[Minor] Add rules that observes limits in pdf files
authorVsevolod Stakhov <vsevolod@highsecure.ru>
Fri, 22 May 2020 12:02:32 +0000 (13:02 +0100)
committerVsevolod Stakhov <vsevolod@highsecure.ru>
Fri, 22 May 2020 12:02:32 +0000 (13:02 +0100)
conf/scores.d/content_group.conf
rules/content.lua

index b53ec31d0a03859704423674a36d0bc2933de072..6a011b9387f708af94230c118041e2dd2eee8fe1 100644 (file)
 description = "Content rules";
 
 symbols = {
-    "PDF_ENCRYPTED" {
-        weight = 0.3;
-        description = "There is an encrypted PDF in the message";
-        one_shot = true;
-    }
-    "PDF_JAVASCRIPT" {
-        weight = 0.1;
-        description = "There is an PDF with JavaScript in the message";
-        one_shot = true;
-    }
-    "PDF_SUSPICIOUS" {
-        weight = 4.5;
-        description = "There is an PDF with suspicious properties in the message";
-        one_shot = true;
-    }
+  "PDF_ENCRYPTED" {
+    weight = 0.3;
+    description = "There is an encrypted PDF in the message";
+    one_shot = true;
+  }
+  "PDF_JAVASCRIPT" {
+    weight = 0.1;
+    description = "There is an PDF with JavaScript in the message";
+    one_shot = true;
+  }
+  "PDF_SUSPICIOUS" {
+    weight = 4.5;
+    description = "There is an PDF with suspicious properties in the message";
+    one_shot = true;
+  }
+  "PDF_LONG_TRAILER" {
+    weight = 0.2;
+    description = "There is an PDF with a long trailer";
+    one_shot = true;
+  }
+  "PDF_MANY_OBJECTS" {
+    weight = 0;
+    description = "There is a PDF file with too many objects";
+    one_shot = true;
+  }
 }
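Review bot: `PDF_MANY_OBJECTS` is added with `weight = 0`, so it is reported without affecting the score. If that is deliberate while the limit is being observed, a comment above it such as `# informational only: weight is intentionally 0` would keep it from reading as an oversight. The new `PDF_LONG_TRAILER` description also copies the "an PDF" wording from the older entries; `description = "There is a PDF with a long trailer";` would match the `PDF_MANY_OBJECTS` line. The re-indentation of the three existing symbols is mixed into the same hunk, which makes the two functional additions harder to spot.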
 
index 1f591c2d73159dc267ee5787702c7684e18cb8f3..5bdc46c253e125337c87a5f6f3eff69743345992 100644 (file)
@@ -17,7 +17,7 @@ limitations under the License.
 local function process_pdf_specific(task, part, specific)
   local suspicious_factor = 0
   if specific.encrypted then
-    task:insert_result('PDF_ENCRYPTED', 1.0, part:get_filename())
+    task:insert_result('PDF_ENCRYPTED', 1.0, part:get_filename() or 'unknown')
     suspicious_factor = suspicious_factor + 0.1
     if specific.openaction then
       suspicious_factor = suspicious_factor + 0.5
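Review bot: The `part:get_filename() or 'unknown'` fallback is spelled out at every `insert_result` call in `process_pdf_specific`: here for `PDF_ENCRYPTED`, and in the later hunks for `PDF_JAVASCRIPT`, `PDF_SUSPICIOUS`, `PDF_LONG_TRAILER` and `PDF_MANY_OBJECTS`. Computing it once at the top of the function, `local fname = part:get_filename() or 'unknown'`, and passing `fname` would keep the five call sites in step. The name presumably comes from the attachment's headers, so a one-line comment that this option value is sender-controlled would help anyone consuming the symbol options downstream. The function body continues past the end of this hunk.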
@@ -25,7 +25,7 @@ local function process_pdf_specific(task, part, specific)
   end
 
   if specific.scripts then
-    task:insert_result('PDF_JAVASCRIPT', 1.0, part:get_filename())
+    task:insert_result('PDF_JAVASCRIPT', 1.0, part:get_filename() or 'unknown')
     suspicious_factor = suspicious_factor + 0.1
   end
 
@@ -35,7 +35,16 @@ local function process_pdf_specific(task, part, specific)
 
   if suspicious_factor > 0.5 then
     if suspicious_factor > 1.0 then suspicious_factor = 1.0 end
-    task:insert_result('PDF_SUSPICIOUS', suspicious_factor, part:get_filename())
+    task:insert_result('PDF_SUSPICIOUS', suspicious_factor, part:get_filename() or 'unknown')
+  end
+
+  if specific.long_trailer then
+    task:insert_result('PDF_LONG_TRAILER', 1.0, string.format('%s:%d',
+        part:get_filename() or 'unknown', specific.long_trailer))
+  end
+  if specific.many_objects then
+    task:insert_result('PDF_MANY_OBJECTS', 1.0, string.format('%s:%d',
+        part:get_filename() or 'unknown', specific.many_objects))
   end
 end
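Review bot: The two new `string.format('%s:%d', ...)` calls assume `specific.long_trailer` and `specific.many_objects` hold numbers, whereas the neighbouring fields (`encrypted`, `scripts`) are only tested for truthiness. The producer of `specific` is not visible here, but if either field were ever set to `true`, `%d` would raise an error inside the callback. Either state the contract in a comment above the checks, e.g. `-- long_trailer / many_objects carry the observed length/count, not a flag`, or format with `'%s:%s'` and `tostring(specific.long_trailer)`. The filename is the first field and may itself contain `:`, so it is worth noting that consumers of the option should split on the last colon.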
 
@@ -83,3 +92,15 @@ rspamd_config:register_symbol{
   parent = id,
   groups = {"content", "pdf"},
 }
+rspamd_config:register_symbol{
+  type = 'virtual',
+  name = 'PDF_LONG_TRAILER',
+  parent = id,
+  groups = {"content", "pdf"},
+}
+rspamd_config:register_symbol{
+  type = 'virtual',
+  name = 'PDF_MANY_OBJECTS',
+  parent = id,
+  groups = {"content", "pdf"},
+}