Integration of Mat2 for removing metadata from uploaded files

[evilaliv3]

Moving forward the discussion taken on #711, it could be valuable as well to integrate Mat2 in order to remove metadata from uploaded files.

Even if in many discussions it is considered important to maintain metatata to maintain integrity of the evidence it could be worth it to integrate MAT in order to make it possible for recipients to download a copy of the document were metadata is redacted; this copy is expected to be useful in many circumstances.

[evilaliv3]

This same analysis has been as well proposed by Eduar Martin Borrgon of Poder/Mexicoleaks

[emartinborregon]

That will be great for:

• Protect more the whistleblower from bad metada cleaning
• Protect more the user from malware (see Integration of Clamav for verifying uploaded files #711 (comment) )

[sajolida]

Hey, sajolida from Tails here :) I'm glad to see that the discussion I had with @emartinborregon is moving forward here.

This one could be implemented as a alternative download option: "Download with metadata" vs "Download without metadata".

We're good friends with jvoisin, the developper of MAT so tell me if you need help getting in touch with him. I can't speak for him but he might be interested in helping you integrate it in GlobaLeaks.

[evilaliv3]

Thank you @sajolida for your feedback! I'm glad to see you here and really happy of it.

Actually we would really love to integrate MAT within globaleaks!

The only reason that made me avoid this till now was due to the fact that by the current design we never make any plaintext version of the file on the filesystem and initial version of MAT were not offering any API for passing files in streaming.

do you know which is the status at the current time and do you have any advice? @jvoisin what do you think?

[jvoisin]

I think that it's a nice idea, although:

• mat2 won't protect from malwares. Running it on untrusted file might even result in the compromission of the globaleaks instance, albeit there is an integration with bubblewrap to sandbox the process.
• mat2 only works on files, not on streams, but this shouldn't be hard to implement

I'll be happy to give a hand with the integration.

[evilaliv3]

Thank you @jvoisin!
Yes point one is what prevented us to implemente integration with MAT and any antivirus till now. Mayny tickets in fact deals with the possiblity of making it possible to run mat in a sandbox like inside a seccomp process.

Have you ever analyzed possible integrations @jvoisin ?

[fpietrosanti]

Antivirus does communicate trough a standard protocol called ICAP: https://tools.ietf.org/html/rfc3507

In #711 we forecasted implementation of Mat and Antivirus using ICAP, as ICAP enable an ICAP Server to send back a modified version of the content/file being submitted.

If Mat2 would extend it's feature to support a Python ICAP Server, any ICAP capable software would be able to acquire the metadata cleanup feature (A mailserver, an proxy server).

Python ICAP Server found online:

• icapserver https://github.com/Peoplecantfly/icapserver
• pyicap https://github.com/netom/pyicap

That way Mat2 could run on it's own ICAPServer daemon running on 127.0.0.1 or local unix socket with it's own users and sandbox.

Then an ICAP Client implemented in Python https://pypi.org/project/icapclient3/ could be used eventually by GlobaLeaks to handle the file is receiving to an ICAP server.

Or another possibility without integrating an "ICAP server" could be to have Mat2 implement a basic daemon listening on a unix/tcp socket, implementing the very basic Clamav protocol, so it would be possible to speak to it using the existing Python Clamav client ( https://github.com/graingert/python-clamd ), having a compatibility layer ?

[jvoisin]

Wouldn't it make more sense to have a file — icap implementation living in globaleaks?
This seems to specific to be included in mat2.