image_vise 0.2.1 → 0.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e98d1a278c1306d99e84e78721179a9b27e32b36
-  data.tar.gz: 81b82d9c4a68142d346a36c44fc0d5716d3332fb
+  metadata.gz: cdf5ad5923491f14b204be61539b2e45869d4003
+  data.tar.gz: 4aeebb9df5fa9f232c8c6e7bbc305b3bbc49ab1b
 SHA512:
-  metadata.gz: 6e7935983502915b40a4739ae9a22ec0dd344d80a4bcd5215d9a54c74845851a8a12dbb0d14599c7d85754636d33eb57fc299c750f14da0622f7b408dae3ad1b
-  data.tar.gz: f7836e89a7cb3bc3544ca09029ab550d91281ad73fbecf51ed48563dbdc552b71f5cac2d82302be0bdeae1396a78c41719e619e599bef4d1a49a0260c04e6551
+  metadata.gz: 2f906ce580e67875972c699045df0bc1ed3826a078db16bcbc126a661b191091562644b07bcd7ec555fc05435b1d6f1570eca816850284656aae09fc4aa55206
+  data.tar.gz: ba77348924856dc11a5230cd8f430b06c93236337006c5c202eccf456a5dc8ed7e05a59b4d95c53a17a28317b267d45513f00e25748ff06ccfe31f211ad47d85

data/.gitignore

@@ -0,0 +1,8 @@
+scratchpad
+Gemfile.lock
+.bundle
+.env
+*.sqlite3
+*.log
+pkg
+coverage

data/.travis.yml

@@ -0,0 +1,13 @@
+rvm:
+- 2.1
+- 2.2
+- 2.3.0
+- 2.4.1
+sudo: false
+cache: bundler
+
+env:
+  global:
+    - SKIP_INTERACTIVE=yes
+
+script: bundle exec rspec

