Perform a Virus Scan on Files Uploaded into Sitecore
Last week I took notice of a SDN forum post asking whether there are any best practices for checking files uploaded into Sitecore for viruses.
Although I am unaware of there being any best practices for this, adding a processor into the <uiUpload> pipeline to perform virus scans has been on my plate for the past month. Not being able to find an open source .NET antivirus library has been my major blocker for building one.
However, after many hours of searching the web — yes, I do admit some of this time is sprinkled with idle surfing — over multiple weeks, I finally discovered nClam — a .NET client library for scanning files using a Clam Antivirus server (I setup one using instructions enumerated here).
Before I continue, I would like to caution you on using this or any antivirus solution before doing a substantial amount of research — I do not know how robust the solution I am sharing actually is, and I am by no means an antivirus expert. The purpose of this post is to show how one might go about adding antivirus capabilities into Sitecore, and I am not advocating or recommending any particular antivirus software package. Please consult with an antivirus expert before using any antivirus software/.NET client library .
The solution I came up with uses the adapter design pattern — it basically wraps and makes calls to the nClam library, and is accessible through the following antivirus scanner interface:
using System.IO;
namespace Sitecore.Sandbox.Security.Antivirus
{
public interface IScanner
{
ScanResult Scan(Stream sourceStream);
ScanResult Scan(string filePath);
}
}
This interface defines the bare minimum methods our antivirus classes should have. Instances of these classes should offer the ability to scan a file through the file’s Stream, or scan a file located on the server via the supplied file path.
The two scan methods defined by the interface must return an instance of the following data transfer object:
namespace Sitecore.Sandbox.Security.Antivirus
{
public class ScanResult
{
public string Message { get; set; }
public ScanResultType ResultType { get; set; }
}
}
Instances of the above class contain a detailed message coupled with a ScanResultType enumeration value which conveys whether the scanned file is clean, contains a virus, or something else went wrong during the scanning process:
namespace Sitecore.Sandbox.Security.Antivirus
{
public enum ScanResultType
{
Clean,
VirusDetected,
Error,
Unknown
}
}
I used the ClamScanResults enumeration as a model for the above.
I created and used the ScanResultType enumeration instead of the ClamScanResults enumeration so that this solution can be extended for other antivirus libraries — or calls could be made to other antivirus software through the command-line — and these shouldn’t be tightly coupled to the nClam library.
I then wrapped the nClam library calls in the following ClamScanner class:
using System;
using System.IO;
using System.Linq;
using Sitecore.Diagnostics;
using nClam;
namespace Sitecore.Sandbox.Security.Antivirus
{
public class ClamScanner : IScanner
{
private ClamClient Client { get; set; }
public ClamScanner(string server, string port)
: this(server, int.Parse(port))
{
}
public ClamScanner(string server, int port)
: this(new ClamClient(server, port))
{
}
public ClamScanner(ClamClient client)
{
SetClient(client);
}
private void SetClient(ClamClient client)
{
Assert.ArgumentNotNull(client, "client");
Client = client;
}
public ScanResult Scan(Stream sourceStream)
{
ScanResult result;
try
{
result = CreateNewScanResult(Client.SendAndScanFile(sourceStream));
}
catch (Exception ex)
{
result = CreateNewExceptionScanResult(ex);
}
return result;
}
public ScanResult Scan(string filePath)
{
ScanResult result;
try
{
result = CreateNewScanResult(Client.SendAndScanFile(filePath));
}
catch (Exception ex)
{
result = CreateNewExceptionScanResult(ex);
}
return result;
}
private static ScanResult CreateNewScanResult(ClamScanResult result)
{
Assert.ArgumentNotNull(result, "result");
if (result.Result == ClamScanResults.Clean)
{
return CreateNewScanResult("Yay! No Virus found!", ScanResultType.Clean);
}
if (result.Result == ClamScanResults.VirusDetected)
{
string message = string.Format("Oh no! The {0} virus was found!", result.InfectedFiles.First().VirusName);
return CreateNewScanResult(message, ScanResultType.VirusDetected);
}
if (result.Result == ClamScanResults.Error)
{
string message = string.Format("Something went terribly wrong somewhere. Details: {0}", result.RawResult);
return CreateNewScanResult(message, ScanResultType.Error);
}
return CreateNewScanResult("I have no clue about what just happened.", ScanResultType.Unknown);
}
private static ScanResult CreateNewExceptionScanResult(Exception ex)
{
string message = string.Format("Something went terribly wrong somewhere. Details:\n{0}", ex.ToString());
return CreateNewScanResult(ex.ToString(), ScanResultType.Error);
}
private static ScanResult CreateNewScanResult(string message, ScanResultType type)
{
return new ScanResult
{
Message = message,
ResultType = type
};
}
}
}
Methods in the above class make calls to the nClam library, and return a ScanResult intance containing detailed information about the file scan.
