
Update package versions and remove need for cloud-run-proxy
Implement a reverse authenticating proxy in node.
Fixes multiple CVEs
nielm committed Nov 24, 2023
1 parent 0cf80e6 commit 0064bcc
Showing 8 changed files with 505 additions and 3,065 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -33,6 +33,7 @@ Run and Eventarc.
* 2023-06-20 v2.1.0 Resolve #46 where docker build failed, and #50 where pip3
installs failed
* 2023-11-22 v2.2.0 Add support for using environmental variables in the config.json file.
* 2023-11-23 v2.3.0 Remove need for cloud-run-proxy, and update versions of packages. Fixes multiple CVEs.

## Upgrading from v1.x to v2.x

8 changes: 1 addition & 7 deletions cloudrun-malware-scanner/Dockerfile
Expand Up @@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.

FROM node:20
FROM node:21
WORKDIR /app
COPY . /app
COPY config.json /app
Expand Down Expand Up @@ -70,12 +70,6 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
gcloud --version && \
truncate -s 0 /var/log/apt/*.log /var/log/*.log

# Get the cloud-run-proxy tool
RUN CLOUD_RUN_PROXY_VERSION=0.3.0 && \
curl -s -L \
https://github.com/GoogleCloudPlatform/cloud-run-proxy/releases/download/v${CLOUD_RUN_PROXY_VERSION}/cloud-run-proxy_${CLOUD_RUN_PROXY_VERSION}_linux_amd64.tar.gz | \
tar -zxf - cloud-run-proxy

# Get all required node.js dependencies
RUN npm install --omit=dev

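Review bot: `FROM node:21` in the first hunk moves the base image from an even-numbered Node LTS line to an odd-numbered release line, which gets a much shorter support window than node:20, so the CVE-driven motivation of this commit may be undone once that line stops receiving fixes; `FROM node:20` (or the next LTS) is the safer choice for an image that is rebuilt infrequently. The tag is also unpinned, so two builds of the same Dockerfile can pull different base images; pinning with a digest, `FROM node:20@sha256:<digest from the registry>`, makes the base reproducible and turns base-image upgrades into deliberate, reviewable changes.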
20 changes: 7 additions & 13 deletions cloudrun-malware-scanner/bootstrap.sh
Expand Up @@ -47,18 +47,12 @@ apt-get -qqy install --no-install-recommends clamav-daemon clamav-freshclam
export PATH="$PATH:$HOME/.local/bin" # add pipx locations to path.
pipx install cvdupdate

# Set up an authentication proxy server to point to GCS CVD Mirror bucket, and to
# restart with a fresh token every 50 mins because access tokens expire after 1hr
AUTH_SERVER_ADDRESS=127.0.0.1:8001
while true ; do
Log INFO main "Restarting authentication proxy service"
./cloud-run-proxy \
-host https://storage.googleapis.com/ \
-token "$(gcloud auth print-access-token)" \
-bind "${AUTH_SERVER_ADDRESS}" \
-server-up-time 50m
done &

# The node server includes a reverse proxy which adds authentication
# to requests to GCS REST API, allowing freshclam to access the GCS
# CVD mirror as if it was an unauthenticated HTPP server
#
export PROXY_PORT=8888
PROXY_SERVER_ADDRESS=127.0.0.1:${PROXY_PORT}

# Ensure clamav services are shut down, as we do not have the config files set up yet.
service clamav-daemon stop &
Expand Down Expand Up @@ -140,7 +134,7 @@ EOF
updateClamConfigFile /etc/clamav/freshclam.conf << EOF
# DatabaseMirror specifies to which mirror(s) freshclam should connect.
# Set to the authentication proxy service which proxys to the GCS API.
DatabaseMirror http://${AUTH_SERVER_ADDRESS}/${CVD_MIRROR_BUCKET}/cvds
DatabaseMirror http://${PROXY_SERVER_ADDRESS}/${CVD_MIRROR_BUCKET}/cvds
# Number of database checks per day.
# Once per half hour, which is fine as we are using a local mirror.
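Review bot: `PROXY_SERVER_ADDRESS=127.0.0.1:${PROXY_PORT}` in the first hunk only tells freshclam where to connect; the listen address of the node proxy itself is set in the node server, which this commit does not show, so it is worth confirming there that it binds to loopback only, since a proxy that attaches the container's credentials to every request it forwards must not be reachable from outside the container. A comment here would make that contract explicit for the next maintainer, e.g. `# Loopback only: the node proxy adds credentials to every request it forwards, so it must never listen on a non-local interface`. The new comment block in the same hunk also has a typo, `HTPP` for `HTTP`.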
4 changes: 2 additions & 2 deletions cloudrun-malware-scanner/logger.js
Expand Up @@ -24,8 +24,8 @@ const pkgJson = require('./package.json');
const loggingBunyan = new LoggingBunyan({
redirectToStdout: true,
projectId: process.env.PROJECT_ID,
logName: "malware-scanner",
useMessageField: false
logName: 'malware-scanner',
useMessageField: false,
});

exports.logger = bunyan.createLogger({
29 changes: 15 additions & 14 deletions cloudrun-malware-scanner/metrics.js
Expand Up @@ -98,21 +98,21 @@ function writeScanCompletedMetric_(measure, sourceBucket, destinationBucket,

/**
* Writes metrics when a CVD Mirror Update occurs.
*
*
* @param {boolean} success
* @param {boolean} isUpdated
*/
function writeCvdMirrorUpdatedMetric(success, isUpdated) {
function writeCvdMirrorUpdatedMetric(success, isUpdated) {
const tags = new TagMap();
tags.set(TAGS.cloudRunRevision, {value: process.env.K_REVISION});
tags.set(TAGS.cvdUpdateStatus,
{value: (
tags.set(TAGS.cvdUpdateStatus,
{value: (
success ? (
isUpdated ? "SUCCESS_UPDATED" : "SUCCESS_NO_UPDATES" )
: "FAILURE" )});
isUpdated ? 'SUCCESS_UPDATED' : 'SUCCESS_NO_UPDATES' ) :
'FAILURE' )});
globalStats.record(
[{ measure: METRICS.cvdUpdates, value: 1}],
tags);
[{measure: METRICS.cvdUpdates, value: 1}],
tags);
}

/**
Expand All @@ -134,8 +134,8 @@ async function initMetrics(projectId) {
TAGS.clamVersion,
TAGS.cloudRunRevision,
TAGS.sourceBucket,
TAGS.destinationBucket
]
TAGS.destinationBucket,
];

METRICS.cleanFiles = globalStats.createMeasureInt64(
METRIC_TYPE_ROOT + 'clean-files', MeasureUnit.UNIT,
Expand Down Expand Up @@ -183,7 +183,8 @@ async function initMetrics(projectId) {
'The scan duration in milliseconds');
const scanDurationView = globalStats.createView(
METRICS.scanDuration.name, METRICS.scanDuration,
AggregationType.DISTRIBUTION, fileScanTags, 'Duration spent scanning files',
AggregationType.DISTRIBUTION, fileScanTags,
'Duration spent scanning files',
// Bucket Boundaries in ms
[
0,
Expand All @@ -203,12 +204,12 @@ async function initMetrics(projectId) {
globalStats.registerView(scanDurationView);

METRICS.cvdUpdates = globalStats.createMeasureInt64(
METRIC_TYPE_ROOT + 'cvd-mirror-updates', MeasureUnit.UNIT,
'Number of CVD mirror Update Checks performed');
METRIC_TYPE_ROOT + 'cvd-mirror-updates', MeasureUnit.UNIT,
'Number of CVD mirror Update Checks performed');

const cvdUpdatesView = globalStats.createView(
METRICS.cvdUpdates.name, METRICS.cvdUpdates,
AggregationType.COUNT,
AggregationType.COUNT,
[TAGS.cloudRunRevision, TAGS.cvdUpdateStatus],
'Number of CVD mirror update checks performed with their status');
globalStats.registerView(cvdUpdatesView);
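Review bot: The `@param` tags on `writeCvdMirrorUpdatedMetric` in the first hunk carry a type but no description, while the body shows exactly how the two booleans combine into the status tag; spelling that out saves the reader a trip through the nested ternary. Suggested: `@param {boolean} success - false records the check as FAILURE` and `@param {boolean} isUpdated - when success is true, selects SUCCESS_UPDATED over SUCCESS_NO_UPDATES`. The remaining hunks in this section are formatting only.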
