image_processing 1.14.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 613676364c0ba04b655a087a89296cec4604c8f362809ada23d984538f9e962b
-  data.tar.gz: 77a768424b857418d131257ce2c539715aa69999da7e78319255d9eee3f68157
+  metadata.gz: a1627bd72e94e9d3c200ee8a78c91a6d53c68c0ed139ead780c8feccd40bf3f4
+  data.tar.gz: e73eaf24349e390627206cce11fc1dccc2cb226cbd24f504cff8c72103f7c2b4
 SHA512:
-  metadata.gz: ff2e1a9bf128d872ad2c5663525c4e970e8b18457f2b4f0a50588a9f33c736b0ef46a3fb4bd10638be5a276e9aa8bacbae09c9685b954416902de3687a3b2181
-  data.tar.gz: c7efff88134c14c44001ea99ed7632ecc86b93bd3afe5e933cfdc8cb2d57a82fc69333192777ac17cdf9e5bf5ef15e012c17e6c7dffbd7124ed58d765e4bff4b
+  metadata.gz: 703ae2deab2b8533331c39961690888d51ddc100eb2bb5df036541ce240067e4c4ce3e59320d932fdedefc58811e01c3591c0699eaa4feef7fe065141be49d5f
+  data.tar.gz: 990a0eed40a6f50a76811f0250e73fd833dca1241d1cb3eb5df3d481623e5cb2a788533c266294c503dc0050d708d3219a3678dd33caee9e28901183ace5f307

data/CHANGELOG.md

@@ -1,3 +1,17 @@
+## 2.0.0 (2026-05-20)
+
+* `mini_magick`/`ruby-vips` are now soft dependencies and need to be manually added to the Gemfile (@janko)
+
+* Avoid remote shell execution vulnerability in `#apply` when arguments are coming from user input (@janko)
+
+* [vips] Unfuzzed loaders are now blocked by default (@janko)
+
+* [vips] Sharpening after resize has been disabled by default (@janko)
+
+* [minimagick] Remove deprecated `:compose` and `:geometry` keyword arguments for `#composite` (@janko)
+
+* Ruby 3.0+ is now required (@janko)
+
 ## 1.14.0 (2025-02-10)
 
 * Add support for MiniMagick 5.x (@lukeasrodgers)

data/README.md

@@ -3,11 +3,10 @@
 Provides higher-level image processing helpers that are commonly needed
 when handling image uploads.
 
-This gem can process images with either [ImageMagick]/[GraphicsMagick] or
-[libvips] libraries. ImageMagick is a good default choice, especially if you
-are migrating from another gem or library that uses ImageMagick. Libvips is a
-newer library that can process images [very rapidly][libvips performance]
-(often multiple times faster than ImageMagick).
+This gem can process images with [ImageMagick] or [libvips]. ImageMagick is a
+good default choice, especially if you are migrating from another gem or library
+that uses ImageMagick. Libvips is a newer library that can process images [very
+rapidly][libvips performance] (often multiple times faster than ImageMagick).
 
 
 ## Goal
@@ -16,7 +15,7 @@ The goal of this project is to have a single gem that contains all the
 helper methods needed to resize and process images.
 
 Currently, existing attachment gems (like Paperclip, CarrierWave, Refile,
-Dragonfly, ActiveStorage, and others) implement their own custom image
+Dragonfly, Active Storage, and others) implement their own custom image
 helper methods. But why? That's not very DRY, is it?
 
 Let's be honest. Image processing is a dark, mysterious art. So we want to
@@ -32,19 +31,23 @@ how to resize and process images.
 In a Mac terminal:
 
 ```sh
-  $ brew install imagemagick vips
+  $ brew install imagemagick # if using ImageMagick
+  $ brew install vips # if using libvips
   ```
 
  In a debian/ubuntu terminal:
 
 ```sh
-  $ sudo apt install imagemagick libvips
+  $ sudo apt install imagemagick # if using ImageMagick
+  $ sudo apt install libvips # if using libvips
   ```
 
-2. Add the gem to your Gemfile:
+2. Add the gem(s) to your Gemfile:
 