data/DEVELOPMENT.md

@@ -0,0 +1,111 @@
+# NOTE: Until 1.0.0 ImageVise API is somewhat in flux
+
+## Defining image operators
+
+To add an image operator, define a class roughly like so, and add it to the list of operators.
+
+    class MyBlur
+      # The constructor must accept keyword arguments if your operator accepts them
+      def initialize(radius:, sigma:)
+        @radius = radius.to_f
+        @sigma = sigma.to_f
+      end
+      
+      # Needed for the operator to be serialized to parameters
+      def to_h
+        {radius: @radius, sigma: @sigma}
+      end
+      
+      def apply!(magick_image) # The argument is a Magick::Image
+        # Apply the method to the function argument
+        blurred_image = magick_image.blur_image(@radius, @sigma)
+        
+        # Some methods (without !) return a new Magick::Image.
+        # That image has to be composited back into the original.
+        magick_image.composite!(blurred_image, Magick::CenterGravity, Magick::CopyCompositeOp)
+      ensure
+        # Make sure to explicitly destroy() all the intermediate images
+        ImageVise.destroy(blurred_image)
+      end
+    end
+    
+    # This will also make `ImageVise::Pipeline` respond to `blur(radius:.., sigma:..)`
+    ImageVise.add_operator 'my_blur', MyBlur
+
+## Defining fetchers
+
+Fetchers are based on the scheme of the image URL. Default fetchers are already defined for `http`, `https`
+and `file` schemes. If you need to grab data from a database, for instance, you can define a fetcher and register
+it:
+
+    module DatabaseFetcher
+      def self.fetch_uri_to_tempfile(uri_object)
+        tf = Tempfile.new 'data-fetch'
+        
+        object_id = uri_object.path[/\d+/]
+        data_model = ProfilePictures.find(object_id)
+        tf << data_model.body
+        
+        tf.rewind; tf
+      rescue Exception => e
+        ImageVise.close_and_unlink(tf) # do not litter Tempfiles
+        raise e
+      end
+    end
+    
+    ImageVise.register_fetcher 'profilepictures', self
+
+Once done, you can use URLs like `profilepictures:/5674`. A very simple Fetcher would just
+override the standard filesystem one (be mindful that the filesystem fetcher still checks
+path access using the glob whitelist)
+
+    class PicFetcher < ImageVise::FetcherFile
+      def self.fetch_uri_to_tempfile(uri_object)
+        # Convert an internal "pic://sites/uploads/abcdef.jpg" to a full path URL
+        partial_path = URI.decode(uri_object.path)
+        full_path = File.join(Mappe::ROOT, 'sites', partial_path)
+        full_path_uri = URI('file://' + URI.encode(full_path))
+        super(full_path_uri)
+      end
+      ImageVise.register_fetcher 'pic', self
+    end
+
+## Overriding the render engine
+
+By default, `ImageVise.call` delegates to `ImageVise::RenderEngine.new.call`. You can mount your own subclass
+instead, and it will handle everything the same way:
+
+    class MyThumbnailer < ImageVise::RenderEngine
+      ...
+    end
+    
+    map '/thumbs' do
+      run MyThumbnailer.new
+    end
+
+Note that since the API is in flux the methods you can override in `RenderEngine` can change.
+So far none of them are private.
+
+## Performance and memory
+
+ImageVise uses ImageMagick and RMagick. It _does not_ shell out to `convert` or `mogrify`, because shelling out
+is _expensive_ in terms of wall clock. It _does_ do it's best to deallocate (`#destroy!`) the image it works on,
+but it is not 100% bullet proof.
+
+Additionally, in contrast to `convert` and `mogrify` ImageVise supports _stackable_ operations, and these operations
+might be repeated with different parameters. Unfortunately, `convert` is _not_ Shake, so we cannot pass a DAG of
+image operators to it and just expect it to work. If we want to do processing of multiple steps that `convert` is
+unable to execute in one call, we have to do
+
+     [fork+exec read + convert + write] -> [fork+exec read + convert + write] + ...
+
+for each operator we want to apply in a consistent fashion. We cannot stuff all the operators into one `convert`
+command because the order the operators get applied within `convert` is not clear, whereas we need a reproducible
+deterministic order of operations (as set in the pipeline). A much better solution is - load the image into memory
+**once**, do all the transformations, save. Additionally, if you use things like OpenCL with ImageMagick, the overhead
+of loading the library and compiling the compute kernels will outweigh _any_ performance gains you might get when
+actually using them. If you are using a library it is a one-time cost, with very fast processing afterwards.
+
+Also note that image operators are not per definition Imagemagick-specific - it's completely possible to not only use
+a different library for processing them, but even to use a different image processing server complying to the
+same protocol (a signed JSON-encodded waybill of HTTP(S) source-URL + pipeline instructions).

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in image_vise.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,29 @@
+Copyright (c) 2016 WeTransfer
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+To anyone who acknowledges that the file "sRGB_v4_ICC_preference_displayclass" is
+provided "AS IS" WITH NO EXPRESS OR IMPLIED WARRANTY, permission to use,
+copy and distribute this file for any purpose is hereby granted without
+fee, provided that the file is not changed including the ICC copyright
+notice tag, and that the name of ICC shall not be used in advertising or
+publicity pertaining to distribution of the software without specific,
+written prior permission. ICC makes no representations about the
+suitability of this software for any purpose.

