safe_image 0.1.0 → 0.2.0

data/lib/safe_image/sandbox.rb

@@ -16,7 +16,7 @@ module SafeImage
     }.freeze
 
     OPERATIONS = %w[
-      probe thumbnail type size dimensions info orientation optimize resize crop downsize convert convert_to_jpeg fix_orientation
+      probe thumbnail type size dimensions info orientation dominant_color optimize resize crop downsize convert convert_to_jpeg fix_orientation
       convert_favicon_to_png frame_count animated? letter_avatar optimize_image!
       sanitize_svg!
     ].freeze
@@ -50,7 +50,7 @@ module SafeImage
       raise Error, "landlock sandbox requested but the landlock gem is unavailable"
     rescue Landlock::SafeExec::CommandError => e
       raise CommandError.new(
-        "sandboxed command failed",
+        "sandboxed command failed: #{failure_detail(e)}",
         command: argv,
         status: e.status&.exitstatus,
         stdout: e.stdout,
@@ -65,20 +65,21 @@ module SafeImage
       operation == "type" && result ? result.to_sym : result
     end
 
-    def thumbnail(request)
-      public_call!(
-        :thumbnail,
-        args: [],
-        kwargs: request.merge(execution: :inline)
-      )
-    end
-
     def run_worker!(operation, request)
       operation = operation.to_s
       raise ArgumentError, "unsupported sandbox operation: #{operation}" unless OPERATIONS.include?(operation)
 
       require "landlock"
-      payload = JSON.dump({ operation: operation, request: request })
+      config = SafeImage.config
+      payload = JSON.dump(
+        {
+          operation: operation,
+          request: request,
+          # The worker is a fresh process and must be configured like the
+          # parent — minus landlock, since it already runs inside the sandbox.
+          config: { backend: config.backend, max_pixels: config.max_pixels }
+        }
+      )
       code = <<~'RUBY'
         require "json"
         require "safe_image"
@@ -97,7 +98,7 @@ module SafeImage
         payload = JSON.parse(ARGV.fetch(0), symbolize_names: true)
         operation = payload.fetch(:operation).to_s
         allowed_operations = %w[
-          probe thumbnail type size dimensions info orientation optimize resize crop downsize convert convert_to_jpeg fix_orientation
+          probe thumbnail type size dimensions info orientation dominant_color optimize resize crop downsize convert convert_to_jpeg fix_orientation
           convert_favicon_to_png frame_count animated? letter_avatar optimize_image! sanitize_svg!
         ]
         raise ArgumentError, "unsupported sandbox operation: #{operation}" unless allowed_operations.include?(operation)
@@ -106,9 +107,14 @@ module SafeImage
         args = request[:args] || []
         kwargs = deep_symbolize(request[:kwargs] || {})
 
-        result = SafeImage.with_sandbox_disabled do
-          SafeImage.__send__(operation, *args, **kwargs)
-        end
+        config = payload.fetch(:config)
+        SafeImage.configure!(
+          backend: config.fetch(:backend).to_sym,
+          landlock: false,
+          max_pixels: config.fetch(:max_pixels)
+        )
+
+        result = SafeImage.__send__(operation, *args, **kwargs)
 
         if defined?(SafeImage::Result) && result.is_a?(SafeImage::Result)
           puts JSON.dump({ __type: "Result", data: result.to_h })
@@ -161,7 +167,7 @@ module SafeImage
       raise Error, "landlock sandbox requested but the landlock gem is unavailable"
     rescue Landlock::SafeExec::CommandError => e
       raise CommandError.new(
-        "sandboxed worker failed",
+        "sandboxed worker failed: #{failure_detail(e)}",
         command: [RbConfig.ruby, "-e", "..."],
         status: e.status&.exitstatus,
         stdout: e.stdout,
@@ -221,7 +227,18 @@ module SafeImage
       paths << RbConfig::CONFIG["rubyarchdir"]
       paths << RbConfig::CONFIG["sitearchdir"]
       paths << RbConfig::CONFIG["vendorarchdir"]
+      # An --enable-shared Ruby installed outside the default read roots
+      # (e.g. GitHub Actions' /opt/hostedtoolcache builds) keeps libruby in
+      # libdir; without read access the worker dies at dynamic-link time
+      # before any Ruby code runs.
+      paths << RbConfig::CONFIG["libdir"]
       paths << File.dirname(RbConfig.ruby)
+      # Pango/fontconfig need the font directories and configs for the native
+      # letter_avatar text rendering inside the worker.
+      paths << "/etc/fonts"
+      paths << "/usr/share/fonts"
+      paths << "/usr/local/share/fonts"
+      paths << "/var/cache/fontconfig"
       paths
     end
 