Next I developed the following <uiUpload> pipeline processor to use instances of classes that define the IScanner interface above, and these instances are set via Sitecore when instantiating this pipeline processor — the ClamScanner type is defined in the patch configuration file shown later in this post:
using System.IO;
using System.Web;
using Sitecore.Diagnostics;
using Sitecore.Globalization;
using Sitecore.Pipelines.Upload;
using Sitecore.Sandbox.Security.Antivirus;
namespace Sitecore.Sandbox.Pipelines.Upload
{
public class ScanForViruses
{
public void Process(UploadArgs args)
{
Assert.ArgumentNotNull(args, "args");
foreach (string fileKey in args.Files)
{
HttpPostedFile file = args.Files[fileKey];
ScanResult result = ScanFile(file.InputStream);
if(result.ResultType != ScanResultType.Clean)
{
args.ErrorText = Translate.Text(string.Format("The file \"{0}\" cannot be uploaded. Reason: {1}", file.FileName, result.Message));
Log.Warn(args.ErrorText, this);
args.AbortPipeline();
}
}
}
private ScanResult ScanFile(Stream fileStream)
{
Assert.ArgumentNotNull(fileStream, "fileStream");
return Scanner.Scan(fileStream);
}
private IScanner Scanner { get; set; }
}
}
Uploaded files are passed to the IScanner instance, and the pipeline is aborted if something isn’t quite right — this occurs when a virus is detected, or an error is reported by the IScanner instance. If a virus is discovered, or an error occurs, the message contained within the ScanResult instance is captured in the Sitecore log.
I then glued everything together using the following patch configuration file:
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
<sitecore>
<processors>
<uiUpload>
<processor mode="on" patch:before="processor[@type='Sitecore.Pipelines.Upload.CheckSize, Sitecore.Kernel']"
type="Sitecore.Sandbox.Pipelines.Upload.ScanForViruses, Sitecore.Sandbox">
<Scanner type="Sitecore.Sandbox.Security.Antivirus.ClamScanner">
<param desc="server">localhost</param>
<param desc="port">3310</param>
</Scanner>
</processor>
</uiUpload>
</processors>
</sitecore>
</configuration>
I wish I could show you this in action when a virus is discovered in an uploaded file. However, I cannot put my system at risk by testing with an infected file.
But, I can show you what happens when an error is detected. I will do this by shutting down the Clam Antivirus server on my machine:
On upload, I see the following:
When I opened up the Sitecore log, I see what the problem is:
Let’s turn it back on:
I can now upload files again:
If you have any suggestions on making this better, or know of a way to test it with a virus, please share in a comment below.
Choose Template Fields to Display in the Sitecore Content Editor
The other day I was going through search terms people had used to get to my blog, and discovered a few people made their way to my blog by searching for ‘sitecore hide sections in data template’.
I had built something like this in the past, but no longer remember how I had implemented that particular solution — not that I could show you that solution since it’s owned by a previous employer — and decided I would build another solution to accomplish this.
Before I move forward, I would like to point out that Sitecore MVP Andy Uzick wrote a blog post recently showing how to hide fields and sections in the content editor, though I did not have much luck with hiding sections in the way that he had done it — sections with no fields were still displaying for me in the content editor — and I decided to build a different solution altogether to make this work.