data/README.md

@@ -0,0 +1,213 @@
+# A thumbnailing server
+
+`ImageVise` is an image-from-url-as-a-service server for use either standalone or within a larger Rails/Rack
+framework. The main uses are:
+
+* Image resizing on request
+* Applying image filters
+
+It is implemented as a Rack application that responds to any URL and accepts the following two _last_ path
+compnents, internally named `q` and `sig`:
+
+* `q` - Base64 encoded JSON object with `src_url` and `pipeline` properties
+    (the source URL of the image and processing steps to apply)
+* `sig` - the HMAC signature, computed over the JSON in `q` before it gets Base64-encoded
+
+A request to `ImageVise` might look like this:
+
+    /acbhGyfhyYErghff/acfgheg123
+
+The URL that gets generated is best composed with the included `ImageVise.image_params` method. This method will
+take care of encoding the source URL and the commands in the right way, as well as signing.
+
+## Using ImageVise within a Rails application
+
+Mount ImageVise in your `routes.rb`:
+
+```ruby
+mount '/images' => ImageVise
+```
+
+and add an initializer (like `config/initializers/image_vise_config.rb`) to set up the permitted hosts
+
+```ruby
+ImageVise.add_allowed_host! your_application_hostname
+ImageVise.add_secret_key! ENV.fetch('IMAGE_VISE_SECRET')
+```
+
+You might want to define a helper method for generating signed URLs as well, which will look something like this:
+
+```ruby
+def thumb_url(source_image_url)
+  path = ImageVise.image_path(src_url: source_image_url, secret: ENV.fetch('IMAGE_VISE_SECRET')) do |pipeline|
+     # For example, you can also yield `pipeline` to the caller
+    pipeline.fit_crop width: 128, height: 128, gravity: 'c'
+  end
+  '/images' + path
+end
+```
+
+To preserve your sanity, make the route to the ImageVise engine terminal and do _not_ perform rewrites
+on it in your webserver configuration - for instance, Base64 permits slashes.
+
+## Using ImageVise within a Rack application
+
+Mount ImageVise under a script name in your `config.ru`:
+
+```ruby
+map '/images' do
+  run ImageVise
+end
+```
+
+and add the initialization code either to `config.ru` proper or to some file in your application:
+
+    ImageVise.add_allowed_host! your_application_hostname
+    ImageVise.add_secret_key! ENV.fetch('IMAGE_VISE_SECRET')
+
+You might want to define a helper method for generating signed URLs as well, which will look something like this:
+
+```ruby
+def thumb_url(source_image_url)
+  path_param = ImageVise.image_path(src_url: source_image_url, secret: ENV.fetch('IMAGE_VISE_SECRET')) do |pipe|
+    pipe.fit_crop width: 256, height: 256, gravity: 'c'
+    pipe.sharpen sigma: 0.5, radius: 2
+    pipe.ellipse_stencil
+  end
+  # Output a URL to the app
+  '/images' + path
+end
+```
+## Path decoding and SCRIPT_NAME
+
+`ImageVise::RenderEngine` _must_ be mounted under a `SCRIPT_NAME` (using either `mount` in Rails
+or using `map` in Rack). That is so since we may have more than 1 path component that we have to
+decode (when the Base64 payload contains slashes).
+
+## Processing files on the local filesystem instead of remote ones
+
+If you want to grab a local file, compose a `file://` URL (mind the endcoding!)
+
+    src_url = 'file://' + URI.encode(File.expand_path(my_pic))
+
+Note that you need to permit certain glob patterns as sources before this will work, see below.
+
+## Operators and pipelining
+
+ImageVise processes an image using _operators_. Each operator is just like an adjustment layer in Photoshop, except
+that it can also resize the canvas. If you are familiar with node-based compositing systems like Shake, Nuke or Fusion
+the pipeline is a node DAG with only one connection arrow going all the way. The operations are always applied in a
+destructive way, so that the additional intermediate versions don't have to be deallocated manually after processing.
+
+Each Operator is described in the pipeline using a tuple (Array) of roughly this structure:
+
+    [<operator_name>, {"<operator_param1>": <operator_param1_value>}]
+
+You can have an unlimited number of such Operators per thumbnail, and they all get encoded in the URL (well,
+technically, you _are_ limited - by the URL length supported by your web server).
+
+For example, you can use the pipeline to apply a sharpening operator _after_ resising an image (for the lack
+of decent image filtering choices in ImageMagick proper).
+
+Here is an example pipeline, JSON-encoded (this is what is passed in the URL):
+
+```json
+[
+  ["auto_orient", {}],
+  ["geom", {"geometry_string": "512x512"}],
+  ["fit_crop", {"width": 32, "height": 32, "gravity": "se"}],
+  ["sharpen", {"radius": 0.75, "sigma": 0.5}],
+  ["ellipse_stencil", {}]
+]
+```
+
+The same pipeline can be created using the `Pipeline` DSL:
+
+```ruby
+pipe = Pipeline.new.
+  auto_orient.
+  geom(geometry_string: '512x512').
+  fit_crop(width: 32, height: 32, gravity: 'se').
+  sharpen(radius: 0.75, sigma: 0.5).
+  ellipse_stencil
+```
+and can then be applied to a `Magick::Image` object:
+
+```ruby
+image = Magick::Image.read(my_image_path)[0]
+pipe.apply!(image)
+```
+
+
+## Caching
+
+The app is _designed_ to be run behind a frontline HTTP cache. The easiest is to use `Rack::Cache`, but this might
+be instance-local depending on the storage backend used. A much better idea is to run ImageVise behind a long-caching
+CDN.
+
+## Shared HMAC keys for signed URLs
+
+To allow `ImageVise` to recognize the signature when the signature is going to be received, add it to the list
+of the shared keys on the `ImageVise` server:
+
+```ruby
+ImageVise.add_secret_key!('ahoy! this is a secret!')
+```
+
+A single `ImageVise` server can maintain multiple signature keys, so that you will be able to generate thumbnails from
+multiple applications all using different keys for their signatures. Every request will be validated against
+each key and if at least one key generates the same signature for the same given parameters, it is going to be
+accepted and the request will be allowed to go through.
+
+## Hostname and filesystem validation
+
+By default, `ImageVise` will refuse to process images from URLs on "unknown" hosts. To mark a host as "known"
+tell `ImageVise` to
+
+```ruby
+ImageVise.add_allowed_host!('my-image-store.ourcompany.co.uk')
+```
+
+If you want to permit images from the local server filesystem to be accessed, add the glob pattern
+to the set of allowed filesystem patterns:
+
+```ruby
+ImageVise.allow_filesystem_source!(Rails.root + '/public/*.jpg')
+```
+
+Note that these are _glob_ patterns. The image path will be checked against them using `File.fnmatch`.
+
+## Handling errors within the rendering Rack app
+
+By default, the Rack app within ImageVise swallows all exceptions and returns the error message
+within a machine-readable JSON payload. If that doesn't work for you, or you want to add error
+handling using some error tracking provider, either subclass `ImageVise::RenderEngine` or prepend
+a module into it that will intercept the errors. See error handling in `examples/` for more.
+
+## State
+
+Except for the HTTP cache no state is stored (`ImageVise` does not care whether you store
+your images using Dragonfly, CarrierWave or some custom handling code). All the app needs is the full URL.
+
+## Running the tests, versioning, contributing
+
+By default, `bundle exec rake` will run RSpec and will also open the generated images using the `$ open` command available
+on your CLI. If you want to skip viewing those images, set the `SKIP_INTERACTIVE` environment variable to any value.
+
+The gem version is specified in `image_vise.rb`. When contributing, please follow:
+
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet.
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it.
+* Fork the project.
+* Start a feature/bugfix branch.
+* Commit and push until you are happy with your contribution.
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+### Copyright
+
+Copyright (c) 2016 WeTransfer. See LICENSE.txt for further details.
+The licensing terms also apply to the `waterside_magic_hour.jpg` test image.
+
+The sRGB color profiles are [downloaded from the ICC](http://www.color.org/srgbprofiles.xalter) and it's
+use is governed by the terms present in the LICENSE.txt