@@ -229,6 +246,15 @@ module SafeImage
       paths.flatten.compact.map(&:to_s).reject(&:empty?).select { |path| File.exist?(path) }.uniq
     end
 
+    # Sandbox failures often happen before the child can run any Ruby (e.g. a
+    # denied shared-library read kills it at dynamic-link time); without the
+    # child's stderr in the message they are undiagnosable from a CI log.
+    def failure_detail(error)
+      detail = error.stderr.to_s.strip
+      detail = "exit status #{error.status&.exitstatus.inspect}" if detail.empty?
+      detail[0, 2000]
+    end
+
     def symbolize(hash)
       hash.transform_keys(&:to_sym)
     end

data/lib/safe_image/svg_metadata.rb

@@ -2,6 +2,7 @@
 
 require "pathname"
 require "rexml/document"
+require "rexml/parsers/pullparser"
 
 module SafeImage
   module SvgMetadata
@@ -31,14 +32,13 @@ module SafeImage
     end
 
     def dimensions(path, max_pixels: nil, max_bytes: MAX_SVG_BYTES)
-      path = safe_svg_path(path)
-      doc = parse(path, max_bytes: max_bytes)
-      root = doc.root
-      width = parse_length(root.attributes["width"])
-      height = parse_length(root.attributes["height"])
+      xml = read_svg(path, max_bytes: max_bytes)
+      _name, attributes = scan_svg!(xml)
+      width = parse_length(attributes["width"])
+      height = parse_length(attributes["height"])
 
       unless width && height
-        view_box = parse_view_box(root.attributes["viewBox"])
+        view_box = parse_view_box(attributes["viewBox"])
         width ||= view_box&.fetch(2)
         height ||= view_box&.fetch(3)
       end
@@ -46,7 +46,22 @@ module SafeImage
       validate_dimensions!(width, height, max_pixels: max_pixels)
     end
 
+    # Builds the full REXML tree. Used only by the SVG sanitizer, which needs to
+    # walk and rewrite the document; metadata reads go through the DOM-free
+    # streaming path above. The streaming validation runs first so a document
+    # that breaches the structural caps is rejected before the tree is built.
     def parse(path, max_bytes: MAX_SVG_BYTES)
+      xml = read_svg(path, max_bytes: max_bytes)
+      scan_svg!(xml)
+      doc = REXML::Document.new(xml)
+      raise InvalidImageError, "SVG root required" unless doc.root&.name == "svg"
+
+      doc
+    rescue REXML::ParseException => e
+      raise InvalidImageError, "invalid SVG: #{e.message}"
+    end
+
+    def read_svg(path, max_bytes: MAX_SVG_BYTES)
       path = safe_svg_path(path)
       size = File.size(path)
       raise LimitError, "SVG exceeds #{max_bytes} bytes" if size > max_bytes
@@ -54,13 +69,7 @@ module SafeImage
       xml = File.binread(path, max_bytes + 1)
       raise LimitError, "SVG exceeds #{max_bytes} bytes" if xml.bytesize > max_bytes
       reject_unsafe_xml!(xml)
-      doc = REXML::Document.new(xml)
-      raise InvalidImageError, "SVG root required" unless doc.root&.name == "svg"
-
-      validate_tree!(doc.root)
-      doc
-    rescue REXML::ParseException => e
-      raise InvalidImageError, "invalid SVG: #{e.message}"
+      xml
     end
 
     def safe_svg_path(path)
@@ -110,23 +119,44 @@ module SafeImage
       [width.ceil, height.ceil]
     end
 
