safe_image 0.1.0 → 0.2.0

data/lib/safe_image.rb

@@ -4,16 +4,31 @@ require_relative "safe_image/version"
 
 module SafeImage
   class Error < StandardError; end
+
+  # Raised when any operation is attempted before SafeImage.configure!.
+  class NotConfiguredError < Error; end
+
   class UnsupportedFormatError < Error; end
+
+  # Raised when libvips cannot be loaded at runtime. configure!(backend: :vips)
+  # surfaces this at boot; operations never fall back to ImageMagick.
+  class VipsUnavailableError < UnsupportedFormatError; end
   class UnsafePathError < Error; end
   class InvalidImageError < Error; end
   class LimitError < Error; end
 
-  # Default decompression-bomb ceiling for the libvips processing path when the
-  # caller does not pass an explicit max_pixels. Mirrored in the native
-  # extension (SAFE_IMAGE_DEFAULT_MAX_PIXELS) and aligned with the 128MP area
-  # limit on the ImageMagick path. Pass max_pixels to raise or lower it.
+  # Default decompression-bomb ceiling when configure! is not given an explicit
+  # max_pixels. Mirrored in the native binding (SAFE_IMAGE_DEFAULT_MAX_PIXELS)
+  # and aligned with the 128MP area limit on the ImageMagick path. Per-call
+  # max_pixels: overrides the configured value.
   DEFAULT_MAX_PIXELS = 128 * 1024 * 1024
+
+  BACKENDS = %i[vips imagemagick].freeze
+
+  # Process-wide configuration. configure! builds a frozen instance and swaps
+  # it in with a single assignment, so readers never observe a half-applied
+  # config.
+  Config = Data.define(:backend, :landlock, :max_pixels)
 end
 
 require_relative "safe_image/native"
@@ -25,6 +40,7 @@ require_relative "safe_image/optimizer"
 require_relative "safe_image/svg_metadata"
 require_relative "safe_image/svg_sanitizer"
 require_relative "safe_image/remote"
+require_relative "safe_image/ico"
 require_relative "safe_image/image_magick_backend"
 require_relative "safe_image/jpegli_backend"
 require_relative "safe_image/vips_backend"
@@ -34,46 +50,79 @@ require_relative "safe_image/discourse_compat"
 module SafeImage
   module_function
 
-  @sandbox_enabled = false
-
-  def enable_sandbox!
-    raise Error, "landlock sandbox requested but unavailable" unless Sandbox.available?
-    @sandbox_enabled = true
-  end
+  @config = nil
+
+  # Decides, in one place, everything that varies by host: which backend
+  # decodes untrusted bytes, whether operations run inside the Landlock
+  # sandbox, and the default decompression-bomb ceiling. Must be called before
+  # any operation; calling it again replaces the configuration.
+  #
+  # Validation is eager so a misconfigured host fails at boot rather than on
+  # the first request.
+  def configure!(backend:, landlock:, max_pixels: DEFAULT_MAX_PIXELS)
+    backend = backend.to_sym
+    unless BACKENDS.include?(backend)
+      raise ArgumentError, "unknown backend: #{backend.inspect} (expected :vips or :imagemagick)"
+    end
+    unless [true, false].include?(landlock)
+      raise ArgumentError, "landlock must be true or false, got: #{landlock.inspect}"
+    end
+    max_pixels = Integer(max_pixels)
+    raise ArgumentError, "max_pixels must be positive" if max_pixels <= 0
+
+    case backend
+    when :vips
+      begin
+        VipsGlue.init!
+      rescue VipsUnavailableError => e
+        raise Error, "backend: :vips requested but libvips is unavailable: #{e.message}"
+      end
+    when :imagemagick
+      unless Runner.available?("magick") || Runner.available?("convert")
+        raise Error, "backend: :imagemagick requested but no magick/convert executable was found"
+      end
+    end
+    if landlock && !Sandbox.available?
+      raise Error, "landlock: true requested but the Landlock sandbox is unavailable on this host"
+    end
 
-  def disable_sandbox!
-    @sandbox_enabled = false
+    @config = Config.new(backend: backend, landlock: landlock, max_pixels: max_pixels)
   end
 
-  def sandbox_enabled?
-    @sandbox_enabled && ENV["SAFE_IMAGE_SANDBOX_CHILD"] != "1"
+  def config
+    @config || raise(NotConfiguredError, "call SafeImage.configure!(backend: :vips | :imagemagick, landlock: true | false) before using SafeImage")
   end
 
-  def with_sandbox_disabled
-    previous = @sandbox_enabled
-    @sandbox_enabled = false
-    yield
-  ensure
-    @sandbox_enabled = previous
-  end
+  def configured? = !@config.nil?
 
   def sandbox_available? = Sandbox.available?
 