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/SECURITY.md

@@ -0,0 +1,57 @@
+# Security implications for ImageVise
+
+This lists out the implementation details of security-sensitive parts of ImageVise.
+
+## Protection of the URLs
+
+URLs are passed as Base64-encoded JSON. The HMAC signature is computed over the Base-64 encoded string,
+so altering the string (with the intention to bust the cache) will invalidate the signature.
+
+For checking HMAC values `Rack::Utils.secure_compare` constant-time comparison is used.
+
+## Throttling still recommended
+
+Throttling between the caching CDN/proxy is recommended.
+
+## Cache bypass protection for fuzzed paths
+
+ImageVise accepts exactly 2 path components, and will return early if there are more
+
+## Cache bypass protection for randomized query string params
+
+ImageVise defaults to using paths. If you have a way to forbid query strings on the fronting CDN
+or proxy server we suggest you to do so, to prevent randomized URLs from filling up your cache
+and extreme amounts of processing from happening.
+
+* `/image/<pipeline>/<sig>?&random=123`
+* `/image/<pipeline>/<sig>?&random=456`
+
+These URLs would in fact resolve to the same source image and pipeline, but would not be stored in an upstream
+CDN cache because the query string params contain extra data.
+
+## Protection for remote URLs from HTTP(s) origins
+
+Only URLs referring to permitted hosts are going to be permitted for fetching. If there are no hosts added,
+any remote URL is going to cause an exception. No special verification for whether the upstream must be HTTP
+or HTTPS is performed at this time.
+
+## Protection for "file:/" URLs
+
+The file URLs are going to be decoded, and the path component will be matched against permitted _glob patterns._
+The matching takes links (hard and soft) into account, and uses Ruby's `File.fnmatch?` under the hood. The path
+is always expanded first using `File.expand_path`. The data is not read into ImageMagick from the original location,
+but gets copied into a tempfile first.
+
+The path in to the file gets encoded in the image processing request and may be examined by the user, that will
+disclose where the source image is stored on the server's filesystem. This might be an issue - if it is,
+a customised version with a custom URL scheme should be used for the source URL.
+
+## ImageMagick memory constraints
+
+ImageVise does not set RMagick limits by itself. You should
+[set them according to the RMagick documentation.](https://rmagick.github.io/magick.html#limit_resource)
+
+## Processing time constraints
+
+If you are using forking, there will be a timeout used for how long the forked child process may run,
+which is the default timeout used in ExceptionalFork.