I thought it would be a good idea to let users turn this functionality on and off via a checkbox in the ribbon, and used some code from a previous post — in this post I had build an object to keep track of the state of a checkbox in the ribbon — as a model. In the spirit of that object, I defined the following interface:
namespace Sitecore.Sandbox.Utilities.ClientSettings
{
public interface IRegistrySettingToggle
{
bool IsOn();
void TurnOn();
void TurnOff();
}
}
I then created the following abstract class which implements the interface above, and stores the state of the setting defined by the given key — the key of the setting and the “on” value are passed to it via a subclass — in the Sitecore registry.
using Sitecore.Diagnostics;
using Sitecore.Web.UI.HtmlControls;
namespace Sitecore.Sandbox.Utilities.ClientSettings
{
public abstract class RegistrySettingToggle : IRegistrySettingToggle
{
private string RegistrySettingKey { get; set; }
private string RegistrySettingOnValue { get; set; }
protected RegistrySettingToggle(string registrySettingKey, string registrySettingOnValue)
{
SetRegistrySettingKey(registrySettingKey);
SetRegistrySettingOnValue(registrySettingOnValue);
}
private void SetRegistrySettingKey(string registrySettingKey)
{
Assert.ArgumentNotNullOrEmpty(registrySettingKey, "registrySettingKey");
RegistrySettingKey = registrySettingKey;
}
private void SetRegistrySettingOnValue(string registrySettingOnValue)
{
Assert.ArgumentNotNullOrEmpty(registrySettingOnValue, "registrySettingOnValue");
RegistrySettingOnValue = registrySettingOnValue;
}
public bool IsOn()
{
return Registry.GetString(RegistrySettingKey) == RegistrySettingOnValue;
}
public void TurnOn()
{
Registry.SetString(RegistrySettingKey, RegistrySettingOnValue);
}
public void TurnOff()
{
Registry.SetString(RegistrySettingKey, string.Empty);
}
}
}
I then built the following class to toggle the display settings for our displayable fields:
using System;
namespace Sitecore.Sandbox.Utilities.ClientSettings
{
public class ShowDisplayableFieldsOnly : RegistrySettingToggle
{
private const string RegistrySettingKey = "/Current_User/Content Editor/Show Displayable Fields Only";
private const string RegistrySettingOnValue = "on";
private static volatile IRegistrySettingToggle current;
private static object lockObject = new Object();
public static IRegistrySettingToggle Current
{
get
{
if (current == null)
{
lock (lockObject)
{
if (current == null)
{
current = new ShowDisplayableFieldsOnly();
}
}
}
return current;
}
}
private ShowDisplayableFieldsOnly()
: base(RegistrySettingKey, RegistrySettingOnValue)
{
}
}
}
It passes its Sitecore registry key and “on” state value to the RegistrySettingToggle base class, and employs the Singleton pattern — I saw no reason for there to be multiple instances of this object floating around.
In order to use a checkbox in the ribbon, we have to create a new command for it:
using System.Linq;
using Sitecore.Data.Items;
using Sitecore.Diagnostics;
using Sitecore.Shell.Framework.Commands;
using Sitecore.Sandbox.Utilities.ClientSettings;
namespace Sitecore.Sandbox.Commands
{
public class ToggleDisplayableFieldsVisibility : Command
{
public override void Execute(CommandContext context)
{
Assert.ArgumentNotNull(context, "context");
ToggleDisplayableFields();
Refresh(context);
}
private static void ToggleDisplayableFields()
{
IRegistrySettingToggle showDisplayableFieldsOnly = ShowDisplayableFieldsOnly.Current;
if (!showDisplayableFieldsOnly.IsOn())
{
showDisplayableFieldsOnly.TurnOn();
}
else
{
showDisplayableFieldsOnly.TurnOff();
}
}
public override CommandState QueryState(CommandContext context)
{
if (!ShowDisplayableFieldsOnly.Current.IsOn())
{
return CommandState.Enabled;
}
return CommandState.Down;
}
private static void Refresh(CommandContext context)
{
Refresh(GetItem(context));
}
private static void Refresh(Item item)
{
Assert.ArgumentNotNull(item, "item");
Context.ClientPage.ClientResponse.Timer(string.Format("item:load(id={0})", item.ID), 1);
}
private static Item GetItem(CommandContext context)
{
Assert.ArgumentNotNull(context, "context");
return context.Items.FirstOrDefault();
}
}
}
The command above leverages the instance of the ShowDisplayableFieldsOnly class defined above to turn the displayable fields feature on and off.