-    def validate_tree!(root)
-      counters = { elements: 0, attributes: 0 }
-      validate_element!(root, depth: 0, counters: counters)
-    end
-
-    def validate_element!(element, depth:, counters:)
-      raise LimitError, "SVG nesting exceeds #{MAX_SVG_DEPTH}" if depth > MAX_SVG_DEPTH
-
-      counters[:elements] += 1
-      raise LimitError, "SVG has too many elements" if counters[:elements] > MAX_SVG_ELEMENTS
-
-      counters[:attributes] += element.attributes.length
-      raise LimitError, "SVG has too many attributes" if counters[:attributes] > MAX_SVG_ATTRIBUTES
-
-      element.elements.each do |child|
-        validate_element!(child, depth: depth + 1, counters: counters)
+    # Streams the document with a pull parser, enforcing the structural caps as
+    # events arrive, so a hostile "millions of tiny elements" document is
+    # rejected at the cap without ever retaining the multi-million-object DOM
+    # that a parse-then-validate approach would build first. Returns the root
+    # element's name and its attributes hash.
+    def scan_svg!(xml)
+      parser = REXML::Parsers::PullParser.new(xml)
+      depth = -1
+      elements = 0
+      attributes = 0
+      root_name = nil
+      root_attributes = nil
+
+      while parser.has_next?
+        event = parser.pull
+        if event.start_element?
+          depth += 1
+          raise LimitError, "SVG nesting exceeds #{MAX_SVG_DEPTH}" if depth > MAX_SVG_DEPTH
+
+          elements += 1
+          raise LimitError, "SVG has too many elements" if elements > MAX_SVG_ELEMENTS
+
+          attributes += event[1].size
+          raise LimitError, "SVG has too many attributes" if attributes > MAX_SVG_ATTRIBUTES
+
+          if root_name.nil?
+            root_name = event[0]
+            root_attributes = event[1]
+          end
+        elsif event.end_element?
+          depth -= 1
+        end
       end
+
+      raise InvalidImageError, "SVG root required" unless root_name == "svg"
+      [root_name, root_attributes]
+    rescue REXML::ParseException => e
+      raise InvalidImageError, "invalid SVG: #{e.message}"
     end
   end
 end

data/lib/safe_image/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SafeImage
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/lib/safe_image/vips_backend.rb

@@ -20,6 +20,63 @@ module SafeImage
       Native.resize(input.to_s, output.to_s, scale, normalized_format(format), Integer(quality), max_pixels)
     end
 
+    def dominant_color(input, max_pixels: nil)
+      input = PathSafety.ensure_regular_file!(input).to_s
+      rgb = Native.dominant_color(input, max_pixels)
+      format("%02X%02X%02X", *rgb)
+    end
+
+    def frame_count(input, max_pixels: nil)
+      input = PathSafety.ensure_regular_file!(input).to_s
+      Native.pages(input, max_pixels)
+    end
+
+    def orientation(input, max_pixels: nil)
+      input = PathSafety.ensure_regular_file!(input).to_s
+      Native.orientation(input, max_pixels)
+    end
+
+    # Maps the public font tokens (shared with the ImageMagick backend) to
+    # Pango family names. DejaVu Sans additionally pins the font file bundled
+    # with the gem, so its rendering does not depend on host fonts.
+    BUNDLED_DEJAVU = File.expand_path("fonts/DejaVuSans.ttf", __dir__)
+    PANGO_FONTS = {
+      "DejaVu-Sans" => ["DejaVu Sans", BUNDLED_DEJAVU],
+      "NimbusSans-Regular" => ["Nimbus Sans", nil],
+      "Liberation-Sans" => ["Liberation Sans", nil],
+      "Arial" => ["Arial", nil],
+      "Helvetica" => ["Helvetica", nil],
+      "Adwaita-Sans" => ["Adwaita Sans", nil]
+    }.freeze
+
+    def letter_avatar(output:, size:, background_rgb:, letter:, pointsize: 280, font: "DejaVu-Sans")
+      started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+      output = PathSafety.ensure_safe_output_path!(output).to_s
+      size = Integer(size)
+      raise ArgumentError, "size must be 1..4096" unless (1..4096).cover?(size)
+      pointsize = Integer(pointsize)
+      raise ArgumentError, "pointsize must be 1..2000" unless (1..2000).cover?(pointsize)
+      rgb = Array(background_rgb).map { |value| Integer(value) }
+      unless rgb.length == 3 && rgb.all? { |value| (0..255).cover?(value) }
+        raise ArgumentError, "background_rgb must have three channels in 0..255"
+      end
+      family, fontfile = PANGO_FONTS.fetch(font.to_s) { raise ArgumentError, "unsupported font: #{font.to_s.inspect}" }
+      fontfile = nil unless fontfile && File.file?(fontfile)
+
+      # vips_text parses Pango markup, and the glyph derives from user input.
+      glyph = letter.to_s.each_grapheme_cluster.first.to_s.strip
+      markup = glyph.gsub("&", "&amp;").gsub("<", "&lt;").gsub(">", "&gt;")
+
+      Native.letter_avatar(output, size, rgb[0], rgb[1], rgb[2], markup, "#{family} #{pointsize}", fontfile.to_s)
+      {
+        input_format: "generated",
+        output_format: "png",
+        width: size,
+        height: size,
+        duration_ms: (Process.clock_gettime(Process::CLOCK_MONOTONIC) - started) * 1000
+      }
+    end
+
     def normalized_format(format)
       format = format.to_s.downcase
       format == "jpeg" ? "jpg" : format