data/examples/config.ru

@@ -0,0 +1,17 @@
+require File.dirname(__FILE__) + '/lib/image_vise'
+
+# Add all the secret keys specified in the environment separated by a comma
+if ENV['VISE_SECRET_KEYS']
+  ENV['VISE_SECRET_KEYS'].split(',').map do | key |
+    ImageVise.add_secret_key!(key.strip)
+  end
+end
+
+# Cover things with caching, even redirects (since we do not want to ask S3 too often)
+use Rack::Cache, :metastore => 'file:tmp/cache/rack/meta', :entitystore  => 'file:tmp/cache/rack/entity', 
+  :verbose => true, :allow_reload => false, :allow_revalidate => false
+
+# Serve runtime thumbnails, under a specific URL
+map '/images'do
+  run ImageVise
+end

data/examples/custom_image_operator.rb

@@ -0,0 +1,27 @@
+class MyBlur
+  # The constructor must accept keyword arguments if your operator accepts them
+  def initialize(radius:, sigma:)
+    @radius = radius.to_f
+    @sigma = sigma.to_f
+  end
+  
+  # Needed for the operator to be serialized to parameters
+  def to_h
+    {radius: @radius, sigma: @sigma}
+  end
+  
+  def apply!(magick_image) # The argument is a Magick::Image
+    # Apply the method to the function argument
+    blurred_image = magick_image.blur_image(@radius, @sigma)
+    
+    # Some methods (without !) return a new Magick::Image.
+    # That image has to be composited back into the original.
+    magick_image.composite!(blurred_image, Magick::CenterGravity, Magick::CopyCompositeOp)
+  ensure
+    # Make sure to explicitly destroy() all the intermediate images
+    ImageVise.destroy(blurred_image)
+  end
+end
+
+# This will also make `ImageVise::Pipeline` respond to `blur(radius:.., sigma:..)`
+ImageVise.add_operator 'my_blur', MyBlur

data/examples/error_handline_appsignal.rb

@@ -0,0 +1,23 @@
+# Anywhere in your app code
+module ImageViseAppsignal
+  ImageVise::RenderEngine.prepend self
+
+  def setup_error_handling(rack_env)
+    txn = Appsignal::Transaction.current
+    txn.set_action('%s#%s' % [self.class, 'call'])
+  end
+
+  def handle_request_error(err)
+    Appsignal.add_exception(err)
+  end
+
+  def handle_generic_error(err)
+    Appsignal.add_exception(err)
+  end
+end
+
+# In config.ru
+map '/thumbnails' do
+  use Appsignal::Rack::GenericInstrumentation
+  run ImageVise
+end

data/examples/error_handling_sentry.rb

@@ -0,0 +1,25 @@
+# Anywhere in your app code
+module ImageViseSentrySupport
+  ImageVise::RenderEngine.prepend self
+
+  def setup_error_handling(rack_env)
+    @env = rack_env
+  end
+
+  def handle_request_error(err)
+    @env['rack.exception'] = err
+  end
+
+  def handle_generic_error(err)
+    @env['rack.exception'] = err
+  end
+end
+
+# In config.ru
+Raven.configure do |config|
+  config.dsn = 'https://secretoken@app.getsentry.com/1234567'
+end
+use Raven::Rack
+map '/thumbnails' do
+  run ImageVise
+end