   ```rb
-  gem "image_processing", "~> 1.0"
+  gem "image_processing", "~> 2.0"
+  gem "mini_magick", "~> 5.0" # if using ImageMagick
+  gem "ruby-vips", "~> 2.0" # if using libvips
   ```
 
 
@@ -66,7 +69,7 @@ processed = ImageProcessing::MiniMagick
 processed #=> #<Tempfile:/var/folders/.../image_processing20180316-18446-1j247h6.png>
 ```
 
-This allows easy branching when generating multiple derivates:
+This allows easy branching when generating multiple derivatives:
 
 ```rb
 require "image_processing/vips"
@@ -187,22 +190,9 @@ pipeline
 
 ## Contributing
 
-Our test suite requires both `imagemagick` and `libvips` libraries to be installed.
+Our test suite requires both `imagemagick` and `libvips` libraries to be installed. Afterwards you can run tests with:
 
-In a Mac terminal:
-
-```
-$ brew install imagemagick vips
-```
-
-In a debian/ubuntu terminal:
-```shell
-sudo apt install imagemagick libvips
-```
-
-Afterwards you can run tests with
-
-```
+```sh
 $ bundle exec rake test
 ```
 

data/image_processing.gemspec

@@ -4,7 +4,7 @@ Gem::Specification.new do |spec|
   spec.name          = "image_processing"
   spec.version       = ImageProcessing::VERSION
 
-  spec.required_ruby_version = ">= 2.3"
+  spec.required_ruby_version = ">= 3.0"
 
   spec.summary       = "High-level wrapper for processing images for the web with ImageMagick or libvips."
   spec.description   = "High-level wrapper for processing images for the web with ImageMagick or libvips."
@@ -19,12 +19,9 @@ Gem::Specification.new do |spec|
   spec.metadata = { "changelog_uri" => spec.homepage + "/blob/master/CHANGELOG.md",
                     "rubygems_mfa_required" => "true" }
 
-  spec.add_dependency "mini_magick", ">= 4.9.5", "< 6"
-  spec.add_dependency "ruby-vips", ">= 2.0.17", "< 3"
-
   spec.add_development_dependency "rake"
   spec.add_development_dependency "minitest", "~> 5.8"
   spec.add_development_dependency "minitest-hooks", ">= 1.4.2"
   spec.add_development_dependency "minispec-metadata"
-  spec.add_development_dependency "dhash-vips"
+  spec.add_development_dependency "dhash-vips" unless RUBY_ENGINE == "jruby"
 end

data/lib/image_processing/chainable.rb

@@ -33,6 +33,10 @@ module ImageProcessing
     #   .apply([[:resize_to_limit, [400, 400]], [:strip, true])
     def apply(operations)
       operations.inject(self) do |builder, (name, argument)|
+        if invalid_operation?(name)
+          fail ArgumentError, "#{name.inspect} is not a valid ImageProcessing operation"
+        end
+
         if argument == true || argument == nil
           builder.public_send(name)
         elsif argument.is_a?(Array)
@@ -81,11 +85,22 @@ module ImageProcessing
 
     private
 
+    # This prevents calling unsafe Ruby core methods such as `Kernel#system`,
+    # which would allow for remote shell execution.
+    def invalid_operation?(name)
+      return true if name.end_with?("!")
+
+      owner = method(name).owner
+      [BasicObject, Kernel, Object, Module].include?(owner)
+    rescue NameError
+      false
+    end
+
     # Assume that any unknown method names an operation supported by the
     # processor. Add a bang ("!") if you want processing to be performed.
     def method_missing(name, *args, &block)
       return super if name.to_s.end_with?("?")
-      return send(name.to_s.chomp("!"), *args, &block).call if name.to_s.end_with?("!")
+      return public_send(name.to_s.chomp("!"), *args, &block).call if name.to_s.end_with?("!")
 
       operation(name, *args, &block)
     end

data/lib/image_processing/mini_magick.rb

@@ -1,5 +1,9 @@
-require "mini_magick"
 require "image_processing"
+begin
+  require "mini_magick"
+rescue LoadError
+  fail ImageProcessing::Error, "ImageProcessing::MiniMagick requires the mini_magick gem. Please add `gem \"mini_magick\", \"~> 5.0\"` to your Gemfile."
+end
 
 module ImageProcessing
   module MiniMagick
@@ -120,18 +124,9 @@ module ImageProcessing
