Bookstack: Test files can cause "Trojan" warnings on some systems

Hi @infario

Can you add some more info or logs from the antivirus?

The file you uploaded, BookStack-master.zip, contains a virus so the upload was canceled: Win.Trojan.Hide-2 FOUND

Can you share what hosting provider you use? Any ideas about what AV software they use?

On a side note, you can download the latest release of BookStack from the release section here - https://github.com/BookStackApp/BookStack/releases

The master branch is for development purpose.

I tried the release BookStack Beta v0.26.3 and still get same error. We use Panel secure hosting. I guess they are using ClamAV Antivirus

Automated malware scanners seem to pick up files in the /tests/test-data directory.

./tests/test-data/bad.php: Win.Trojan.Hide-2 FOUND
./tests/test-data/bad.phtml: Win.Trojan.Hide-2 FOUND

Can i delete "tests" folder and upload?

@infario - Yes that should work fine.

Yes now the virus error gone. Thanks @dawolf and @Abijeet

Re-opening this in order to bring to @ssddanbrown's attention, and maybe make a more long term fix.

These files should be removed from the release if they get picked up by malware scanners.

edit: ninja'd by @Abijeet

Thanks @Abijeet for responding to this.

Yeah, Once we get to a point where we have packaged releases then the test files should not be included. GitHub just provides the current zip as a straight ZIP of the source. Have updated the title and will leave this open as a reminder for when we come to change the release process.

I just want to mention, that my hoster https://all-inkl.com/ reported those 2 PHP files as described above.
I now have deleted the tests folder but a "real solution" would be nice.

April 2020 and this is still not removed... why?
even more, why is this included? a php-file and phtml-file that are images!!

April 2020 and this is still not removed... why?

@stenootje Because we have not developed a packaged release system yet.

even more, why is this included? a php-file and phtml-file that are images!!

Because we have tests to ensure these types of files cannot be uploaded.

so this directory can be removed from installation without causing other problems?

@stenootje The directory can be removed. If you installed using git clone to pull down the files, then it's possible you may get some warnings or error when pulling down the code for an update.

If these files are "just" to test the upload (while developing) why does it have to be in a production environment?
Could this be solved with a production and development branch?

If these files are "just" to test the upload (while developing) why does it have to be in a production environment?

It's ideal to be able to run the tests against the exact branch of code that people are using, They'll never run in production but they're useful to be there.

Could this be solved with a production and development branch?

Yeah, most likely. We pretty much already have that with master as our development branch and release as our production branch, is just working around the above (ensure we're testing production-intended code) and putting process in place. Just wasn't looking to spend time updating our dev/release process to account for just this since I ultimately want to change the release process anyway.

FILE HIT LIST:
{CAV}Win.Trojan.Hide-2 : /.../tests/test-data/bad.php
{CAV}Win.Trojan.Hide-2 : /.../tests/test-data/bad.phtml