data/image_vise.gemspec

@@ -0,0 +1,43 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'image_vise/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "image_vise"
+  spec.version       = ImageVise::VERSION
+  spec.authors       = ["Julik Tarkhanov"]
+  spec.email         = ["me@julik.nl"]
+
+  spec.summary       = "Runtime thumbnailing proxy"
+  spec.description   = "Image processing via URLs"
+  spec.homepage      = "https://github.com/WeTransfer/image_vise"
+  spec.license       = "MIT"
+
+  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
+  # to allow pushing to a single host or delete this section to allow pushing to any host.
+  if spec.respond_to?(:metadata)
+    spec.metadata['allowed_push_host'] = "https://rubygems.org"
+  else
+    raise "RubyGems 2.0 or newer is required to protect against public gem pushes."
+  end
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency 'patron', '~> 0.6'
+  spec.add_dependency 'rmagick', '~> 2.15'
+  spec.add_dependency 'ks'
+  spec.add_dependency 'magic_bytes', '~> 1'
+  spec.add_dependency 'rack', '~> 1'
+
+  spec.add_development_dependency "bundler", "~> 1.7"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rack-test"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "addressable"
+  spec.add_development_dependency "strenv"
+  spec.add_development_dependency "simplecov"
+end

data/lib/image_vise/fetchers/fetcher_file.rb

@@ -0,0 +1,27 @@
+class ImageVise::FetcherFile
+  class AccessError < StandardError
+    def http_status; 403; end
+  end
+  def self.fetch_uri_to_tempfile(uri)
+    tf = Tempfile.new 'imagevise-localfs-copy'
+    real_path_on_filesystem = File.expand_path(URI.decode(uri.path))
+    verify_filesystem_access! real_path_on_filesystem
+    # Do the checks
+    File.open(real_path_on_filesystem, 'rb') do |f|
+      IO.copy_stream(f, tf)
+    end
+    tf.rewind; tf
+  rescue Exception => e
+    ImageVise.close_and_unlink(tf)
+    raise e
+  end
+
+  def self.verify_filesystem_access!(path_on_filesystem)
+    patterns = ImageVise.allowed_filesystem_sources
+    matches = patterns.any? { |glob_pattern| File.fnmatch?(glob_pattern, path_on_filesystem) }
+    raise AccessError, "filesystem access is disabled" unless patterns.any?
+    raise AccessError, "#{path_on_filesystem} is not on the path whitelist" unless matches
+  end
+
+  ImageVise.register_fetcher 'file', self
+end

data/lib/image_vise/fetchers/fetcher_http.rb

@@ -0,0 +1,42 @@
+class ImageVise::FetcherHTTP
+  EXTERNAL_IMAGE_FETCH_TIMEOUT_SECONDS = 5
+
+  class AccessError < StandardError; end
+
+  class UpstreamError < StandardError
+    attr_accessor :http_status
+    def initialize(http_status, message)
+      super(message)
+      @http_status = http_status
+    end
+  end
+  
+  def self.fetch_uri_to_tempfile(uri)
+    tf = Tempfile.new 'imagevise-http-download'
+    verify_uri_access!(uri)
+    s = Patron::Session.new
+    s.automatic_content_encoding = true
+    s.timeout = EXTERNAL_IMAGE_FETCH_TIMEOUT_SECONDS
+    s.connect_timeout = EXTERNAL_IMAGE_FETCH_TIMEOUT_SECONDS
+    
+    response = s.get_file(uri.to_s, tf.path)
+    
+    if response.status != 200
+      raise UpstreamError.new(response.status, "Unfortunate upstream response #{response.status} on #{uri}")
+    end
+    
+    tf
+  rescue Exception => e
+    ImageVise.close_and_unlink(tf)
+    raise e
+  end
+  
+  def self.verify_uri_access!(uri)
+    host = uri.host
+    return if ImageVise.allowed_hosts.include?(uri.host)
+    raise AccessError, "#{uri} is not permitted as source"
+  end
+
+  ImageVise.register_fetcher 'http', self
+  ImageVise.register_fetcher 'https', self
+end