image_processing 1.13.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fa60a0e94436db0e6f672a321162282b92fff25b9acac0031d11f8e75bd46bee
-  data.tar.gz: f6f2cc0a61658d8a3db0883b4bdf7b9ec6421d29b74ce22ca1fee5ea2ff58d94
+  metadata.gz: a1627bd72e94e9d3c200ee8a78c91a6d53c68c0ed139ead780c8feccd40bf3f4
+  data.tar.gz: e73eaf24349e390627206cce11fc1dccc2cb226cbd24f504cff8c72103f7c2b4
 SHA512:
-  metadata.gz: 7220163f9f2572070de49f84ac4a9051433c504c44c6925660bcac162855b38920691d6e661deeeee3b2b6238f8a78cc4881dd10e539136bf02bef01ff05cca0
-  data.tar.gz: 9b21b5d109a9e7f8b116cccbf347809a2943171e959e8c1efc9797fcc133759c34ee83148601aa3f413f7e972b12a1803b4229f2b27835c35ab745fe39b0011f
+  metadata.gz: 703ae2deab2b8533331c39961690888d51ddc100eb2bb5df036541ce240067e4c4ce3e59320d932fdedefc58811e01c3591c0699eaa4feef7fe065141be49d5f
+  data.tar.gz: 990a0eed40a6f50a76811f0250e73fd833dca1241d1cb3eb5df3d481623e5cb2a788533c266294c503dc0050d708d3219a3678dd33caee9e28901183ace5f307

data/CHANGELOG.md

@@ -1,3 +1,23 @@
+## 2.0.0 (2026-05-20)
+
+* `mini_magick`/`ruby-vips` are now soft dependencies and need to be manually added to the Gemfile (@janko)
+
+* Avoid remote shell execution vulnerability in `#apply` when arguments are coming from user input (@janko)
+
+* [vips] Unfuzzed loaders are now blocked by default (@janko)
+
+* [vips] Sharpening after resize has been disabled by default (@janko)
+
+* [minimagick] Remove deprecated `:compose` and `:geometry` keyword arguments for `#composite` (@janko)
+
+* Ruby 3.0+ is now required (@janko)
+
+## 1.14.0 (2025-02-10)
+
+* Add support for MiniMagick 5.x (@lukeasrodgers)
+
+* Fix `#resize_to_cover` when dealing with EXIF orientated images (@brendon)
+
 ## 1.13.0 (2024-07-24)
 
 * [minimagick] Use `-append` when calling `#append` with no arguments (@janko)

data/README.md

@@ -3,11 +3,10 @@
 Provides higher-level image processing helpers that are commonly needed
 when handling image uploads.
 
-This gem can process images with either [ImageMagick]/[GraphicsMagick] or
-[libvips] libraries. ImageMagick is a good default choice, especially if you
-are migrating from another gem or library that uses ImageMagick. Libvips is a
-newer library that can process images [very rapidly][libvips performance]
-(often multiple times faster than ImageMagick).
+This gem can process images with [ImageMagick] or [libvips]. ImageMagick is a
+good default choice, especially if you are migrating from another gem or library
+that uses ImageMagick. Libvips is a newer library that can process images [very
+rapidly][libvips performance] (often multiple times faster than ImageMagick).
 
 
 ## Goal
@@ -16,7 +15,7 @@ The goal of this project is to have a single gem that contains all the
 helper methods needed to resize and process images.
 
 Currently, existing attachment gems (like Paperclip, CarrierWave, Refile,
-Dragonfly, ActiveStorage, and others) implement their own custom image
+Dragonfly, Active Storage, and others) implement their own custom image
 helper methods. But why? That's not very DRY, is it?
 
 Let's be honest. Image processing is a dark, mysterious art. So we want to
@@ -32,19 +31,23 @@ how to resize and process images.
 In a Mac terminal:
 
 ```sh
-  $ brew install imagemagick vips
+  $ brew install imagemagick # if using ImageMagick
+  $ brew install vips # if using libvips
   ```
 
  In a debian/ubuntu terminal:
 
 ```sh
-  $ sudo apt install imagemagick libvips
+  $ sudo apt install imagemagick # if using ImageMagick
+  $ sudo apt install libvips # if using libvips
   ```
 
-2. Add the gem to your Gemfile:
+2. Add the gem(s) to your Gemfile:
 
   ```rb
-  gem "image_processing", "~> 1.0"
+  gem "image_processing", "~> 2.0"
+  gem "mini_magick", "~> 5.0" # if using ImageMagick
+  gem "ruby-vips", "~> 2.0" # if using libvips
   ```
 