I followed the creation of the command above with the definition of the ribbon checkbox in the core database:
The command name above — which is set in the Click field — is defined in the patch configuration file towards the end of this post.
I then created the following data template with a TreelistEx field to store the displayable fields:
The TreelistEx field above will pull in all sections and their fields into the TreelistEx dialog, but only allow the selection of template fields, as is dictated by the following parameters that I have mapped in its Source field:
DataSource=/sitecore/templates/Sample/Sample Item&IncludeTemplatesForSelection=Template field&IncludeTemplatesForDisplay=Template section,Template field&AllowMultipleSelection=no
I then set this as a base template in my sandbox solution’s Sample Item template:
In order to remove fields, we need a <getContentEditorFields> pipeline processor. I built the following class for to serve as one:
using System;
using Sitecore.Configuration;
using Sitecore.Data.Fields;
using Sitecore.Data.Items;
using Sitecore.Data.Managers;
using Sitecore.Data.Templates;
using Sitecore.Diagnostics;
using Sitecore.Shell.Applications.ContentManager;
using Sitecore.Shell.Applications.ContentEditor.Pipelines.GetContentEditorFields;
using Sitecore.Sandbox.Utilities.ClientSettings;
namespace Sitecore.Sandbox.Shell.Applications.ContentEditor.Pipelines.GetContentEditorFields
{
public class RemoveUndisplayableFields
{
public void Process(GetContentEditorFieldsArgs args)
{
Assert.ArgumentNotNull(args, "args");
Assert.ArgumentNotNull(args.Item, "args.Item");
Assert.ArgumentCondition(!string.IsNullOrWhiteSpace(DisplayableFieldsFieldName), "DisplayableFieldsFieldName", "DisplayableFieldsFieldName must be set in the configuration file!");
if (!ShowDisplayableFieldsOnly.Current.IsOn())
{
return;
}
foreach (Editor.Section section in args.Sections)
{
AddDisplayableFields(args.Item[DisplayableFieldsFieldName], section);
}
}
private void AddDisplayableFields(string displayableFieldIds, Editor.Section section)
{
Editor.Fields displayableFields = new Editor.Fields();
foreach (Editor.Field field in section.Fields)
{
if (IsDisplayableField(displayableFieldIds, field))
{
displayableFields.Add(field);
}
}
section.Fields.Clear();
section.Fields.AddRange(displayableFields);
}
private bool IsDisplayableField(string displayableFieldIds, Editor.Field field)
{
if (IsStandardValues(field.ItemField.Item))
{
return true;
}
if (IsDisplayableFieldsField(field.ItemField))
{
return false;
}
return IsStandardTemplateField(field.ItemField)
|| string.IsNullOrWhiteSpace(displayableFieldIds)
|| displayableFieldIds.Contains(field.ItemField.ID.ToString());
}
private bool IsDisplayableFieldsField(Field field)
{
return string.Equals(field.Name, DisplayableFieldsFieldName, StringComparison.CurrentCultureIgnoreCase);
}
private static bool IsStandardValues(Item item)
{
if (item.Template.StandardValues != null)
{
return item.Template.StandardValues.ID == item.ID;
}
return false;
}
private bool IsStandardTemplateField(Field field)
{
Assert.IsNotNull(StandardTemplate, "The Stardard Template could not be found.");
return StandardTemplate.ContainsField(field.ID);
}
private static Template GetStandardTemplate()
{
return TemplateManager.GetTemplate(Settings.DefaultBaseTemplate, Context.ContentDatabase);
}
private Template _StandardTemplate;
private Template StandardTemplate
{
get
{
if (_StandardTemplate == null)
{
_StandardTemplate = GetStandardTemplate();
}
return _StandardTemplate;
}
}
private string DisplayableFieldsFieldName { get; set; }
}
}
The class above iterates over all fields for the supplied item, and adds only those that were selected in the Displayable Fields TreelistEx field, and also Standard Fields — we don’t want to remove these since they are shown/hidden by the Standard Fields feature in Sitecore — to a new Editor.Fields collection. This new collection is then set on the GetContentEditorFieldsArgs instance.
