[Feature]: Add configurations to disable certain validation paths #21

@detilium

Feature description

There doesn't seem to be a way to perform a malware/AV scan on a file whose file extension isn't in class FileExtensions.cs from ByteGuard.FileValidator. We allow uploads in our application outside of those supported in FileExtensions; for simplicity, say a CSV. We would still want Windows to scan that file even though it's not part of your supported file extensions. Is there a way to go about that?

It looks like the code in FileValidator rejects the file when it fails the IsValidFileType check before we get to the antimalware code. I'd like to be able to skip all the checks for files whose extension isn't supported but still run the malware scan.

public bool IsValidFile(string fileName, Stream stream)
{
    // Validate file type.
    if (!IsValidFileType(fileName))
    {
        if (_configuration.ThrowExceptionOnInvalidFile)
        {
            throw new UnsupportedFileException();
        }

        return false;
    }

    // Validate file size.
    if (!HasValidSize(stream))
    {
        if (_configuration.ThrowExceptionOnInvalidFile)
        {
            throw new UnsupportedFileException();
        }

        return false;
    }

    // Validate file signature.
    if (!HasValidSignature(fileName, stream))
    {
        if (_configuration.ThrowExceptionOnInvalidFile)
        {
            throw new InvalidSignatureException();
        }

        return false;
    }

    // Validate Open XML conformance for specific file types.
    if (IsOpenXmlFormat(fileName) && !IsValidOpenXmlDocument(fileName, stream))
    {
        if (_configuration.ThrowExceptionOnInvalidFile)
        {
            throw new InvalidOpenXmlFormatException();
        }

        return false;
    }

    // Validate Open Document Format (ODF) for specific file types.
    if (IsOpenDocumentFormat(fileName) && !IsValidOpenDocumentFormat(fileName, stream))
    {
        if (_configuration.ThrowExceptionOnInvalidFile)
        {
            throw new InvalidOpenDocumentFormatException();
        }

        return false;
    }

    // Validate antimalware scan if configured.
    if (_antimalwareScanner != null)
    {
        var isClean = IsMalwareClean(fileName, stream);
        if (!isClean)
        {
            if (_configuration.ThrowExceptionOnInvalidFile)
            {
                throw new MalwareDetectedException();
            }

            return false;
        }
    }

    return true;
}

Why is this needed?

We would still want Windows to scan that file even though it's not part of your supported file extensions.

Suggested solutions

Expansion of the FileValidatorConfiguration to skip certain validation paths, e.g.:

  • SupportedFileValidationEnabled = true/false
  • SizeValidationEnabled = true/false
  • OpenXmlValidationEnabled = true/false
  • OdfValidationEnabled = true/false

Or similar solution.

The configurations should be secure by default (true), but this would allow for specific validation scenarios and would allow you to only just use the antimalware scanning functionality.

Additional context

Ported from issue 3 in the buteguard-file-validator-scanner-amsi repo.
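
The suggested configuration, as an added stand-alone C# sketch that is not part of the original issue and is not ByteGuard.FileValidator code. The two flag names are taken from the suggestion above; `SketchConfig`, `SketchValidator`, `MaxBytes`, the extension list and the stub scanner are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

// Stand-alone sketch, not ByteGuard.FileValidator code. The two flag names come from the
// issue's suggestion; the types, MaxBytes and the scanner delegate are hypothetical.
// Constructed input: the stub scanner flags a made-up marker string.
Func<string, Stream, bool> stub = (_, s) =>
    !new StreamReader(s).ReadToEnd().Contains("FAKE-MALWARE-MARKER");
Stream Upload(string body) => new MemoryStream(Encoding.UTF8.GetBytes(body));

var strict = new SketchValidator(new SketchConfig(), stub);
var scanOnly = new SketchValidator(
    new SketchConfig { SupportedFileValidationEnabled = false }, stub);
Console.WriteLine(strict.IsValidFile("report.csv", Upload("a,b\n1,2")));
Console.WriteLine(scanOnly.IsValidFile("report.csv", Upload("a,b\n1,2")));
Console.WriteLine(scanOnly.IsValidFile("report.csv", Upload("FAKE-MALWARE-MARKER")));

public sealed class SketchConfig
{
    // Secure by default: each check runs unless it is explicitly switched off.
    public bool SupportedFileValidationEnabled { get; init; } = true;
    public bool SizeValidationEnabled { get; init; } = true;
    public long MaxBytes { get; init; } = 1024 * 1024;
    public HashSet<string> SupportedExtensions { get; init; } =
        new(StringComparer.OrdinalIgnoreCase) { ".pdf", ".png" };
}

public sealed class SketchValidator
{
    private readonly SketchConfig _config;
    private readonly Func<string, Stream, bool> _isMalwareClean;

    public SketchValidator(SketchConfig config, Func<string, Stream, bool> isMalwareClean)
        => (_config, _isMalwareClean) = (config, isMalwareClean);

    public bool IsValidFile(string fileName, Stream stream)
    {
        if (_config.SupportedFileValidationEnabled &&
            !_config.SupportedExtensions.Contains(Path.GetExtension(fileName)))
            return false;
        if (_config.SizeValidationEnabled && stream.Length > _config.MaxBytes)
            return false;
        // No flag gates the scan, so a file that skipped the extension check still reaches it.
        stream.Position = 0;
        return _isMalwareClean(fileName, stream);
    }
}
```

The three calls cover the default configuration on a CSV, the scan-only configuration on a benign CSV, and the scan-only configuration on a CSV carrying the stub's marker.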
