From a7533e3a57850372488d8342e540e9341d98da95 Mon Sep 17 00:00:00 2001
From: mariocasciaro
Date: Wed, 23 Oct 2024 15:21:04 +0100
Subject: [PATCH 1/4] Add rejectUnauthorized option
---
 index.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/index.js b/index.js
index d5afd4b..2c1eb9d 100755
--- a/index.js
+++ b/index.js
@@ -110,6 +110,7 @@ class NodeClam {
 * @param {boolean} [options.clamdscan.active=true] - If true, this module will consider using the `clamdscan` binary
 * @param {boolean} [options.clamdscan.bypassTest=false] - If true, check to see if socket is avaliable
 * @param {boolean} [options.clamdscan.tls=false] - If true, connect to a TLS-Termination proxy in front of ClamAV
+ * @param {boolean} [options.clamdscan.rejectUnauthorized=true] - If true, the server certificate is verified against the list of supplied CAs
 * @param {object} [options.preference='clamdscan'] - If preferred binary is found and active, it will be used by default
 * @param {Function} [cb = null] - Callback method. Prototype: `(err, )`
 * @returns {Promise} An initated instance of NodeClam
@@ -542,6 +543,7 @@ class NodeClam {
 client = tls.connect({
 host: this.settings.clamdscan.host,
 port: this.settings.clamdscan.port,
+ rejectUnauthorized: this.settings.clamdscan.rejectUnauthorized,
 // Activate SNI
 // servername: this.settings.clamdscan.host,
 timeout,
@@ -556,7 +558,11 @@ class NodeClam {
 }
 // Host can be ignored since the default is `localhost`
 else if (this.settings.tls) {
- client = tls.connect({ port: this.settings.clamdscan.port, timeout });
+ client = tls.connect({
+ port: this.settings.clamdscan.port,
+ rejectUnauthorized: this.settings.clamdscan.rejectUnauthorized,
+ timeout
+ });
 } else {
 client = net.createConnection({ port: this.settings.clamdscan.port, timeout });
 }
From 87db368e86aa32c1092d841f94f49dd498802baf Mon Sep 17 00:00:00 2001
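Review bot: In the `tls.connect({ host, port, ... })` call of the `@@ -542,6 +543,7 @@` hunk, `rejectUnauthorized` is passed straight from `this.settings.clamdscan.rejectUnauthorized`, and no hunk in this patch adds a `rejectUnauthorized: true` entry to the default settings, so the documented default of `true` appears to depend on how the runtime treats an unset value. Making the default explicit keeps verification on for unset or non-boolean values: `rejectUnauthorized: this.settings.clamdscan.rejectUnauthorized !== false,`. The same line in the `@@ -556,7 +558,11 @@` hunk would take the same change. For the self-signed case the README mentions, accepting a `ca` setting and passing it through to `tls.connect` would let those deployments keep certificate validation instead of turning it off. The enclosing function starts and ends outside the hunk.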
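Review bot: The branch that receives the new `rejectUnauthorized` line in the `@@ -556,7 +558,11 @@` hunk is guarded by `else if (this.settings.tls)`, while the option is documented as `options.clamdscan.tls` and the added line itself reads `this.settings.clamdscan.*`. If there is no top-level `tls` setting (not visible here), this branch never runs and a localhost connection falls through to the plaintext `net.createConnection` call even with `tls: true`; the guard would then need to be `else if (this.settings.clamdscan.tls) {`. The guard is a context line and the surrounding if/else chain begins outside the hunk, so this should be confirmed against the full function.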
From: mariocasciaro
Date: Wed, 23 Oct 2024 15:22:57 +0100
Subject: [PATCH 2/4] Improve doc
---
 index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/index.js b/index.js
index 2c1eb9d..8f1c8d2 100755
--- a/index.js
+++ b/index.js
@@ -109,7 +109,7 @@ class NodeClam {
 * @param {boolean} [options.clamdscan.reloadDb=false] - If true, will re-load the DB on ever call (slow)
 * @param {boolean} [options.clamdscan.active=true] - If true, this module will consider using the `clamdscan` binary
 * @param {boolean} [options.clamdscan.bypassTest=false] - If true, check to see if socket is avaliable
- * @param {boolean} [options.clamdscan.tls=false] - If true, connect to a TLS-Termination proxy in front of ClamAV
+ * @param {boolean} [options.clamdscan.tls=false] - If true, validates the server's TLS certificate
 * @param {boolean} [options.clamdscan.rejectUnauthorized=true] - If true, the server certificate is verified against the list of supplied CAs
 * @param {object} [options.preference='clamdscan'] - If preferred binary is found and active, it will be used by default
 * @param {Function} [cb = null] - Callback method. Prototype: `(err, )`
From 65d3b82ec55b9312a1d5f058ea63c0bb394f4332 Mon Sep 17 00:00:00 2001
From: mariocasciaro
Date: Wed, 23 Oct 2024 15:23:38 +0100
Subject: [PATCH 3/4] Fix
---
 index.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/index.js b/index.js
index 8f1c8d2..4c805d7 100755
--- a/index.js
+++ b/index.js
@@ -109,8 +109,8 @@ class NodeClam {
 * @param {boolean} [options.clamdscan.reloadDb=false] - If true, will re-load the DB on ever call (slow)
 * @param {boolean} [options.clamdscan.active=true] - If true, this module will consider using the `clamdscan` binary
 * @param {boolean} [options.clamdscan.bypassTest=false] - If true, check to see if socket is avaliable
- * @param {boolean} [options.clamdscan.tls=false] - If true, validates the server's TLS certificate
- * @param {boolean} [options.clamdscan.rejectUnauthorized=true] - If true, the server certificate is verified against the list of supplied CAs
+ * @param {boolean} [options.clamdscan.tls=false] - If true, connect to a TLS-Termination proxy in front of ClamAV
+ * @param {boolean} [options.clamdscan.rejectUnauthorized=true] - If true, validates the server's TLS certificate
 * @param {object} [options.preference='clamdscan'] - If preferred binary is found and active, it will be used by default
 * @param {Function} [cb = null] - Callback method. Prototype: `(err, )`
 * @returns {Promise} An initated instance of NodeClam
From 5f659a2c0d99da5b387bb993773d39780d4e2a7d Mon Sep 17 00:00:00 2001
From: mariocasciaro
Date: Wed, 23 Oct 2024 15:29:19 +0100
Subject: [PATCH 4/4] Add more docs
---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 9c33475..f00144a 100755
--- a/README.md
+++ b/README.md
@@ -133,6 +133,7 @@ const ClamScan = new NodeClam().init({
 active: true, // If true, this module will consider using the clamdscan binary
 bypassTest: false, // Check to see if socket is available when applicable
 tls: false, // Use plaintext TCP to connect to clamd
+ rejectUnauthorized: true // Validate TLS certificate (if TLS option enabled)
 },
 preference: 'clamdscan' // If clamdscan is found and active, it will be used by default
 });
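Review bot: The final JSDoc for `options.clamdscan.rejectUnauthorized` in the index.js hunk of PATCH 3/4 (`@@ -109,8 +109,8 @@`) does not say that the option only has an effect when `options.clamdscan.tls` is true, nor what `false` means for the connection. Suggested wording: `If true (and tls is enabled), the clamd server's TLS certificate must validate; if false, any certificate is accepted and the connection is not protected against interception`. The JSDoc block starts and ends outside the hunk.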
@@ -167,7 +168,8 @@ const ClamScan = new NodeClam().init({
 reloadDb: true, // You want your scans to run slow like with clamscan
 active: false, // you don't want to use this at all because it's evil
 bypassTest: true, // Don't check to see if socket is available. You should probably never set this to true.
- tls: true, // Connect to clamd over TLS
+ tls: true, // Connect to clamd over TLS,
+ rejectUnauthorized: false // Don't validate TLS certificate. Useful when using self-signed certificates.
 },
 preference: 'clamscan' // If clamscan is found and active, it will be used by default
 });