data/lib/safe_image/vips_glue.rb

@@ -0,0 +1,361 @@
+# frozen_string_literal: true
+
+require "fiddle"
+
+module SafeImage
+  # Minimal Fiddle binding for libvips. Instead of libvips' variadic C
+  # convenience API, operations are invoked through the fixed-signature
+  # GObject layer: vips_operation_new -> set properties as GValues ->
+  # vips_cache_operation_build -> read outputs -> unref. The invocation
+  # pattern is modelled on ruby-vips (MIT, Copyright (c) 2016 John Cupitt,
+  # https://github.com/libvips/ruby-vips), trimmed to exactly the operations
+  # SafeImage::Native performs — the function table below doubles as an
+  # operation allowlist.
+  module VipsGlue
+    GVALUE_SIZE = 24
+    GVALUE_ZERO = ("\0" * GVALUE_SIZE).freeze
+    # Public, decades-stable GParamSpec ABI: GTypeInstance(8) + name(8) +
+    # flags(4 + padding) puts value_type at byte 24.
+    PSPEC_VALUE_TYPE_OFFSET = 24
+
+    LIBRARY_CANDIDATES = %w[libvips.so.42 libvips.42.dylib libvips.dylib libvips.so].freeze
+
+    TYPE = {
+      void: Fiddle::TYPE_VOID,
+      int: Fiddle::TYPE_INT,
+      double: Fiddle::TYPE_DOUBLE,
+      size_t: Fiddle::TYPE_SIZE_T,
+      ptr: Fiddle::TYPE_VOIDP
+    }.freeze
+
+    # Fixed-signature entry points only; no varargs anywhere. The g_*
+    # symbols resolve through the libvips handle via its GLib dependency.
+    SIGNATURES = {
+      vips_init: [%i[ptr], :int],
+      vips_version: [%i[int], :int],
+      vips_error_buffer: [[], :ptr],
+      vips_error_clear: [[], :void],
+      vips_block_untrusted_set: [%i[int], :void],
+      vips_operation_block_set: [%i[ptr int], :void],
+      vips_concurrency_set: [%i[int], :void],
+      vips_cache_set_max: [%i[int], :void],
+      vips_cache_set_max_mem: [%i[size_t], :void],
+      vips_cache_set_max_files: [%i[int], :void],
+      vips_type_find: [%i[ptr ptr], :size_t],
+      vips_enum_from_nick: [%i[ptr size_t ptr], :int],
+      vips_operation_new: [%i[ptr], :ptr],
+      vips_cache_operation_build: [%i[ptr], :ptr],
+      vips_object_unref_outputs: [%i[ptr], :void],
+      vips_value_set_array_double: [%i[ptr ptr int], :void],
+      vips_image_get_width: [%i[ptr], :int],
+      vips_image_get_height: [%i[ptr], :int],
+      vips_image_get_bands: [%i[ptr], :int],
+      vips_image_get_n_pages: [%i[ptr], :int],
+      vips_image_get_orientation: [%i[ptr], :int],
+      vips_image_hasalpha: [%i[ptr], :int],
+      vips_colourspace_issupported: [%i[ptr], :int],
+      vips_image_new_from_memory_copy: [%i[ptr size_t int int int int], :ptr],
+      vips_image_write_to_memory: [%i[ptr ptr], :ptr],
+      g_object_ref: [%i[ptr], :ptr],
+      g_object_unref: [%i[ptr], :void],
+      g_object_set_property: [%i[ptr ptr ptr], :void],
+      g_object_get_property: [%i[ptr ptr ptr], :void],
+      g_object_class_find_property: [%i[ptr ptr], :ptr],
+      g_value_init: [%i[ptr size_t], :ptr],
+      g_value_unset: [%i[ptr], :void],
+      g_value_set_boolean: [%i[ptr int], :void],
+      g_value_set_int: [%i[ptr int], :void],
+      g_value_set_double: [%i[ptr double], :void],
+      g_value_set_string: [%i[ptr ptr], :void],
+      g_value_set_enum: [%i[ptr int], :void],
+      g_value_set_flags: [%i[ptr int], :void],
+      g_value_set_object: [%i[ptr ptr], :void],
+      g_value_get_object: [%i[ptr], :ptr],
+      g_type_fundamental: [%i[size_t], :size_t],
+      g_type_from_name: [%i[ptr], :size_t],
+      g_free: [%i[ptr], :void]
+    }.freeze
+
+    @initialized = false