 
@@ -66,7 +69,7 @@ processed = ImageProcessing::MiniMagick
 processed #=> #<Tempfile:/var/folders/.../image_processing20180316-18446-1j247h6.png>
 ```
 
-This allows easy branching when generating multiple derivates:
+This allows easy branching when generating multiple derivatives:
 
 ```rb
 require "image_processing/vips"
@@ -187,22 +190,9 @@ pipeline
 
 ## Contributing
 
-Our test suite requires both `imagemagick` and `libvips` libraries to be installed.
+Our test suite requires both `imagemagick` and `libvips` libraries to be installed. Afterwards you can run tests with:
 
-In a Mac terminal:
-
-```
-$ brew install imagemagick vips
-```
-
-In a debian/ubuntu terminal:
-```shell
-sudo apt install imagemagick libvips
-```
-
-Afterwards you can run tests with
-
-```
+```sh
 $ bundle exec rake test
 ```
 

data/image_processing.gemspec

@@ -4,7 +4,7 @@ Gem::Specification.new do |spec|
   spec.name          = "image_processing"
   spec.version       = ImageProcessing::VERSION
 
-  spec.required_ruby_version = ">= 2.3"
+  spec.required_ruby_version = ">= 3.0"
 
   spec.summary       = "High-level wrapper for processing images for the web with ImageMagick or libvips."
   spec.description   = "High-level wrapper for processing images for the web with ImageMagick or libvips."
@@ -16,12 +16,12 @@ Gem::Specification.new do |spec|
   spec.files         = Dir["README.md", "LICENSE.txt", "CHANGELOG.md", "lib/**/*.rb", "*.gemspec"]
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "mini_magick", ">= 4.9.5", "< 5"
-  spec.add_dependency "ruby-vips", ">= 2.0.17", "< 3"
+  spec.metadata = { "changelog_uri" => spec.homepage + "/blob/master/CHANGELOG.md",
+                    "rubygems_mfa_required" => "true" }
 
   spec.add_development_dependency "rake"
   spec.add_development_dependency "minitest", "~> 5.8"
   spec.add_development_dependency "minitest-hooks", ">= 1.4.2"
   spec.add_development_dependency "minispec-metadata"
-  spec.add_development_dependency "dhash-vips"
+  spec.add_development_dependency "dhash-vips" unless RUBY_ENGINE == "jruby"
 end

data/lib/image_processing/chainable.rb

@@ -33,6 +33,10 @@ module ImageProcessing
     #   .apply([[:resize_to_limit, [400, 400]], [:strip, true])
     def apply(operations)
       operations.inject(self) do |builder, (name, argument)|
+        if invalid_operation?(name)
+          fail ArgumentError, "#{name.inspect} is not a valid ImageProcessing operation"
+        end
+
         if argument == true || argument == nil
           builder.public_send(name)
         elsif argument.is_a?(Array)
@@ -81,11 +85,22 @@ module ImageProcessing
 
     private
 
+    # This prevents calling unsafe Ruby core methods such as `Kernel#system`,
+    # which would allow for remote shell execution.
+    def invalid_operation?(name)
+      return true if name.end_with?("!")
+
+      owner = method(name).owner
+      [BasicObject, Kernel, Object, Module].include?(owner)
+    rescue NameError
+      false
+    end
+
     # Assume that any unknown method names an operation supported by the
     # processor. Add a bang ("!") if you want processing to be performed.
     def method_missing(name, *args, &block)
       return super if name.to_s.end_with?("?")
-      return send(name.to_s.chomp("!"), *args, &block).call if name.to_s.end_with?("!")
+      return public_send(name.to_s.chomp("!"), *args, &block).call if name.to_s.end_with?("!")
 
       operation(name, *args, &block)
     end

data/lib/image_processing/mini_magick.rb

@@ -1,13 +1,25 @@
-require "mini_magick"
 require "image_processing"
+begin
+  require "mini_magick"
+rescue LoadError
+  fail ImageProcessing::Error, "ImageProcessing::MiniMagick requires the mini_magick gem. Please add `gem \"mini_magick\", \"~> 5.0\"` to your Gemfile."
+end
 
 module ImageProcessing
   module MiniMagick
     extend Chainable
 
+    def self.convert_shim(&block)
+      if ::MiniMagick.respond_to?(:convert)
+        ::MiniMagick.convert(&block)
+      else
+        ::MiniMagick::Tool::Convert.new(&block)
+      end
+    end
+
     # Returns whether the given image file is processable.
     def self.valid_image?(file)
-      ::MiniMagick::Tool::Convert.new do |convert|
+      convert_shim do |convert|
         convert << file.path
         convert << "null:"
       end
@@ -30,7 +42,7 @@ module ImageProcessing
           magick = path_or_magick
         else
           source_path = path_or_magick
-          magick = ::MiniMagick::Tool::Convert.new
+          magick = ::ImageProcessing::MiniMagick.convert_shim
 
           Utils.apply_options(magick, **options)
 
@@ -112,18 +124,9 @@ module ImageProcessing
       # Overlays the specified image over the current one. Supports specifying
