Back-End Attachment Scan Work & Toasts POC #408

Open
S-S-T wants to merge 42 commits into develop from predisk-scanning-1756
@S-S-T (Contributor) commented Mar 30, 2026

Back-End Attachment Scan Work & Toasts POC: 1756

⚠️ Please confirm target merge branch — develop or test?

Summary

Implements back-end pre-disk scanning for ALL accepted file types (and rejection handling for unaccepted/infected files or types), and UI messaging/toaster POC for the pre-disk ClamAV attachment scanning epic. This work includes previous tickets #1751, #1752, #1753, #1754 and #1755 — consolidated into this PR, #1756.

***Of Note: No API contract work is included in this branch, and this branch does not handle front-end messaging when specific file types are checked off during Form creation; that specific issue will be addressed in subsequent branches that immediately follow.***

Key Features & Behavior

ClamAV Scan

  • Pre-disk scan occurs before filesystem writes and MongoDB commits.
  • Pre-disk scanning occurs in the Busboy stream for production deployments.
  • Infected files (e.g., eicar.txt) are rejected with a clear error message and toast.
  • Clean files pass successfully with a clear success message and toast.

Front-End

  • Page updates automatically; no manual refresh required.
  • Users see only success or failure of the attachment; no ClamAV internal messages are exposed.
  • Failed uploads are removed from the front end after the failure occurs; the observation remains (without the failed attachment).

TESTING REQS & SETUP

AWS SSO Login and ClamAV Forwarding

To run the pre-disk ClamAV scan process, ensure the following is in place:

  1. Add the ClamAV environment variable to docker-compose.yml just under SFTP_PLUGIN_CONFIG_SALT:

    CLAM_AV_URL: tcp://host.docker.internal:3310

  2. Make certain you export the new required env variable in a currently running terminal session or VS Code terminal:

    export CLAM_AV_URL="tcp://host.docker.internal:3310"

  3. AWS SSO Login

    • Must have an AWS account for magegov.
    • Open a terminal and run:
      aws sso login --profile magegov
    • Follow the web page flow, including two-factor authentication (Authy, DUO, etc.).

  4. Forward to the PX ClamAV server (set up kube config first if required):

    kubectl port-forward svc/clamav 3310:3310 -n clamav

    • You should see output like:
      Forwarding from 127.0.0.1:3310 -> 3310
      Forwarding from [::1]:3310 -> 3310
    • Leave this terminal window running while testing.

Testing

  • Verify env var is set for CLAM_AV_URL
  • npm install/npm run build/npm start to begin
  • Log into MAGE
  • Verify that EICAR.txt files get rejected.
  • Verify clean accepted file types (.Png, .Txt, .Doc) are accepted.
  • Verify success/failure toasts show for single and multiple file uploads

Conclusion

This PR covers all back-end work for pre-disk ClamAV attachment scanning, plus POC UI messaging/toaster implementation. Of Note: NO API Contract work is included in this branch. All of that work track will be in the next series of tickets.
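
One way a pre-disk scan against a TCP clamd endpoint can work, as an added example that is not code from this branch: it frames upload chunks with clamd's INSTREAM command and maps the reply to a fail-closed verdict that keeps ClamAV's internal message out of the user-facing text. The function names, user messages and sample replies are assumptions made for illustration.

```javascript
// Added example: clamd INSTREAM framing and fail-closed verdict mapping.
// All function names and user-facing messages here are hypothetical.

// Parse a value like CLAM_AV_URL=tcp://host.docker.internal:3310.
function parseClamUrl(value) {
  const u = new URL(value);
  if (u.protocol !== 'tcp:' || !u.hostname) {
    throw new Error('CLAM_AV_URL must look like tcp://host:port');
  }
  return { host: u.hostname, port: Number(u.port || 3310) };
}

// INSTREAM wire format: "zINSTREAM\0", then every chunk as
// <4-byte big-endian length><data>, then a zero-length chunk.
const INSTREAM_START = Buffer.from('zINSTREAM\0');
const INSTREAM_END = Buffer.alloc(4);

function frameChunk(chunk) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(chunk.length, 0);
  return Buffer.concat([len, chunk]);
}

// Bytes written to the clamd socket for one upload, given its stream chunks.
function buildInstream(chunks) {
  return Buffer.concat([INSTREAM_START, ...chunks.map(frameChunk), INSTREAM_END]);
}

// Map clamd's reply to an upload decision. Only an exact "stream: OK"
// accepts; infected, error, empty or truncated replies all reject, so a
// scanner failure never lets a file reach disk. The raw reply is kept for
// server logs and never placed in the message shown to the user.
function toVerdict(reply) {
  const raw = Buffer.from(reply).toString('utf8').replace(/\0+$/, '').trim();
  if (raw === 'stream: OK') {
    return { accept: true, reason: 'clean', userMessage: 'Attachment uploaded.', log: raw };
  }
  const reason = / FOUND$/.test(raw) ? 'infected' : 'scan_error';
  return { accept: false, reason, userMessage: 'Attachment could not be uploaded.', log: raw };
}

// Constructed sample replies (not captured from a real server).
const SAMPLE_REPLIES = [
  'stream: OK\0',
  'stream: Win.Test.EICAR_HDB-1 FOUND\0',
  'INSTREAM size limit exceeded. ERROR\0',
  '',
];
```

In a stream handler, each chunk would be written to the socket through `frameChunk` as it arrives, and the file is committed to disk only after `toVerdict` returns `accept: true`.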

Sanford Schaffer and others added 30 commits February 19, 2026 06:47
…attachments, configure node debugger, etc..
…canned and cleanly running thru clamav with no errors..
…ully resolve failures in clamav instead of crashing..
…ded, need to keep app afloat, this finishes 1753 ticket..
@S-S-T S-S-T changed the title 1756 Attachment Scans: Front End UX & Messages 1756 Pre-Disk Attachment Scans & Toasts Mar 31, 2026
@S-S-T S-S-T changed the title 1756 Pre-Disk Attachment Scans & Toasts Back-End Attachment Scan Work & Toasts POC Mar 31, 2026
@S-S-T S-S-T requested review from RyCarpenter and ryanslatten and removed request for ryanslatten April 1, 2026 14:56