161 lines
4.6 KiB
TypeScript
161 lines
4.6 KiB
TypeScript
|
import { Email } from '../mail/core/classes.email.js';
|
||
|
|
/**
|
||
|
|
* Scan result information
|
||
|
|
*/
|
||
|
|
export interface IScanResult {
|
||
|
|
isClean: boolean;
|
||
|
|
threatType?: string;
|
||
|
|
threatDetails?: string;
|
||
|
|
threatScore: number;
|
||
|
|
scannedElements: string[];
|
||
|
|
timestamp: number;
|
||
|
|
}
|
||
|
|
/**
|
||
|
|
* Options for content scanner configuration
|
||
|
|
*/
|
||
|
|
export interface IContentScannerOptions {
|
||
|
|
maxCacheSize?: number;
|
||
|
|
cacheTTL?: number;
|
||
|
|
scanSubject?: boolean;
|
||
|
|
scanBody?: boolean;
|
||
|
|
scanAttachments?: boolean;
|
||
|
|
maxAttachmentSizeToScan?: number;
|
||
|
|
scanAttachmentNames?: boolean;
|
||
|
|
blockExecutables?: boolean;
|
||
|
|
blockMacros?: boolean;
|
||
|
|
customRules?: Array<{
|
||
|
|
pattern: string | RegExp;
|
||
|
|
type: string;
|
||
|
|
score: number;
|
||
|
|
description: string;
|
||
|
|
}>;
|
||
|
|
minThreatScore?: number;
|
||
|
|
highThreatScore?: number;
|
||
|
|
}
|
||
|
|
/**
|
||
|
|
* Threat categories
|
||
|
|
*/
|
||
|
|
export declare enum ThreatCategory {
|
||
|
|
SPAM = "spam",
|
||
|
|
PHISHING = "phishing",
|
||
|
|
MALWARE = "malware",
|
||
|
|
EXECUTABLE = "executable",
|
||
|
|
SUSPICIOUS_LINK = "suspicious_link",
|
||
|
|
MALICIOUS_MACRO = "malicious_macro",
|
||
|
|
XSS = "xss",
|
||
|
|
SENSITIVE_DATA = "sensitive_data",
|
||
|
|
BLACKLISTED_CONTENT = "blacklisted_content",
|
||
|
|
CUSTOM_RULE = "custom_rule"
|
||
|
|
}
|
||
|
|
/**
|
||
|
|
* Content Scanner for detecting malicious email content
|
||
|
|
*/
|
||
|
|
export declare class ContentScanner {
|
||
|
|
private static instance;
|
||
|
|
private scanCache;
|
||
|
|
private options;
|
||
|
|
private static readonly MALICIOUS_PATTERNS;
|
||
|
|
private static readonly EXECUTABLE_EXTENSIONS;
|
||
|
|
private static readonly MACRO_DOCUMENT_EXTENSIONS;
|
||
|
|
/**
|
||
|
|
* Default options for the content scanner
|
||
|
|
*/
|
||
|
|
private static readonly DEFAULT_OPTIONS;
|
||
|
|
/**
|
||
|
|
* Constructor for the ContentScanner
|
||
|
|
* @param options Configuration options
|
||
|
|
*/
|
||
|
|
constructor(options?: IContentScannerOptions);
|
||
|
|
/**
|
||
|
|
* Get the singleton instance of the scanner
|
||
|
|
* @param options Configuration options
|
||
|
|
* @returns Singleton scanner instance
|
||
|
|
*/
|
||
|
|
static getInstance(options?: IContentScannerOptions): ContentScanner;
|
||
|
|
/**
|
||
|
|
* Scan an email for malicious content
|
||
|
|
* @param email The email to scan
|
||
|
|
* @returns Scan result
|
||
|
|
*/
|
||
|
|
scanEmail(email: Email): Promise<IScanResult>;
|
||
|
|
/**
|
||
|
|
* Generate a cache key from an email
|
||
|
|
* @param email The email to generate a key for
|
||
|
|
* @returns Cache key
|
||
|
|
*/
|
||
|
|
private generateCacheKey;
|
||
|
|
/**
|
||
|
|
* Scan email subject for threats
|
||
|
|
* @param subject The subject to scan
|
||
|
|
* @param result The scan result to update
|
||
|
|
*/
|
||
|
|
private scanSubject;
|
||
|
|
/**
|
||
|
|
* Scan plain text content for threats
|
||
|
|
* @param text The text content to scan
|
||
|
|
* @param result The scan result to update
|
||
|
|
*/
|
||
|
|
private scanTextContent;
|
||
|
|
/**
|
||
|
|
* Scan HTML content for threats
|
||
|
|
* @param html The HTML content to scan
|
||
|
|
* @param result The scan result to update
|
||
|
|
*/
|
||
|
|
private scanHtmlContent;
|
||
|
|
/**
|
||
|
|
* Scan an attachment for threats
|
||
|
|
* @param attachment The attachment to scan
|
||
|
|
* @param result The scan result to update
|
||
|
|
*/
|
||
|
|
private scanAttachment;
|
||
|
|
/**
|
||
|
|
* Extract links from HTML content
|
||
|
|
* @param html HTML content
|
||
|
|
* @returns Array of extracted links
|
||
|
|
*/
|
||
|
|
private extractLinksFromHtml;
|
||
|
|
/**
|
||
|
|
* Extract plain text from HTML
|
||
|
|
* @param html HTML content
|
||
|
|
* @returns Extracted text
|
||
|
|
*/
|
||
|
|
private extractTextFromHtml;
|
||
|
|
/**
|
||
|
|
* Extract text from a binary buffer for scanning
|
||
|
|
* @param buffer Binary content
|
||
|
|
* @returns Extracted text (may be partial)
|
||
|
|
*/
|
||
|
|
private extractTextFromBuffer;
|
||
|
|
/**
|
||
|
|
* Check if an Office document likely contains macros
|
||
|
|
* This is a simplified check - real implementation would use specialized libraries
|
||
|
|
* @param attachment The attachment to check
|
||
|
|
* @returns Whether the file likely contains macros
|
||
|
|
*/
|
||
|
|
private likelyContainsMacros;
|
||
|
|
/**
|
||
|
|
* Map a pattern category to a threat type
|
||
|
|
* @param category The pattern category
|
||
|
|
* @returns The corresponding threat type
|
||
|
|
*/
|
||
|
|
private mapCategoryToThreatType;
|
||
|
|
/**
|
||
|
|
* Log a high threat finding to the security logger
|
||
|
|
* @param email The email containing the threat
|
||
|
|
* @param result The scan result
|
||
|
|
*/
|
||
|
|
private logHighThreatFound;
|
||
|
|
/**
|
||
|
|
* Log a threat finding to the security logger
|
||
|
|
* @param email The email containing the threat
|
||
|
|
* @param result The scan result
|
||
|
|
*/
|
||
|
|
private logThreatFound;
|
||
|
|
/**
|
||
|
|
* Get threat level description based on score
|
||
|
|
* @param score Threat score
|
||
|
|
* @returns Threat level description
|
||
|
|
*/
|
||
|
|
static getThreatLevel(score: number): 'none' | 'low' | 'medium' | 'high';
|
||
|
|
}
|