+    @load_error = nil
+    @init_mutex = Mutex.new
+
+    class << self
+      def init!
+        return if @initialized
+        raise @load_error if @load_error
+
+        @init_mutex.synchronize do
+          next if @initialized
+          raise @load_error if @load_error
+
+          handle = open_library
+          @functions = SIGNATURES.to_h do |name, (args, ret)|
+            address = handle[name.to_s]
+            [name, Fiddle::Function.new(address, args.map { |t| TYPE.fetch(t) }, TYPE.fetch(ret))]
+          end
+
+          silence_vips_log!
+          raise Error, "vips_init failed: #{error_message}" if c(:vips_init, "safe_image") != 0
+
+          major = c(:vips_version, 0)
+          minor = c(:vips_version, 1)
+          @version = [major, minor]
+          raise Error, "libvips >= 8.13 is required (found #{major}.#{minor})" if (@version <=> [8, 13]).negative?
+
+          harden!
+          resolve_gtypes!
+          @initialized = true
+        end
+      end
+
+      def version
+        init!
+        @version
+      end
+
+      # True when libvips loaded (or loads) successfully. A load failure is
+      # memoized; the gem keeps working through the ImageMagick paths.
+      def available?
+        init!
+        true
+      rescue VipsUnavailableError
+        false
+      end
+
+      # Calls a bound C function by name.
+      def c(name, *args)
+        @functions.fetch(name).call(*args)
+      end
+
+      def error!
+        message = error_message
+        c(:vips_error_clear)
+        raise InvalidImageError, message
+      end
+
+      def error_message
+        ptr = c(:vips_error_buffer)
+        message = ptr.null? ? "" : ptr.to_s
+        message.empty? ? "libvips error" : message.strip
+      end
+
+      def type_find?(nickname)
+        init!
+        !c(:vips_type_find, "VipsOperation", nickname).zero?
+      end
+
+      def unref(image_ptr)
+        c(:g_object_unref, image_ptr) if image_ptr && !image_ptr.null?
+      end
+
+      # Tracks every acquired VipsImage pointer and releases all of them when
+      # the block exits, success or failure. Pipelines are strictly linear,
+      # so deterministic unref in reverse order is sufficient.
+      def with_images
+        acquired = []
+        track = lambda do |ptr|
+          acquired << ptr
+          ptr
+        end
+        init!
+        yield track
+      ensure
+        acquired.reverse_each { |ptr| unref(ptr) }
+      end
+
+      # Invokes one vips operation. Property values are converted according
+      # to the property's GType: booleans, ints, doubles, strings, enums
+      # (given as nick strings), flags, double arrays and VipsImage pointers.
+      # Returns the named output image pointer (caller owns one reference),
+      # or nil when output is nil (savers).
+      def operation(nickname, inputs, output: "out")
+        op = c(:vips_operation_new, nickname)
+        raise UnsupportedFormatError, "unknown vips operation: #{nickname}" if op.null?
+
+        begin
+          inputs.each { |name, value| set_property(op, name.to_s, value) }
+
+          built = c(:vips_cache_operation_build, op)
+          if built.null?
+            c(:vips_object_unref_outputs, op)
+            error!
+          end
+
+          begin
+            output ? image_output(built, output) : nil
+          ensure
+            c(:vips_object_unref_outputs, built)
+            c(:g_object_unref, built)
+          end
+        ensure