Plus, we don’t want to show the Displayable Fields TreelistEx field when the feature is turned on, and we are on an item. This field should only display when we are on the standard values item when the feature is turned on — this is how we will choose our displayable fields.
Now we have to handle sections without fields — especially after ripping them out via the pipeline processor above.
I built the following class to serve as a <renderContentEditor> pipeline processor to do this:
using System.Linq;
using Sitecore.Diagnostics;
using Sitecore.Shell.Applications.ContentManager;
using Sitecore.Shell.Applications.ContentEditor.Pipelines.RenderContentEditor;
namespace Sitecore.Sandbox.Shell.Applications.ContentEditor.Pipelines.RenderContentEditor
{
public class FilterSectionsWithFields
{
public void Process(RenderContentEditorArgs args)
{
Assert.ArgumentNotNull(args, "args");
args.Sections = GetSectionsWithFields(args.Sections);
}
private static Editor.Sections GetSectionsWithFields(Editor.Sections sections)
{
Assert.ArgumentNotNull(sections, "sections");
Editor.Sections sectionsWithFields = new Editor.Sections();
foreach (Editor.Section section in sections)
{
AddIfContainsFields(sectionsWithFields, section);
}
return sectionsWithFields;
}
private static void AddIfContainsFields(Editor.Sections sections, Editor.Section section)
{
Assert.ArgumentNotNull(sections, "sections");
Assert.ArgumentNotNull(section, "section");
if (!ContainsFields(section))
{
return;
}
sections.Add(section);
}
private static bool ContainsFields(Editor.Section section)
{
Assert.ArgumentNotNull(section, "section");
return section.Fields != null && section.Fields.Any();
}
}
}
It basically builds a new collection of sections that contain at least one field, and sets it on the RenderContentEditorArgs instance being passed through the <renderContentEditor> pipeline.
In order for this to work, we must make this pipeline processor run before all other processors.
I tied all of the above together with the following patch configuration file:
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
<sitecore>
<commands>
<command name="contenteditor:ToggleDisplayableFieldsVisibility" type="Sitecore.Sandbox.Commands.ToggleDisplayableFieldsVisibility, Sitecore.Sandbox"/>
</commands>
<pipelines>
<getContentEditorFields>
<processor type="Sitecore.Sandbox.Shell.Applications.ContentEditor.Pipelines.GetContentEditorFields.RemoveUndisplayableFields, Sitecore.Sandbox">
<DisplayableFieldsFieldName>Displayable Fields</DisplayableFieldsFieldName>
</processor>
</getContentEditorFields>
<renderContentEditor>
<processor patch:before="processor[@type='Sitecore.Shell.Applications.ContentEditor.Pipelines.RenderContentEditor.RenderSkinedContentEditor, Sitecore.Client']"
type="Sitecore.Sandbox.Shell.Applications.ContentEditor.Pipelines.RenderContentEditor.FilterSectionsWithFields, Sitecore.Sandbox"/>
</renderContentEditor>
</pipelines>
</sitecore>
</configuration>
Let’s try this out.
I navigated to the standard values item for my Sample Item data template, and selected the fields I want to display in the content editor:
I then went to an item that uses this data template, and turned on the displayable fields feature:
As you can see, only the fields we had chosen display — along with standard fields since the Standard Fields checkbox is checked.
I then turned off the displayable fields feature:
Now all fields for the item display.
I then turned the displayable fields feature back on, and turned off Standard Fields:
Now only our selected fields display.
If you have any thoughts on this, or ideas around making this better, please share in a comment.
SitecoreJunkie.com 