feat: Add configurable command whitelist

fix: Correctly log client address in proxy

fix: Remove pointers from logging statements in proxy.go

Refactor: Improve logging and remove unnecessary pointer dereferences

fix: Correct logging of client address and connection closure

fix: Correct log level for backend connection closure

Improve logging

Author: miklosn

README.md

@@ -72,6 +72,7 @@ clamdproxy --listen 127.0.0.1:3310 --backend 127.0.0.1:3311
 - `--backend`: Address of the backend clamd server (default: 127.0.0.1:3311)
 - `--log-level`: Logging level: debug, info, warn, error (default: warn)
 - `--pprof`: Address for pprof HTTP server (disabled if empty)
+- `--allow-command`: ClamAV command to allow (can be specified multiple times). If not specified, defaults to a subset of commands (PING, VERSION, VERSIONCOMMANDS, INSTREAM).
 
 ## Protocol
 

main.go

@@ -4,22 +4,23 @@ package main
 
 import (
 	"fmt"
-	"github.com/alecthomas/kong"
 	"log/slog"
 	"net"
 	"net/http"
 	_ "net/http/pprof" // Register pprof handlers
 	"os"
 	"strings"
-)
 
+	"github.com/alecthomas/kong"
+)
 
 // CLI configuration structure for Kong
 var cli struct {
-	Listen    string `name:"listen" help:"Address to listen on" default:"127.0.0.1:3310"`
-	Backend   string `name:"backend" help:"Address of the backend clamd server" default:"127.0.0.1:3311"`
-	LogLevel  string `name:"log-level" help:"Log level (debug, info, warn, error)" default:"warn" enum:"debug,info,warn,error"`
-	PprofAddr string `name:"pprof" help:"Address for pprof HTTP server (disabled if empty)" default:""`
+	Listen          string   `name:"listen" help:"Address to listen on" default:"127.0.0.1:3310"`
+	Backend         string   `name:"backend" help:"Address of the backend clamd server" default:"127.0.0.1:3311"`
+	LogLevel        string   `name:"log-level" help:"Log level (debug, info, warn, error)" default:"warn" enum:"debug,info,warn,error"`
+	PprofAddr       string   `name:"pprof" help:"Address for pprof HTTP server (disabled if empty)" default:""`
+	AllowedCommands []string `name:"allow-command" help:"ClamAV commands to allow (can be specified multiple times)"`
 }
 
 // Global logger used throughout the code
@@ -56,15 +57,18 @@ func main() {
 	logger = getLogger(cli.LogLevel)
 	slog.SetDefault(logger)
 
+	// Initialize allowed commands
+	initAllowedCommands()
+
 	logger.Warn("Starting clamdproxy",
-		"listen", &cli.Listen,
-		"backend", &cli.Backend)
+		"listen", cli.Listen,
+		"backend", cli.Backend)
 
 	// Start pprof server if enabled
 	if cli.PprofAddr != "" {
 		go func() {
-			logger.Info("Starting pprof server",
-				"addr", &cli.PprofAddr,
+			logger.Warn("Starting pprof server",
+				"addr", cli.PprofAddr,
 				"url", fmt.Sprintf("http://%s/debug/pprof/", cli.PprofAddr))
 			if err := http.ListenAndServe(cli.PprofAddr, nil); err != nil {
 				logger.Error("Failed to start pprof server", "error", err)
@@ -103,7 +107,7 @@ func handleConnection(clientConn net.Conn) {
 	}()
 	clientAddr := clientConn.RemoteAddr()
 
-	logger.Info("Connection established", "client", &clientAddr)
+	logger.Info("Connection established", "client", clientAddr)
 
 	backendConn, err := net.Dial("tcp", cli.Backend)
 	if err != nil {
@@ -115,14 +119,46 @@ func handleConnection(clientConn net.Conn) {
 	}
 	defer func() {
 		if err := backendConn.Close(); err != nil {
-			logger.Error("Failed to close backend connection", "error", err)
+			logger.Debug("Failed to close backend connection", "error", err)
 		}
 	}()
 
-	logger.Info("Connected to backend", "backend", &cli.Backend, "client", &clientAddr)
+	logger.Info("Connected to backend", "backend", cli.Backend, "client", clientAddr)
 
 	proxy := NewClamdProxy(clientConn, backendConn)
 	proxy.Start()
 
-	logger.Info("Connection closed", "client", &clientAddr)
+	logger.Info("Connection closed", "client", clientAddr)
+}
+
+// initAllowedCommands initializes the allowedCommands map based on CLI options
+func initAllowedCommands() {
+	// If no commands specified, use the default set
+	if len(cli.AllowedCommands) == 0 {
+		// Default commands are already set in the allowedCommands variable
+		logger.Info("Using default allowed commands", "commands", allowedCommands)
+		return
+	}
+
+	// Clear the current allowed commands
+	for cmd := range allowedCommands {
+		delete(allowedCommands, cmd)
+	}
+
+	// Add each specified command if it's valid
+	for _, cmd := range cli.AllowedCommands {
+		cmd = strings.ToUpper(cmd) // Normalize to uppercase
+		if validClamdCommands[cmd] {
+			allowedCommands[cmd] = true
+		} else {
+			logger.Warn("Ignoring invalid command", "command", cmd)
+		}
+	}
+
+	// Log the final set of allowed commands
+	var cmdList []string
+	for cmd := range allowedCommands {
+		cmdList = append(cmdList, cmd)
+	}
+	logger.Info("Configured allowed commands", "commands", cmdList)
 }

proxy.go

@@ -37,7 +37,25 @@ const (
 	newlineDelimiter = byte('\n')
 )
 
