commit 2fa0319: [Minor] Add rules that observes limits in pdf files

Vsevolod Stakhov vsevolod at highsecure.ru
Fri May 22 13:07:08 UTC 2020


Author: Vsevolod Stakhov
Date: 2020-05-22 13:02:32 +0100
URL: https://github.com/rspamd/rspamd/commit/2fa03199e4bcf3d323d5c94ec7a16bb2890e0354

[Minor] Add rules that observes limits in pdf files

---
 conf/scores.d/content_group.conf | 40 +++++++++++++++++++++++++---------------
 rules/content.lua                | 27 ++++++++++++++++++++++++---
 2 files changed, 49 insertions(+), 18 deletions(-)

diff --git a/conf/scores.d/content_group.conf b/conf/scores.d/content_group.conf
index b53ec31d0..6a011b938 100644
--- a/conf/scores.d/content_group.conf
+++ b/conf/scores.d/content_group.conf
@@ -18,20 +18,30 @@
 description = "Content rules";
 
 symbols = {
-    "PDF_ENCRYPTED" {
-        weight = 0.3;
-        description = "There is an encrypted PDF in the message";
-        one_shot = true;
-    }
-    "PDF_JAVASCRIPT" {
-        weight = 0.1;
-        description = "There is an PDF with JavaScript in the message";
-        one_shot = true;
-    }
-    "PDF_SUSPICIOUS" {
-        weight = 4.5;
-        description = "There is an PDF with suspicious properties in the message";
-        one_shot = true;
-    }
+  "PDF_ENCRYPTED" {
+    weight = 0.3;
+    description = "There is an encrypted PDF in the message";
+    one_shot = true;
+  }
+  "PDF_JAVASCRIPT" {
+    weight = 0.1;
+    description = "There is an PDF with JavaScript in the message";
+    one_shot = true;
+  }
+  "PDF_SUSPICIOUS" {
+    weight = 4.5;
+    description = "There is an PDF with suspicious properties in the message";
+    one_shot = true;
+  }
+  "PDF_LONG_TRAILER" {
+    weight = 0.2;
+    description = "There is an PDF with a long trailer";
+    one_shot = true;
+  }
+  "PDF_MANY_OBJECTS" {
+    weight = 0;
+    description = "There is a PDF file with too many objects";
+    one_shot = true;
+  }
 }
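Review bot: `PDF_MANY_OBJECTS` is added with `weight = 0`, so it never contributes to the score, and nothing in the file says whether that is intentional. If it is meant to be informational until the limit is tuned, a comment such as `# informational only, no score impact yet` above the entry would stop it from being read as an oversight. The new `PDF_LONG_TRAILER` description also repeats the "an PDF" wording while `PDF_MANY_OBJECTS` uses "a PDF file"; `description = "There is a PDF with a long trailer";` would be consistent. The hunk also re-indents the three existing entries, which makes the two real additions harder to spot in review.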
 
diff --git a/rules/content.lua b/rules/content.lua
index 1f591c2d7..5bdc46c25 100644
--- a/rules/content.lua
+++ b/rules/content.lua
@@ -17,7 +17,7 @@ limitations under the License.
 local function process_pdf_specific(task, part, specific)
   local suspicious_factor = 0
   if specific.encrypted then
-    task:insert_result('PDF_ENCRYPTED', 1.0, part:get_filename())
+    task:insert_result('PDF_ENCRYPTED', 1.0, part:get_filename() or 'unknown')
     suspicious_factor = suspicious_factor + 0.1
     if specific.openaction then
       suspicious_factor = suspicious_factor + 0.5
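Review bot: `part:get_filename() or 'unknown'` is now repeated at every `insert_result` call in `process_pdf_specific` (here and in the hunks at -25,7 and -35,7). Resolving it once at the top of the function, `local fname = part:get_filename() or 'unknown'`, keeps the fallback in one place and avoids calling the accessor up to five times per part. A one-line comment that the name comes from the message and may be absent would also explain why the fallback exists. The function body continues past this hunk.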
@@ -25,7 +25,7 @@ local function process_pdf_specific(task, part, specific)
   end
 
   if specific.scripts then
-    task:insert_result('PDF_JAVASCRIPT', 1.0, part:get_filename())
+    task:insert_result('PDF_JAVASCRIPT', 1.0, part:get_filename() or 'unknown')
     suspicious_factor = suspicious_factor + 0.1
   end
 
@@ -35,7 +35,16 @@ local function process_pdf_specific(task, part, specific)
 
   if suspicious_factor > 0.5 then
     if suspicious_factor > 1.0 then suspicious_factor = 1.0 end
-    task:insert_result('PDF_SUSPICIOUS', suspicious_factor, part:get_filename())
+    task:insert_result('PDF_SUSPICIOUS', suspicious_factor, part:get_filename() or 'unknown')
+  end
+
+  if specific.long_trailer then
+    task:insert_result('PDF_LONG_TRAILER', 1.0, string.format('%s:%d',
+        part:get_filename() or 'unknown', specific.long_trailer))
+  end
+  if specific.many_objects then
+    task:insert_result('PDF_MANY_OBJECTS', 1.0, string.format('%s:%d',
+        part:get_filename() or 'unknown', specific.many_objects))
   end
 end
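Review bot: The `%d` conversions in the two new `string.format` calls assume `specific.long_trailer` and `specific.many_objects` are integers, but the guards only test truthiness. The PDF parser that sets these fields is not visible here; if it ever stores `true` or a non-integral number, `string.format` raises (for a boolean on any Lua, for a non-integral number on Lua 5.3+) and the callback aborts while processing a sender-supplied attachment. Either guard with `type(specific.long_trailer) == 'number'` or format defensively, e.g. `string.format('%s:%s', part:get_filename() or 'unknown', tostring(specific.long_trailer))`. The filename itself comes from the message, so it is worth confirming that symbol options are length-limited or sanitised downstream before they reach logs and headers. The function starts outside this hunk.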
 
@@ -83,3 +92,15 @@ rspamd_config:register_symbol{
   parent = id,
   groups = {"content", "pdf"},
 }
+rspamd_config:register_symbol{
+  type = 'virtual',
+  name = 'PDF_LONG_TRAILER',
+  parent = id,
+  groups = {"content", "pdf"},
+}
+rspamd_config:register_symbol{
+  type = 'virtual',
+  name = 'PDF_MANY_OBJECTS',
+  parent = id,
+  groups = {"content", "pdf"},
+}