-  def sandbox_call(operation, args: [], kwargs: {})
-    Sandbox.public_call!(operation, args: args, kwargs: kwargs)
+  # Internal: whether operations must route through the sandbox worker. False
+  # before configure! (so configure!'s own availability probes can run
+  # commands) and inside worker children (so sandboxed operations never nest).
+  def sandbox?
+    !!@config&.landlock && ENV["SAFE_IMAGE_SANDBOX_CHILD"] != "1"
+  end
+
+  # Internal: per-call max_pixels overrides the configured default.
+  def resolved_max_pixels(max_pixels)
+    max_pixels.nil? ? config.max_pixels : max_pixels
   end
 
   def maybe_sandbox(operation, args: [], kwargs: {})
-    return yield unless sandbox_enabled?
+    config
+    return yield unless sandbox?
 
-    sandbox_call(operation, args: args, kwargs: kwargs)
+    Sandbox.public_call!(operation, args: args, kwargs: kwargs)
   end
 
   def probe(path, max_pixels: nil)
     maybe_sandbox(:probe, args: [path], kwargs: { max_pixels: max_pixels }) do
       path = PathSafety.local_path(path)
+      max_pixels = resolved_max_pixels(max_pixels)
 
-      if File.extname(path).downcase == ".svg"
+      case File.extname(path).downcase
+      when ".svg"
         info = SvgMetadata.probe(path, max_pixels: max_pixels)
         Result.new(
           input: File.expand_path(path),
@@ -87,10 +136,26 @@ module SafeImage
           duration_ms: info.fetch(:duration_ms),
           optimizer: nil
         )
+      when ".ico"
+        # Pure-Ruby directory parse; reports the largest entry's dimensions.
+        info = Ico.probe(path, max_pixels: max_pixels)
+        Result.new(
+          input: File.expand_path(path),
+          output: nil,
+          input_format: "ico",
+          output_format: nil,
+          width: info.fetch(:width),
+          height: info.fetch(:height),
+          filesize: File.size(path),
+          backend: "ico-metadata",
+          duration_ms: info.fetch(:duration_ms),
+          optimizer: nil
+        )
       else
-        begin
+        case config.backend
+        when :vips
           Processor.new(max_pixels: max_pixels).probe(path)
-        rescue UnsupportedFormatError
+        when :imagemagick
           info = ImageMagickBackend.probe(path, max_pixels: max_pixels)
           Result.new(
             input: File.expand_path(path),
@@ -144,24 +209,60 @@ module SafeImage
 
   def orientation(path, max_pixels: nil)
     maybe_sandbox(:orientation, args: [path], kwargs: { max_pixels: max_pixels }) do
-      if File.extname(PathSafety.local_path(path)).downcase == ".svg"
+      case File.extname(PathSafety.local_path(path)).downcase
+      when ".svg", ".ico"
+        # No EXIF orientation in either format; upright by definition.
         1
       else
-        probe(path, max_pixels: max_pixels) if max_pixels
-        ImageMagickBackend.orientation(path)
+        max_pixels = resolved_max_pixels(max_pixels)
+        case config.backend
+        when :vips
+          # Header-only native read.
+          VipsBackend.orientation(path, max_pixels: max_pixels)
+        when :imagemagick
+          # Probe first: rejects undecodable files and enforces the pixel cap.
+          ImageMagickBackend.probe(path, max_pixels: max_pixels)
+          ImageMagickBackend.orientation(path)
+        end
       end
     end
   end
 
+  def dominant_color(path, max_pixels: nil)
+    maybe_sandbox(:dominant_color, args: [path], kwargs: { max_pixels: max_pixels }) do
+      max_pixels = resolved_max_pixels(max_pixels)
+      case config.backend
+      when :vips
+        if File.extname(PathSafety.local_path(path)).downcase == ".ico"
+          # Pure-Ruby ICO decode; vips only averages the decoded pixels.
+          Ico.dominant_color(path, max_pixels: max_pixels)
+        else
+          VipsBackend.dominant_color(path, max_pixels: max_pixels)
+        end
+      when :imagemagick
+        imagemagick_dominant_color(path, max_pixels: max_pixels)
+      end
+    end
+  end
+
+  def imagemagick_dominant_color(path, max_pixels:)
+    # Probe first: rejects undecodable files and enforces the pixel cap
+    # before ImageMagick fully decodes the image to average it.
+    probe(path, max_pixels: max_pixels)
+    ImageMagickBackend.dominant_color(path)
+  end
+
   def fastimage_type(format)
     format.to_s == "jpg" ? :jpeg : format.to_s.to_sym
   end
 
   def remote_info(url, **kwargs)
+    config
     Remote.info(url, **kwargs)
   end
 
   def remote_size(url, **kwargs)
+    config
     Remote.size(url, **kwargs)
   end
 