-// allowedCommands defines the only commands that are permitted to be forwarded
+// validClamdCommands defines all known valid clamd commands
+var validClamdCommands = map[string]bool{
+	"PING":            true,
+	"VERSION":         true,
+	"RELOAD":          true,
+	"SHUTDOWN":        true,
+	"SCAN":            true,
+	"INSTREAM":        true,
+	"FILDES":          true,
+	"STATS":           true,
+	"IDSESSION":       true,
+	"END":             true,
+	"VERSIONCOMMANDS": true,
+	"MULTISCAN":       true,
+	"CONTSCAN":        true,
+	"ALLMATCHSCAN":    true,
+}
+
+// allowedCommands defines the commands that are permitted to be forwarded
 // to the backend for security reasons
 var allowedCommands = map[string]bool{
 	"PING":            true,
@@ -70,7 +88,7 @@ func NewClamdProxy(client, backend net.Conn) *ClamdProxy {
 // directly processes backend->client traffic in the current goroutine.
 func (p *ClamdProxy) Start() {
 	clientAddr := p.client.RemoteAddr()
-	logger.Info("Starting proxy", "client", &clientAddr)
+	logger.Info("Starting proxy", "client", clientAddr)
 
 	// Handle client -> backend in a separate goroutine
 	go p.handleClientToBackend()
@@ -119,17 +137,17 @@ func (p *ClamdProxy) Start() {
 
 	if err != nil {
 		if isConnectionClosed(err) {
-			logger.Info("Backend connection closed",
-				"client", &clientAddr,
+			logger.Debug("Backend connection closed",
+				"client", clientAddr,
 				"error", err)
 		} else {
 			logger.Debug("Error copying from backend to client",
-				"client", &clientAddr,
+				"client", clientAddr,
 				"error", err)
 		}
 	} else {
 		logger.Info("Proxy completed",
-			"client", &clientAddr,
+			"client", clientAddr,
 			"bytesTransferred", bytesWritten)
 	}
 }
@@ -146,13 +164,13 @@ func (p *ClamdProxy) handleClientToBackend() {
 		if err != nil {
 			if err == io.EOF {
 				// Normal client disconnection, log at debug level
-				logger.Info("Client disconnected", "client", &clientAddr)
+				logger.Info("Client disconnected", "client", clientAddr)
 			} else {
 				// Only log as error if it's not a connection reset or broken pipe
 				if isConnectionClosed(err) {
-					logger.Info("Client connection closed", "client", &clientAddr, "error", err)
+					logger.Debug("Client connection closed", "client", clientAddr, "error", err)
 				} else {
-					logger.Debug("Error reading command", "client", &clientAddr, "error", err)
+					logger.Debug("Error reading command", "client", clientAddr, "error", err)
 				}
 			}
 			// Close the backend connection to signal we're done
@@ -163,7 +181,7 @@ func (p *ClamdProxy) handleClientToBackend() {
 		}
 
 		// Only log commands at appropriate levels
-		logger.Debug("Command received", "client", &clientAddr, "command", &cmd)
+		logger.Debug("Command received", "client", clientAddr, "command", cmd)
 
 		// Check if command is allowed
 		if isCommandAllowed(cmd) {
@@ -180,17 +198,17 @@ func (p *ClamdProxy) handleClientToBackend() {
 
 			// Handle special case for INSTREAM command (file streaming)
 			if isInstreamCommand(cmd) {
-				logger.Debug("Processing INSTREAM data", "client", &clientAddr)
+				logger.Debug("Processing INSTREAM data", "client", clientAddr)
 
 				if err := p.handleInstream(reader); err != nil {
 					logger.Debug("Error handling INSTREAM data",
-						"client", &clientAddr,
+						"client", clientAddr,
 						"error", err)
 					break
 				}
 			}
 		} else {
-			logger.Info("Blocked command", "client", &clientAddr, "command", &cmd)
+			logger.Info("Blocked command", "client", clientAddr, "command", cmd)
 			// Send error response to client using buffered writer
 			response := "ERROR: Command not allowed\n"
 			if _, err := p.clientBuf.WriteString(response); err != nil {
@@ -320,7 +338,7 @@ func (p *ClamdProxy) handleInstream(reader *bufio.Reader) error {
 		// If size is 0, we're done with the stream
 		if size == 0 {
 			logger.Debug("INSTREAM completed",
-				"client", &clientAddr,
+				"client", clientAddr,
 				"totalBytes", totalBytes,
 				"chunks", chunks)
 			break
@@ -359,7 +377,7 @@ func (p *ClamdProxy) handleInstream(reader *bufio.Reader) error {
 		// Only log chunk details at the most verbose level and only occasionally
 		if chunks%100 == 0 {
 			logger.Debug("INSTREAM progress",
-				"client", &clientAddr,
+				"client", clientAddr,
 				"chunks", chunks,
 				"totalBytes", totalBytes)
 		}

proxy_test.go

@@ -85,6 +85,25 @@ func TestReadCommand(t *testing.T) {
 }
 
 func TestIsCommandAllowed(t *testing.T) {
+	// Save original allowedCommands
+	originalAllowed := make(map[string]bool)
+	for k, v := range allowedCommands {
+		originalAllowed[k] = v
+	}
+	
+	// Restore after test
+	defer func() {
+		allowedCommands = originalAllowed
+	}()
+	
+	// Set test allowed commands
+	allowedCommands = map[string]bool{
+		"PING":            true,
+		"VERSION":         true,
+		"VERSIONCOMMANDS": true,
+		"INSTREAM":        true,
+	}
+	
 	allowedCmds := []string{
 		"PING", "VERSION", "VERSIONCOMMANDS", "INSTREAM",
 		"zPING", "zVERSION", "zVERSIONCOMMANDS", "zINSTREAM",