Description
We recently tested uploading through clammit to an s3 bucket with "aws cli".
Choosing s3api as the upload method, it seems that one could bypass virus scanning by just not providing the correct HTTP header.
So, this one here works as expected and EICAR gets detected:
```
aws --endpoint https://192.168.1.180 s3api put-object --key e.zip.bin --bucket mybucket --body e.zip.bin --content-type=text/plain --no-verify-ssl
```
Log from clammit:
```
2022/12/20 14:05:20 Interceptor has deemed that this request should not be forwarded
2022/12/20 14:05:29 Received scan request
2022/12/20 14:05:29 Passing to interceptor
2022/12/20 14:05:29 New request PUT /mybucket/e.zip.bin len 235 from @ (192.168.1.180)
2022/12/20 14:05:29 Sending to clamav
2022/12/20 14:05:29 result of scan: Status: FOUND; Virus: true; Description: Eicar-Signature
2022/12/20 14:05:29 Interceptor has deemed that this request should not be forwarded
```
So far, so good.
Leaving "content-type" out as an option, the following happens:
```
aws --endpoint https://192.168.1.180 s3api put-object --key e.zip.bin --bucket mybucket --body e.zip.bin --no-verify-ssl
```
Clammit skips scanning with an "unable to parse media type" error and forwards the EICAR file:
```
2022/12/20 14:10:09 Received scan request
2022/12/20 14:10:09 Passing to interceptor
2022/12/20 14:10:09 New request PUT /mybucket/e.zip.bin len 235 from @ (192.168.1.180)
2022/12/20 14:10:09 Unable to parse media type: mime: no media type
2022/12/20 14:10:09 Interceptor passed this request
2022/12/20 14:10:09 Forwarding to https://object.storage/
2022/12/20 14:10:09 Request forwarded, response 200 OK
```
Is it possible to force scanning, although Clammit can't check the media type?
Would #18 help here as well?
Thanks very much.
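As an added illustration (not clammit's own code), the fail-closed behaviour the report asks for, written in Go: a missing or unparseable Content-Type makes the proxy scan the whole body as one object instead of skipping the scan, and a malformed multipart body is blocked rather than forwarded. The function names, the marker string and `markerScanner` (a stand-in for a real clamd call) are hypothetical.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"strings"
)

// shouldForward decides whether an upload may reach object storage.
// Fail-closed: a missing or unparseable Content-Type (the "mime: no media type"
// case in the report above) scans the whole body as one object instead of
// skipping the scan; a malformed multipart body is blocked, not forwarded.
func shouldForward(contentType string, body []byte, scan func([]byte) bool) bool {
	mediaType, params, err := mime.ParseMediaType(contentType)
	if err != nil || !strings.HasPrefix(mediaType, "multipart/") || params["boundary"] == "" {
		return !scan(body) // opaque object: scan it whole
	}
	mr := multipart.NewReader(bytes.NewReader(body), params["boundary"])
	for {
		p, err := mr.NextPart()
		if err == io.EOF {
			return true // every part was scanned and came back clean
		}
		if err != nil {
			return false // malformed multipart: block rather than forward
		}
		data, err := io.ReadAll(p)
		if err != nil || scan(data) {
			return false
		}
	}
}

// markerScanner is a constructed stand-in for clamd: it flags any payload
// containing the marker string. It is not a real signature.
func markerScanner(p []byte) bool { return bytes.Contains(p, []byte("TEST-MARKER-DO-NOT-FORWARD")) }

func main() {
	body := []byte("upload bytes TEST-MARKER-DO-NOT-FORWARD") // constructed sample upload
	for _, ct := range []string{"text/plain", ""} { // "" is the bypass case from the report
		fmt.Printf("Content-Type=%q forward=%v\n", ct, shouldForward(ct, body, markerScanner))
	}
}
```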