
}
 
/**
 * Decides whether an attachment may be considered for a manual "CLEAN" retag.
 *
 * All of the following must hold, otherwise the result is `false`:
 *  - a redrive was attempted and the object exists;
 *  - a scan status is present and is not already "CLEAN";
 *  - the lower-cased extension of `filename` is in ALLOWED_EXTENSIONS;
 *  - the bucket name starts with "mako-main-attachments-".
 *
 * Review notes for anyone relying on this as a safety gate:
 *  - The extension test looks at the name only and says nothing about the
 *    file's actual content.
 *  - The status comparison is an exact, case-sensitive match on "CLEAN".
 *  - NOTE(review): every status other than "CLEAN" passes the status test,
 *    which would include whatever value the scanner records for a positive
 *    detection. Confirm such objects are excluded before a retag is applied.
 *
 * @returns `true` only when every condition above is met.
 */
export function isManualCleanRetagEligible({
  attemptedRedrive,
  bucket,
  exists,
  filename,
  virusScanStatus,
}: ManualRetagEligibilityInput) {
  // A status must be recorded and must differ from the clean marker.
  const hasNonCleanStatus = Boolean(virusScanStatus) && virusScanStatus !== CLEAN_STATUS;
  if (!(attemptedRedrive && exists && hasNonCleanStatus)) {
    return false;
  }

  // Fail closed: unknown or missing extensions are rejected before the bucket is looked at.
  const fileExtension = path.extname(filename).toLowerCase();
  return ALLOWED_EXTENSIONS.has(fileExtension) && bucket.startsWith("mako-main-attachments-");
}