       # Overlays the specified image over the current one. Supports specifying
       # an additional mask, composite mode, direction or offset of the overlay
       # image.
-      def composite(overlay = :none, mask: nil, mode: nil, gravity: nil, offset: nil, args: nil, **options, &block)
+      def composite(overlay = :none, mask: nil, mode: nil, gravity: nil, offset: nil, args: nil, &block)
         return magick.composite if overlay == :none
 
-        if options.key?(:compose)
-          warn "[IMAGE_PROCESSING] The :compose parameter in #composite has been renamed to :mode, the :compose alias will be removed in ImageProcessing 2."
-          mode = options[:compose]
-        end
-
-        if options.key?(:geometry)
-          warn "[IMAGE_PROCESSING] The :geometry parameter in #composite has been deprecated and will be removed in ImageProcessing 2. Use :offset instead, e.g. `geometry: \"+10+15\"` should be replaced with `offset: [10, 15]`."
-          geometry = options[:geometry]
-        end
         geometry = "%+d%+d" % offset if offset
 
         overlay_path = convert_to_path(overlay, "overlay")

data/lib/image_processing/version.rb

@@ -1,3 +1,3 @@
 module ImageProcessing
-  VERSION = "1.14.0"
+  VERSION = "2.0.0"
 end

data/lib/image_processing/vips.rb

@@ -1,7 +1,11 @@
-require "vips"
 require "image_processing"
+begin
+  require "vips"
+rescue LoadError
+  fail ImageProcessing::Error, "ImageProcessing::Vips requires the ruby-vips gem. Please add `gem \"ruby-vips\", \"~> 2.0\"` to your Gemfile."
+end
 
-fail "image_processing/vips requires libvips 8.6+" unless Vips.at_least_libvips?(8, 6)
+Vips.block_untrusted(true) if Vips.respond_to?(:block_untrusted) && !ENV["VIPS_BLOCK_UNTRUSTED"]
 
 module ImageProcessing
   module Vips
@@ -155,7 +159,7 @@ module ImageProcessing
 
       # Resizes the image according to the specified parameters, and sharpens
       # the resulting thumbnail.
-      def thumbnail(width, height, sharpen: SHARPEN_MASK, **options)
+      def thumbnail(width, height, sharpen: nil, **options)
         if self.image.is_a?(String) # path
           # resize on load
           image = ::Vips::Image.thumbnail(self.image, width, height: height, **options)
@@ -167,7 +171,11 @@ module ImageProcessing
           image = self.image.thumbnail_image(width, height: height, **options)
         end
 
-        image = image.conv(sharpen, precision: :integer) if sharpen
+        if sharpen
+          sharpen_mask = sharpen.is_a?(TrueClass) ? SHARPEN_MASK : sharpen
+          image = image.conv(sharpen_mask, precision: :integer)
+        end
+
         image
       end
 

data/lib/image_processing.rb

@@ -7,6 +7,6 @@ require "image_processing/version"
 module ImageProcessing
   Error = Class.new(StandardError)
 
-  autoload :MiniMagick, 'image_processing/mini_magick'
-  autoload :Vips, 'image_processing/vips'
+  autoload :MiniMagick, "image_processing/mini_magick"
+  autoload :Vips, "image_processing/vips"
 end

metadata

@@ -1,54 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: image_processing
 version: !ruby/object:Gem::Version
-  version: 1.14.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Janko Marohnić
 bindir: bin
 cert_chain: []
-date: 2025-02-10 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: mini_magick
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 4.9.5
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '6'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 4.9.5
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '6'
-- !ruby/object:Gem::Dependency
-  name: ruby-vips
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.0.17
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.0.17
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -152,14 +112,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '3.0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 4.0.3
 specification_version: 4
 summary: High-level wrapper for processing images for the web with ImageMagick or
   libvips.