@@ -170,18 +271,26 @@ module SafeImage
   end
 
   def remote_type(url, **kwargs)
+    config
     Remote.type(url, **kwargs)
   end
 
   def remote_animated?(url, **kwargs)
+    config
     Remote.animated?(url, **kwargs)
   end
 
+  def remote_dominant_color(url, **kwargs)
+    config
+    Remote.dominant_color(url, **kwargs)
+  end
+
   def fetch_remote(url, **kwargs, &block)
+    config
     Remote.fetch(url, **kwargs, &block)
   end
 
-  def thumbnail(input:, output:, width:, height:, format: nil, quality: 85, max_pixels: nil, backend: :vips, optimize: false, optimize_mode: :lossless, execution: :inline, encoder: :auto, chroma_subsampling: :auto)
+  def thumbnail(input:, output:, width:, height:, format: nil, quality: 85, max_pixels: nil, optimize: false, optimize_mode: :lossless, chroma_subsampling: :auto)
     maybe_sandbox(
       :thumbnail,
       kwargs: {
@@ -192,15 +301,12 @@ module SafeImage
         format: format,
         quality: quality,
         max_pixels: max_pixels,
-        backend: backend,
         optimize: optimize,
         optimize_mode: optimize_mode,
-        execution: :inline,
-        encoder: encoder,
         chroma_subsampling: chroma_subsampling
       }
     ) do
-      Processor.new(max_pixels: max_pixels, backend: backend, execution: execution, encoder: encoder, chroma_subsampling: chroma_subsampling).thumbnail(
+      Processor.new(max_pixels: resolved_max_pixels(max_pixels), chroma_subsampling: chroma_subsampling).thumbnail(
         input: input,
         output: output,
         width: width,
@@ -252,6 +358,7 @@ module SafeImage
   end
 
   def animated?(*args, **kwargs)
+    config
     path = args.first
     return false if path && File.extname(PathSafety.local_path(path)).downcase == ".svg"
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: safe_image
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Sam Saffron
@@ -10,6 +10,20 @@ bindir: bin
 cert_chain: []
 date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: fiddle
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: rexml
   requirement: !ruby/object:Gem::Requirement
@@ -53,51 +67,52 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '13.0'
 - !ruby/object:Gem::Dependency
-  name: rake-compiler
+  name: rubocop-discourse
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '3.18'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '3.18'
 - !ruby/object:Gem::Dependency
-  name: rubocop-discourse
+  name: landlock
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.18'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.18'
+        version: '0'
 description: 'Safe Image is a small Ruby image-processing boundary for untrusted uploads:
   direct libvips thumbnails/probing, hardened ImageMagick compatibility operations,
   optimisation, SVG sanitising, and optional atomic Landlock sandbox execution.'
 email:
 - sam@discourse.org
 executables: []
-extensions:
-- ext/safe_image_native/extconf.rb
+extensions: []
 extra_rdoc_files: []
 files:
+- CHANGELOG.md
 - LICENSE
 - README.md
 - SECURITY.md
-- ext/safe_image_native/extconf.rb
-- ext/safe_image_native/safe_image_native.c
 - lib/safe_image.rb
 - lib/safe_image/RT_sRGB.icm
 - lib/safe_image/discourse_compat.rb
+- lib/safe_image/fonts/DEJAVU-LICENSE
+- lib/safe_image/fonts/DejaVuSans.ttf
+- lib/safe_image/ico.rb
 - lib/safe_image/image_magick_backend.rb
 - lib/safe_image/imagemagick_policy/policy.xml
 - lib/safe_image/jpegli_backend.rb
@@ -113,6 +128,7 @@ files:
 - lib/safe_image/svg_sanitizer.rb
 - lib/safe_image/version.rb
 - lib/safe_image/vips_backend.rb
+- lib/safe_image/vips_glue.rb
 homepage: https://github.com/sam-saffron-jarvis/safe-image
 licenses:
 - MIT
@@ -134,7 +150,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.6
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Hardened image processing boundary for untrusted uploads
 test_files: []

data/ext/safe_image_native/extconf.rb

@@ -1,8 +0,0 @@
-# frozen_string_literal: true
-
-require "mkmf"
-
-pkg_config("vips") or abort "libvips development files are required (pkg-config vips failed)"
-have_header("vips/vips.h") or abort "missing vips/vips.h"
-have_library("vips") or abort "missing libvips"
-create_makefile("safe_image_native")