+          c(:g_object_unref, op)
+        end
+      end
+
+      def width(image_ptr) = c(:vips_image_get_width, image_ptr)
+      def height(image_ptr) = c(:vips_image_get_height, image_ptr)
+      def bands(image_ptr) = c(:vips_image_get_bands, image_ptr)
+      def pages(image_ptr) = c(:vips_image_get_n_pages, image_ptr)
+      def orientation(image_ptr) = c(:vips_image_get_orientation, image_ptr)
+      def alpha?(image_ptr) = !c(:vips_image_hasalpha, image_ptr).zero?
+      def colourspace_supported?(image_ptr) = !c(:vips_colourspace_issupported, image_ptr).zero?
+
+      def image_from_memory(bytes, width, height, bands, format_number)
+        init!
+        ptr = c(:vips_image_new_from_memory_copy, bytes, bytes.bytesize, width, height, bands, format_number)
+        error! if ptr.null?
+        ptr
+      end
+
+      # Copies the image's pixel data out as a binary string (used to read
+      # the tiny vips_stats matrix without binding the variadic getpoint).
+      def image_bytes(image_ptr)
+        size_out = Fiddle::Pointer.malloc(Fiddle::SIZEOF_SIZE_T, Fiddle::RUBY_FREE)
+        buffer = c(:vips_image_write_to_memory, image_ptr, size_out)
+        error! if buffer.null?
+        begin
+          buffer[0, size_out[0, Fiddle::SIZEOF_SIZE_T].unpack1("J")]
+        ensure
+          c(:g_free, buffer)
+        end
+      end
+
+      private
+
+      def open_library
+        errors = []
+        override = ENV["SAFE_IMAGE_LIBVIPS"]
+        # An explicit override is authoritative: no fallback to the default
+        # names (this also lets tests simulate a vips-less host).
+        candidates = override && !override.empty? ? [override] : LIBRARY_CANDIDATES
+        candidates.each do |name|
+          return Fiddle.dlopen(name)
+        rescue Fiddle::DLError => e
+          errors << e.message
+        end
+        @load_error = VipsUnavailableError.new(
+          "could not load libvips (install the libvips runtime package, e.g. libvips42 on Debian): #{errors.join("; ")}"
+        )
+        raise @load_error
+      end
+
+      def harden!
+        # Block operations libvips tags unsafe for untrusted input, plus the
+        # ImageMagick loader classes by name. The libjxl loader/saver are
+        # deliberately re-enabled: JPEG XL is part of the supported input
+        # surface and inputs still pass extension routing and pixel caps.
+        c(:vips_block_untrusted_set, 1)
+        c(:vips_operation_block_set, "VipsForeignLoadMagick", 1)
+        c(:vips_operation_block_set, "VipsForeignLoadMagick6", 1)
+        c(:vips_operation_block_set, "VipsForeignLoadMagick7", 1)
+        c(:vips_operation_block_set, "VipsForeignLoadJxl", 0)
+        c(:vips_operation_block_set, "VipsForeignSaveJxl", 0)
+
+        # Keep the embedded path predictable and bounded.
+        c(:vips_concurrency_set, 1)
+        c(:vips_cache_set_max, 0)
+        c(:vips_cache_set_max_mem, 0)
+        c(:vips_cache_set_max_files, 0)
+      end
+
+      # Hostile input is expected here; libvips' GLib warnings about it (for
+      # example "Not a PNG file") would otherwise litter stderr on every
+      # rejected upload. Failures still surface as exceptions with the same
+      # detail. Setting VIPS_WARNING makes vips_init install its own C-level
+      # no-op log handler — this must NOT be done with a Ruby callback, which
+      # libvips may invoke from non-Ruby threads and crash the VM. Set
+      # SAFE_IMAGE_VIPS_WARNINGS=1 to keep the warnings.
