How to Scan for Custom Content Threats in Azure Blob Storage using Node.js
In cybersecurity, overconfidence is a particularly dangerous condition. No matter how confident we are in our antivirus solutions, we should always factor some redundancy into our security model to keep up with rapidly evolving (and increasingly well-disguised) threats.
This is highly relevant when it comes to securing our Azure Blob storage containers. If we’re storing file uploads from client-facing web applications, our blob might be at risk of accepting malicious file uploads, and these uploads can potentially impact us AND our other application users.
For a sophisticated malware author, obfuscating malicious code is a trivial task. As a result, we need to look past traditional malware detection methods to keep our storage locations safe.
Using the code below, we can take advantage of a free-to-use advanced virus scan API designed to scan files directly from Azure Blob storage. In addition to performing a powerful virus and malware scan, this service offers the option to categorically block potentially threatening file types through in-depth content verification (identifying file types at the file encoding level).
We can screen out scripts, executables, invalid files, unsafe archives, and a variety of other threatening file types by setting custom content rules, and we can even establish a strict whitelist to disallow files outside of a select few. We can, for example, ensure only PDF and DOCX files are permitted in a Blob designated for resume uploads by supplying our request with a comma-separated list (like so: ‘.pdf,.docx’).
To authorize our API requests, we’ll need a free-tier API key, which allows us to scan up to 800 files per month with no additional commitment. It’s a great option for keeping small-scale projects secure and helping them get off the ground.
To structure our API call, we’ll need to begin by installing the SDK. We can either run the following command:
npm install cloudmersive-virus-api-client --save
Or we can add the following snippet to our package.json:
"dependencies": {
  "cloudmersive-virus-api-client": "^1.1.9"
}
Before we call the function, we’ll need to have a few important details ready to ensure requests target specific files in our Azure Blob container. These details include:
- Connection String — the connection string for the Azure Blob storage account
- Container Name — the name of the Blob container within the Azure Blob storage account
- Blob Path — the path to the blob within the container (such as ‘hello.pdf’ or ‘/folder/subfolder/world.pdf’). Please note that if the blob path contains Unicode characters, we must base64 encode the blob path and prepend it with ‘base64:’.
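The blob path rule above can be applied with a small helper before each scan request. This is an added example, not code from the original article or the SDK: toScanBlobPath is a hypothetical name, the 'base64:' prefix follows the blobPath comment in the article's code sample, and encoding a literal name that already starts with 'base64:' assumes the service accepts encoded ASCII paths.

```javascript
// Added example: prepare a blob path for the scan request.
// toScanBlobPath is a hypothetical helper, not part of the Cloudmersive SDK.
const PREFIX = 'base64:';

function toScanBlobPath(blobPath) {
  if (typeof blobPath !== 'string' || blobPath.length === 0) {
    throw new TypeError('blobPath must be a non-empty string');
  }
  // Printable ASCII can be sent as-is, with one exception: upload names are
  // user-controlled, and a literal name beginning with "base64:" would be
  // ambiguous, so it is encoded as well (assumption: the service accepts
  // encoded ASCII paths).
  const printableAscii = /^[\x20-\x7e]+$/.test(blobPath);
  if (printableAscii && !blobPath.startsWith(PREFIX)) {
    return blobPath;
  }
  // Everything else: base64 of the UTF-8 bytes, with the prefix.
  return PREFIX + Buffer.from(blobPath, 'utf8').toString('base64');
}

// Inverse, useful when logging which blob a request actually targeted.
function fromScanBlobPath(scanPath) {
  if (!scanPath.startsWith(PREFIX)) return scanPath;
  return Buffer.from(scanPath.slice(PREFIX.length), 'base64').toString('utf8');
}

// Constructed sample paths.
console.log(toScanBlobPath('/folder/subfolder/world.pdf'));
console.log(toScanBlobPath('/r\u00e9sum\u00e9s/cv.pdf'));
```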
With those details ready, we can now copy the below code into our file, provide our API key in the designated line, and customize our content verification parameters:
var CloudmersiveVirusApiClient = require('cloudmersive-virus-api-client');
var defaultClient = CloudmersiveVirusApiClient.ApiClient.instance;

// Configure API key authorization: Apikey
var Apikey = defaultClient.authentications['Apikey'];
Apikey.apiKey = 'YOUR API KEY';

var apiInstance = new CloudmersiveVirusApiClient.ScanCloudStorageApi();

var connectionString = "connectionString_example"; // String | Connection string for the Azure Blob Storage Account; you can get this connection string from the Access Keys tab of the Storage Account blade in the Azure Portal. Treat it as a secret: it carries the storage account key.
var containerName = "containerName_example"; // String | Name of the Blob container within the Azure Blob Storage account
var blobPath = "blobPath_example"; // String | Path to the blob within the container, such as 'hello.pdf' or '/folder/subfolder/world.pdf'. If the blob path contains Unicode characters, you must base64 encode the blob path and prepend it with 'base64:', such as: 'base64:6ZWV6ZWV6ZWV6ZWV6ZWV6ZWV'.

// Every allow* option is set to false (the recommended default), so each content check is enforced.
// Set an option to true only for a container that must accept that kind of file.
var opts = {
  'allowExecutables': false, // Boolean | false blocks executable files (program code) in the input file. Default is false (recommended).
  'allowInvalidFiles': false, // Boolean | false blocks invalid files, such as a PDF file that is not really a valid PDF file, or a Word Document that is not a valid Word Document. Default is false (recommended).
  'allowScripts': false, // Boolean | false blocks script files, such as PHP files, Python scripts, and other malicious content or security threats that can be embedded in the file. Set to true to allow these file types. Default is false (recommended).
  'allowPasswordProtectedFiles': false, // Boolean | false blocks password protected and encrypted files, such as encrypted zip and rar files, and other files that seek to circumvent scanning through passwords. Set to true to allow these file types. Default is false (recommended).
  'allowMacros': false, // Boolean | false blocks macros and other threats embedded in document files, such as Word, Excel and PowerPoint embedded macros. Set to true to allow these file types. Default is false (recommended).
  'allowXmlExternalEntities': false, // Boolean | false blocks XML External Entities and other threats embedded in XML files. Set to true to allow these file types. Default is false (recommended).
  'restrictFileTypes': ".pdf,.docx" // String | Comma-separated list of the only file formats to accept as clean; '.pdf,.docx' is the resume-upload example from above, and '.pdf,.docx,.png' would allow only PDF, PNG and Word document files. Files that fail content verification against this list are returned with CleanResult=false. Set to null or an empty string to disable; default is disabled.
};

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    // Stringify the result object; concatenating it directly would print "[object Object]".
    console.log('API called successfully. Returned data: ' + JSON.stringify(data));
  }
};

apiInstance.scanCloudStorageScanAzureBlobAdvanced(connectionString, containerName, blobPath, opts, callback);
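The callback above only logs the response; an upload pipeline needs an allow or deny decision that fails closed when the scan errors out or returns nothing. The sketch below is an added example, not code from the original article or the SDK: decideUpload is a hypothetical helper, CleanResult is the only field named in this article, and the other field names are assumptions about the response object.

```javascript
// Added example: turn the scan callback's (error, data) into a fail-closed verdict.
// Only CleanResult is named in this article. The other field names are
// assumptions about the response object; confirm them against the SDK docs.
const FLAG_REASONS = {
  ContainsExecutable: 'executable',
  ContainsScript: 'script',
  ContainsMacros: 'macros',
  ContainsPasswordProtectedFile: 'password-protected',
  ContainsInvalidFile: 'invalid-file',
  ContainsXmlExternalEntities: 'xml-external-entities',
  ContainsRestrictedFileFormat: 'restricted-format',
};

// decideUpload is a hypothetical helper, not part of the SDK.
function decideUpload(error, data) {
  // A failed or empty scan is not a clean scan: deny.
  if (error) return { allow: false, reasons: ['scan-error'] };
  if (!data || typeof data !== 'object') return { allow: false, reasons: ['no-result'] };

  const reasons = Object.keys(FLAG_REASONS)
    .filter((field) => data[field] === true)
    .map((field) => FLAG_REASONS[field]);
  if (Array.isArray(data.FoundViruses) && data.FoundViruses.length > 0) {
    reasons.push('virus');
  }
  // Allow only on an explicit CleanResult === true with no flag raised.
  if (data.CleanResult !== true && reasons.length === 0) reasons.push('not-clean');
  return { allow: reasons.length === 0, reasons };
}

// Constructed sample results (not real API output).
const SAMPLE_CLEAN = { CleanResult: true, FoundViruses: null };
const SAMPLE_MACRO = { CleanResult: false, ContainsMacros: true };
const SAMPLE_RENAMED = {
  CleanResult: false,
  ContainsRestrictedFileFormat: true,
  ContainsExecutable: true,
};

console.log(decideUpload(null, SAMPLE_CLEAN));
console.log(decideUpload(null, SAMPLE_MACRO));
console.log(decideUpload(null, SAMPLE_RENAMED));
```

Inside the scan callback, call decideUpload(error, data) and delete or quarantine the blob whenever allow is false, keeping the reasons for the audit log.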
We can now increase security redundancy for our precious Azure Blob data with a free, low-code solution.