sshmitm.plugins.sftp.check_file module
- class sshmitm.plugins.sftp.check_file.ClamAVClient(socket_path='/tmp/clamd.sock')
Bases:
object- Parameters:
socket_path (
str, default:'/tmp/clamd.sock')
- __init__(socket_path='/tmp/clamd.sock')
- Parameters:
socket_path (
str, default:'/tmp/clamd.sock')
- instream(data, chunk_size=1024)
- Parameters:
data (
bytes)chunk_size (
int, default:1024)
- Return type:
str
- class sshmitm.plugins.sftp.check_file.SFTPHandlerCheckFilePlugin(sftp, filename)
Bases:
SFTPHandlerPluginScans SFTP-transferred files with ClamAV before forwarding them.
All file data is buffered in memory during the transfer. On uploads, the complete content is scanned via the ClamAV INSTREAM protocol before being written to the remote server. On downloads, the remote file is fetched and scanned before being served to the client. Transfers that fail the scan are blocked with a permission-denied error.
Usage example
Requires a running ClamAV daemon with a Unix socket:
ssh-mitm server --sftp-handler check_file --clamav-socket /tmp/clamd.sock
Notes
ClamAV must be reachable via the configured socket; if the connection fails the transfer is blocked as a precaution.
The entire file is held in memory — avoid this plugin for very large files without sufficient RAM.
Both uploads and downloads are scanned.
- Parameters:
sftp (
SFTPBaseHandle)filename (
str)
- class SFTPInterface(serverinterface)
Bases:
SFTPProxyServerInterface- Parameters:
serverinterface (
BaseServerInterface)
- open(path, flags, attr)
Open a file on the server and create a handle for future operations on that file. On success, a new object subclassed from .SFTPHandle should be returned. This handle will be used for future operations on the file (read, write, etc). On failure, an error code such as
SFTP_PERMISSION_DENIEDshould be returned.flagscontains the requested mode for opening (read-only, write-append, etc) as a bitset of flags from theosmodule:os.O_RDONLYos.O_WRONLYos.O_RDWRos.O_APPENDos.O_CREATos.O_TRUNCos.O_EXCL
(One of
os.O_RDONLY,os.O_WRONLY, oros.O_RDWRwill always be set.)The
attrobject contains requested attributes of the file if it has to be created. Some or all attribute fields may be missing if the client didn’t specify them.Note
The SFTP protocol defines all files to be in “binary” mode. There is no equivalent to Python’s “text” mode.
- Parameters:
path (
str) – the requested path (relative or absolute) of the file to be opened.flags (
int) – flags or’d together from theosmodule indicating the requested mode for opening the file.attr (
SFTPAttributes) – requested attributes of the file if it is newly created.path
flags
attr
- Return type:
SFTPHandle|int- Returns:
a new .SFTPHandle or error code.
- __init__(sftp, filename)
Initializes the in-memory buffer and logs the start of the transfer.
- Parameters:
sftp (
SFTPBaseHandle) – the SFTP file handle for the intercepted transfer.filename (
str) – the original filename as requested by the client.
- check_file()
Scan the buffered file with ClamAV via INSTREAM
- Return type:
bool
- close()
- Return type:
None
- classmethod get_interface()
- Return type:
type[BaseSFTPServerInterface] |None
- handle_data(data, *, offset=None, length=None)
- Parameters:
data (
bytes)offset (
int|None, default:None)length (
int|None, default:None)
- Return type:
bytes
- classmethod parser_arguments()
- Return type:
None