+      def silence_vips_log!
+        if ENV["SAFE_IMAGE_VIPS_WARNINGS"] == "1"
+          # VIPS_WARNING may be inherited from a parent process where this
+          # gem set it; the explicit opt-in to warnings wins.
+          ENV.delete("VIPS_WARNING")
+        else
+          ENV["VIPS_WARNING"] ||= "1"
+        end
+      end
+
+      def resolve_gtypes!
+        @gtype = {}
+        {
+          boolean: "gboolean",
+          int: "gint",
+          uint64: "guint64",
+          double: "gdouble",
+          string: "gchararray",
+          enum: "GEnum",
+          flags: "GFlags",
+          boxed: "GBoxed",
+          object: "GObject",
+          image: "VipsImage",
+          array_double: "VipsArrayDouble"
+        }.each do |key, name|
+          gtype = c(:g_type_from_name, name)
+          raise Error, "GType #{name} is not registered" if gtype.zero?
+          @gtype[key] = gtype
+        end
+      end
+
+      def with_gvalue(gtype)
+        buffer = Fiddle::Pointer.malloc(GVALUE_SIZE, Fiddle::RUBY_FREE)
+        buffer[0, GVALUE_SIZE] = GVALUE_ZERO
+        c(:g_value_init, buffer, gtype)
+        begin
+          yield buffer
+        ensure
+          c(:g_value_unset, buffer)
+        end
+      end
+
+      def set_property(object_ptr, name, value)
+        name = name.tr("_", "-")
+        klass = object_ptr[0, Fiddle::SIZEOF_VOIDP].unpack1("J")
+        pspec = c(:g_object_class_find_property, klass, name)
+        raise Error, "vips operation has no argument #{name.inspect}" if pspec.null?
+
+        value_type = pspec[PSPEC_VALUE_TYPE_OFFSET, Fiddle::SIZEOF_VOIDP].unpack1("J")
+        with_gvalue(value_type) do |gvalue|
+          write_gvalue(gvalue, value_type, name, value)
+          c(:g_object_set_property, object_ptr, name, gvalue)
+        end
+      end
+
+      def write_gvalue(gvalue, value_type, name, value)
+        case c(:g_type_fundamental, value_type)
+        when @gtype[:boolean] then c(:g_value_set_boolean, gvalue, value ? 1 : 0)
+        when @gtype[:int] then c(:g_value_set_int, gvalue, Integer(value))
+        when @gtype[:double] then c(:g_value_set_double, gvalue, Float(value))
+        when @gtype[:string] then c(:g_value_set_string, gvalue, value.to_s)
+        when @gtype[:enum] then c(:g_value_set_enum, gvalue, enum_value(value_type, value))
+        when @gtype[:flags] then c(:g_value_set_flags, gvalue, Integer(value))
+        when @gtype[:object] then c(:g_value_set_object, gvalue, value)
+        when @gtype[:boxed]
+          raise Error, "unsupported boxed type for #{name.inspect}" unless value_type == @gtype[:array_double]
+          doubles = Array(value).map { |v| Float(v) }
+          c(:vips_value_set_array_double, gvalue, doubles.pack("d*"), doubles.length)
+        else
+          raise Error, "unsupported GType for vips argument #{name.inspect}"
+        end
+      end
+
+      def enum_value(value_type, value)
+        return Integer(value) if value.is_a?(Integer)
+
+        number = c(:vips_enum_from_nick, "safe_image", value_type, value.to_s)
+        error! if number.negative?
+        number
+      end
+
+      def image_output(op_ptr, name)
+        with_gvalue(@gtype[:image]) do |gvalue|
+          c(:g_object_get_property, op_ptr, name, gvalue)
+          ptr = c(:g_value_get_object, gvalue)
+          raise InvalidImageError, "vips operation produced no output" if ptr.null?
+          c(:g_object_ref, ptr)
+          ptr
+        end
+      end
+    end
+  end
+end