Tissue Laravel Package

bubnov/tissue

Scan uploaded files for viruses in PHP via adapter-based integrations. Includes a ClamAV adapter to run ClamAV scans and report infected files, helping you add antivirus checks to your upload pipeline (keep signatures updated; follow upload security best practices).


Product Decisions This Supports

  • Security Hardening: Enables mandatory malware scanning for user-uploaded content, addressing critical vulnerabilities in file-handling workflows (e.g., PHP shells disguised as images). Directly supports compliance with HIPAA, PCI-DSS, or GDPR for industries handling sensitive data.
  • Roadmap Prioritization:
    • Phase 1: Integrate into core upload pipelines (e.g., media, documents) to block known threats.
    • Phase 2: Extend to dependency scanning (e.g., Composer packages) or email attachments if the product expands into those areas.
    • Phase 3: Replace ad-hoc security checks (e.g., file extensions) with automated, engine-driven validation.
  • Build vs. Buy:
    • Avoids reinventing the wheel: No need to build a custom ClamAV wrapper or integrate with proprietary APIs (e.g., VirusTotal).
    • Low-cost alternative: MIT-licensed with no vendor lock-in; total cost = ClamAV server maintenance.
    • Future-proofing: Adapter pattern allows swapping scanners (e.g., if ClamAV becomes unsustainable).
  • Use Cases:
    • SaaS Platforms: Scan user-generated media (images, videos) before processing (e.g., thumbnails, transcoding).
    • Developer Tools: Validate code submissions or dependency uploads in IDEs/forges (e.g., GitHub-like platforms).
    • Legacy Systems: Retrofit old PHP apps (pre-Laravel 5) with modern security without full rewrites.
    • File-Sharing Services: Pre-scan documents/contracts in collaboration tools (e.g., shared drives).
    • E-Commerce: Block malicious product images or downloadable files (e.g., software, templates).

When to Consider This Package

Adopt if:

  • Your primary risk is malware in uploads, and you can tolerate ClamAV’s limitations (e.g., no heuristic analysis, signature-based only).
  • You’re already using ClamAV or willing to deploy it (reduces operational overhead).
  • Your tech stack is PHP/Laravel and you need a lightweight, no-frills solution.
  • Compliance requirements (e.g., PCI-DSS) mandate file validation, and you lack budget for proprietary tools.
  • You can dedicate time to:
    • Maintain ClamAV signatures (freshclam).
    • Handle false positives/negatives (e.g., admin review workflows).
    • Secure file execution (e.g., never serve scanned files directly).

Look elsewhere if:

  • You need multi-engine support (e.g., Sophos, Kaspersky, or cloud APIs like VirusTotal). → Alternatives: PHP-VT, ClamAV CLI + custom wrapper.
  • Your team lacks security expertise to:
    • Configure ClamAV safely (e.g., sandboxing, exclusion lists).
    • Mitigate risks like file execution or ClamAV exploits.
  • Performance is critical:
    • ClamAV scans add latency (e.g., 1–5 seconds per file). For high-throughput systems, consider:
      • Async processing (Laravel queues).
      • Edge scanning (e.g., Cloudflare, AWS Lambda).
      • Lighter checks (e.g., file type validation + size limits).
  • Modern PHP/Laravel compatibility is a blocker:
    • Last release in 2017 may break on PHP 8.0+ or Laravel 9/10. → Mitigation: Fork the package or use a maintained alternative like spatie/laravel-virus-scanner.
  • You’re using Symfony: → Prefer the TissueBundle for tighter integration.
  • False positives/negatives are unacceptable:
    • ClamAV may miss polymorphic malware or flag legitimate files (e.g., packed executables). → Solution: Implement a human review workflow for flagged files.
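
The checks named in this section (size limits, file type validation, a ClamAV scan, and never serving scanned files directly) fit together as in the following added example, which is not code from Tissue or from this page. It calls the `clamscan` CLI directly instead of going through Tissue's adapter; the function name `gateUpload`, the size limit, the MIME allow-list and the binary path are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: layered upload gate. Names, limits and paths are assumptions.

const MAX_BYTES = 5 * 1024 * 1024; // assumed size limit (5 MiB)
const ALLOWED_MIME = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

/**
 * Returns ['status' => 'stored'|'rejected'|'infected'|'scan_error'|'store_error', 'detail' => string].
 * $tmpPath is a file already received by the application; $storeDir must lie outside the web root.
 */
function gateUpload(string $tmpPath, string $storeDir, string $clamscan = '/usr/bin/clamscan'): array
{
    // 1. Cheap checks first, so oversized or disallowed files never reach the scanner.
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        return ['status' => 'rejected', 'detail' => 'size'];
    }
    // Detect the type from the content, not from the client-supplied name or header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_MIME[$mime])) {
        return ['status' => 'rejected', 'detail' => 'type'];
    }

    // 2. ClamAV scan. clamscan exits 0 = clean, 1 = virus found, 2 = error.
    $output = [];
    $exit = -1;
    $cmd = escapeshellarg($clamscan) . ' --no-summary ' . escapeshellarg($tmpPath) . ' 2>&1';
    exec($cmd, $output, $exit);
    if ($exit === 1) {
        return ['status' => 'infected', 'detail' => implode("\n", $output)];
    }
    if ($exit !== 0) {
        // Scanner failure (including a missing binary) is its own outcome, so whatever
        // policy the caller applies to it is an explicit decision that can be logged.
        return ['status' => 'scan_error', 'detail' => "clamscan exit $exit"];
    }

    // 3. Store under a random name; the extension comes from the detected type only.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    if (!rename($tmpPath, rtrim($storeDir, '/') . '/' . $name)) {
        return ['status' => 'store_error', 'detail' => 'rename failed'];
    }
    return ['status' => 'stored', 'detail' => $name];
}
```

Because the stored name and extension never come from the client, a file that passes the scan still cannot be requested under a `.php` name; downloads should go through a controller that reads from `$storeDir`.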

How to Pitch It (Stakeholders)

For Executives: *"This package lets us automatically block malware in uploads using ClamAV—a free, open-source tool—without building a custom solution. Here’s why it’s a no-brainer:

  • Cost: Zero licensing fees; only operational cost is maintaining ClamAV on our servers.
  • Compliance: Meets PCI-DSS/HIPAA requirements for file validation, reducing audit risks.
  • Risk Reduction: Stops threats like PHP shells, ransomware, or trojans before they hit our systems.
  • Scalability: Handles thousands of uploads/month with minimal dev effort.

Trade-offs:

  • We’ll need to manage ClamAV updates and handle occasional false positives (e.g., flagged but safe files).
  • Scans add 1–5 seconds of latency per file (mitigated by async processing).

Recommendation: Pilot this for [X] uploads first, then roll out to all user-generated content. The alternative—doing nothing—leaves us exposed to costly breaches."*

For Engineering: *"Tissue provides a ClamAV wrapper for PHP/Laravel that’s simple to integrate but has critical caveats:

Pros:

  • Plug-and-play: One adapter for ClamAV; easy to extend with custom scanners.
  • Laravel-friendly: Fits into service containers, facades, and events (e.g., file.uploaded).
  • No vendor lock-in: Open-source with MIT license.

Cons:

  • Stale codebase (2017): May need forking for PHP 8.0+/Laravel 10.x.
  • Single-engine: Only ClamAV (no Sophos, Kaspersky, or cloud APIs).
  • Performance: Scans are blocking by default; async queues recommended.
  • Security risks:
    • Must never serve scanned files directly (e.g., store outside web root).
    • ClamAV misconfigurations could miss threats or flag legitimate files as false positives.

Recommendation:

  1. Pilot: Test in staging with a subset of uploads (e.g., media, docs).
  2. Fallback: Implement graceful degradation (e.g., skip scan if ClamAV fails).
  3. Monitor: Track false positives/negatives and ClamAV update reliability.

Alternatives:

For Security/Compliance: *"This addresses two critical gaps in our upload security:

  1. Malware Blocking: ClamAV catches known viruses, trojans, and exploits (e.g., CVE-2023-xxxx in Office macros).
  2. Compliance: Provides audit-ready logs of scanned files (if we add DB logging).

Risks to Mitigate:

  • False Positives: Implement a manual review workflow for flagged files (e.g., admin dashboard).
  • ClamAV Evasion: Combine with file type validation (e.g., MIME checks) and size limits.
  • Execution Risks: Ensure scanned files are never executed (e.g., store outside web root, use .user.ini to disable PHP execution).

Recommendation: Treat this as a layered defense—not a silver bullet. Pair with:

  • File integrity checks (e.g., checksums).
  • Behavioral analysis (e.g., monitor for suspicious file access patterns).
  • User education (e.g., warn against uploading from untrusted sources)."*