feat: Allow connection to clamd through a TLS proxy

.github/workflows/test.yml

@@ -7,10 +7,10 @@ on:
       - master
 jobs:
   test:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
     strategy:
       matrix:
-        node-version: [12,13,14,15,16,17]
+        node-version: [12,13,14,15,16,17,18,19]
     steps:
       - name: Update Apt
         run: sudo apt-get update
@@ -24,13 +24,31 @@ jobs:
         run: sudo systemctl restart clamav-daemon
       - name: Chill for 30 seconds again
         run: sleep 30
+      - name: Install OpenSSL
+        run: sudo apt-get install openssl
+      - name: Generate Key Pair for TLS
+        run: openssl req -new -sha256 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost" -newkey ed25519 -keyout key.pem -nodes -x509 -days 365 -out cert.pem
+      - name: Install stunnel
+        run: sudo apt-get install stunnel4
+      - name: Install / Trust certificate
+        run: |
+          sudo cp cert.pem /usr/local/share/ca-certificates/snakeoil.crt
+          sudo update-ca-certificates
+          sudo cp cert.pem /etc/stunnel/cert.pem
+          sudo cp key.pem /etc/stunnel/key.pem
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
+      - name: Set stunnel config
+        run: sudo cp tests/stunnel.conf /etc/stunnel/
+      - name: Restart stunnel
+        run: sudo /etc/init.d/stunnel4 restart
+      - name: Open ~ for all users to read
+        run: chmod 755 ~
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
       - name: Install dependencies
-        run: npm install
+        run: npm ci
       - name: Run tests
         run: npm test

README.md

@@ -131,6 +131,7 @@ const ClamScan = new NodeClam().init({
         reloadDb: false, // If true, will re-load the DB on every call (slow)
         active: true, // If true, this module will consider using the clamdscan binary
         bypassTest: false, // Check to see if socket is available when applicable
+        tls: false, // Use plaintext TCP to connect to clamd
     },
     preference: 'clamdscan' // If clamdscan is found and active, it will be used by default
 });
@@ -165,6 +166,7 @@ const ClamScan = new NodeClam().init({
         reloadDb: true, // You want your scans to run slow like with clamscan
         active: false, // you don't want to use this at all because it's evil
         bypassTest: true, // Don't check to see if socket is available. You should probably never set this to true.
+        tls: true, // Connect to clamd over TLS
     },
     preference: 'clamscan' // If clamscan is found and active, it will be used by default
 });

index.js

@@ -11,6 +11,7 @@ const os = require('os');
 const net = require('net');
 const fs = require('fs');
 const nodePath = require('path'); // renamed to prevent conflicts in `scanDir`
+const tls = require('tls');
 const { promisify } = require('util');
 const { execFile } = require('child_process');
 const { PassThrough, Transform, Readable } = require('stream');
@@ -70,6 +71,7 @@ class NodeClam {
                 reloadDb: false,
                 active: true,
                 bypassTest: false,
+                tls: false,
             },
             preference: this.defaultScanner,
         });
@@ -104,6 +106,7 @@ class NodeClam {
      * @param {boolean} [options.clamdscan.reloadDb=false] - If true, will re-load the DB on ever call (slow)
      * @param {boolean} [options.clamdscan.active=true] - If true, this module will consider using the `clamdscan` binary
      * @param {boolean} [options.clamdscan.bypassTest=false] - If true, check to see if socket is avaliable
+     * @param {boolean} [options.clamdscan.tls=false] - If true, connect to a TLS-Termination proxy in front of ClamAV
      * @param {object} [options.preference='clamdscan'] - If preferred binary is found and active, it will be used by default
      * @param {Function} [cb] - Callback method. Prototype: `(err, <instance of NodeClam>)`
      * @returns {Promise<object>} An initated instance of NodeClam
@@ -525,14 +528,26 @@ class NodeClam {
             else if (this.settings.clamdscan.port) {
                 // If a host is specified (usually for a remote host)
                 if (this.settings.clamdscan.host) {
-                    client = net.createConnection({
-                        host: this.settings.clamdscan.host,
-                        port: this.settings.clamdscan.port,
-                        timeout,
-                    });
+                    if (this.settings.clamdscan.tls) {
+                        client = tls.connect({
+                            host: this.settings.clamdscan.host,
+                            port: this.settings.clamdscan.port,
+                            // Activate SNI
+                            servername: this.settings.clamdscan.host,
+                            timeout,
+                        });
+                    } else {
+                        client = net.createConnection({
+                            host: this.settings.clamdscan.host,
+                            port: this.settings.clamdscan.port,
+                            timeout,
+                        });
+                    }
                 }
                 // Host can be ignored since the default is `localhost`
-                else {
+                else if (this.settings.tls) {
+                    client = tls.connect({ port: this.settings.clamdscan.port, timeout });
+                } else {
                     client = net.createConnection({ port: this.settings.clamdscan.port, timeout });
                 }
             }