       # an additional mask, composite mode, direction or offset of the overlay
       # image.
-      def composite(overlay = :none, mask: nil, mode: nil, gravity: nil, offset: nil, args: nil, **options, &block)
+      def composite(overlay = :none, mask: nil, mode: nil, gravity: nil, offset: nil, args: nil, &block)
         return magick.composite if overlay == :none
 
-        if options.key?(:compose)
-          warn "[IMAGE_PROCESSING] The :compose parameter in #composite has been renamed to :mode, the :compose alias will be removed in ImageProcessing 2."
-          mode = options[:compose]
-        end
-
-        if options.key?(:geometry)
-          warn "[IMAGE_PROCESSING] The :geometry parameter in #composite has been deprecated and will be removed in ImageProcessing 2. Use :offset instead, e.g. `geometry: \"+10+15\"` should be replaced with `offset: [10, 15]`."
-          geometry = options[:geometry]
-        end
         geometry = "%+d%+d" % offset if offset
 
         overlay_path = convert_to_path(overlay, "overlay")

data/lib/image_processing/version.rb

@@ -1,3 +1,3 @@
 module ImageProcessing
-  VERSION = "1.13.0"
+  VERSION = "2.0.0"
 end

data/lib/image_processing/vips.rb

@@ -1,7 +1,11 @@
-require "vips"
 require "image_processing"
+begin
+  require "vips"
+rescue LoadError
+  fail ImageProcessing::Error, "ImageProcessing::Vips requires the ruby-vips gem. Please add `gem \"ruby-vips\", \"~> 2.0\"` to your Gemfile."
+end
 
-fail "image_processing/vips requires libvips 8.6+" unless Vips.at_least_libvips?(8, 6)
+Vips.block_untrusted(true) if Vips.respond_to?(:block_untrusted) && !ENV["VIPS_BLOCK_UNTRUSTED"]
 
 module ImageProcessing
   module Vips
@@ -93,7 +97,7 @@ module ImageProcessing
       # Resizes the image to cover the specified dimensions, without
       # cropping the excess.
       def resize_to_cover(width, height, **options)
-        image = self.image.is_a?(String) ? ::Vips::Image.new_from_file(self.image) : self.image
+        image = self.image.is_a?(String) ? self.class.load_image(self.image) : self.image
 
         image_ratio = Rational(image.width, image.height)
         thumbnail_ratio = Rational(width, height)
@@ -155,7 +159,7 @@ module ImageProcessing
 
       # Resizes the image according to the specified parameters, and sharpens
       # the resulting thumbnail.
-      def thumbnail(width, height, sharpen: SHARPEN_MASK, **options)
+      def thumbnail(width, height, sharpen: nil, **options)
         if self.image.is_a?(String) # path
           # resize on load
           image = ::Vips::Image.thumbnail(self.image, width, height: height, **options)
@@ -167,7 +171,11 @@ module ImageProcessing
           image = self.image.thumbnail_image(width, height: height, **options)
         end
 
-        image = image.conv(sharpen, precision: :integer) if sharpen
+        if sharpen
+          sharpen_mask = sharpen.is_a?(TrueClass) ? SHARPEN_MASK : sharpen
+          image = image.conv(sharpen_mask, precision: :integer)
+        end
+
         image
       end
 

data/lib/image_processing.rb

@@ -7,6 +7,6 @@ require "image_processing/version"
 module ImageProcessing
   Error = Class.new(StandardError)
 
-  autoload :MiniMagick, 'image_processing/mini_magick'
-  autoload :Vips, 'image_processing/vips'
+  autoload :MiniMagick, "image_processing/mini_magick"
+  autoload :Vips, "image_processing/vips"
 end

metadata

@@ -1,55 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: image_processing
 version: !ruby/object:Gem::Version
-  version: 1.13.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Janko Marohnić
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-07-24 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: mini_magick
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 4.9.5
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '5'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 4.9.5
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '5'
-- !ruby/object:Gem::Dependency
-  name: ruby-vips
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.0.17
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.0.17
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -143,8 +102,9 @@ files:
 homepage: https://github.com/janko/image_processing
 licenses:
 - MIT
-metadata: {}
-post_install_message:
+metadata:
+  changelog_uri: https://github.com/janko/image_processing/blob/master/CHANGELOG.md
+  rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
 - lib
@@ -152,15 +112,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '3.0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.11
-signing_key:
+rubygems_version: 4.0.3
 specification_version: 4
 summary: High-level wrapper for processing images for the web with ImageMagick or
   libvips.