safe_image 0.1.0

data/SECURITY.md

@@ -0,0 +1,48 @@
+# Security Policy
+
+Safe Image is a hardened image-processing boundary for untrusted uploads, not a proof that hostile image bytes are harmless.
+
+## Supported versions
+
+Security fixes are expected to land on `main` until the gem has tagged releases. Once releases exist, report against the latest released version unless you can reproduce on `main` as well.
+
+## Threat model
+
+Safe Image assumes image input may be attacker-controlled. The library is designed to reduce the number of places an application touches those bytes and to remove common image-processing foot-guns:
+
+- shell-free external command execution using argv arrays
+- allowlisted command environment
+- bounded command output and process-group timeout cleanup
+- explicit libvips loader selection for supported raster formats
+- no silent fallback from libvips to generic ImageMagick decoding
+- restrictive ImageMagick policy disabling delegates, filters, `@file`, remote URL coders, Ghostscript-backed formats, and dangerous pseudo-formats
+- symlink rejection for untrusted local input/output paths
+- remote fetch SSRF hardening: scheme/port restrictions, special-use IP blocking, DNS pinning, redirect limits, HTTPS-to-HTTP rejection, header allowlists, content-type/extension agreement, and probe-before-yield
+- bounded SVG metadata parsing and conservative SVG sanitising without handing SVG to ImageMagick for probing
+- optional Linux Landlock/seccomp subprocess sandboxing
+
+## Non-goals
+
+Safe Image does not claim that parsing hostile images in-process is memory-safe. Raster decoders such as libjpeg, libpng, libwebp, libheif, libvips loaders, and ImageMagick coders still parse attacker-controlled bytes. A decoder memory-corruption bug or pathological resource-consumption bug is still possible.
+
+The honest claim is defense-in-depth:
+
+- without Landlock: centralized and hardened image processing with major delegate/protocol/policy foot-guns removed
+- with Landlock: the same hardening plus a kernel containment boundary around subprocess-based public operations
+
+If your deployment needs a hard isolation boundary, enable sandbox execution and run image processing away from your main web worker process.
+
+## Reporting vulnerabilities
+
+Please report suspected security issues privately to `sam@discourse.org`.
+
+Include:
+
+- affected version or commit
+- input file or minimized reproducer, if shareable
+- operation/API called
+- expected vs actual result
+- whether Landlock sandboxing was enabled
+- host OS, kernel, libvips, ImageMagick, and optimizer tool versions
+
+Do not open a public issue for an exploitable crash, sandbox escape, SSRF bypass, arbitrary file read/write, command execution bug, or denial-of-service vector until there has been time to patch.

data/ext/safe_image_native/extconf.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "mkmf"
+
+pkg_config("vips") or abort "libvips development files are required (pkg-config vips failed)"
+have_header("vips/vips.h") or abort "missing vips/vips.h"
+have_library("vips") or abort "missing libvips"
+create_makefile("safe_image_native")

data/ext/safe_image_native/safe_image_native.c

@@ -0,0 +1,392 @@
+#include <ruby.h>
+#include <vips/vips.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <time.h>
+#include <math.h>
+
+static VALUE mSafeImage;
+static VALUE mNative;
+static VALUE eError;
+static VALUE eUnsupported;
+static VALUE eInvalid;
+static VALUE eLimit;
+
+/* Default decompression-bomb ceiling applied when the caller does not pass an
+ * explicit max_pixels. Mirrors SafeImage::DEFAULT_MAX_PIXELS and the 128MP area
+ * limit used on the ImageMagick path, so the libvips fast path is not unbounded
+ * by default. Callers that legitimately need larger images pass max_pixels. */
+#define SAFE_IMAGE_DEFAULT_MAX_PIXELS (128LL * 1024 * 1024)
+
+static double now_ms(void) {
+  struct timespec ts;
+  clock_gettime(CLOCK_MONOTONIC, &ts);
+  return (double)ts.tv_sec * 1000.0 + (double)ts.tv_nsec / 1000000.0;
+}
+
+static const char *extname(const char *path) {
+  const char *dot = strrchr(path, '.');
+  return dot ? dot + 1 : "";
+}
+
+static int streq_ci(const char *a, const char *b) {
+#ifdef _WIN32
+  return _stricmp(a, b) == 0;
+#else
+  return strcasecmp(a, b) == 0;
+#endif
+}
+
+static const char *normalized_format(const char *fmt) {
+  if (streq_ci(fmt, "jpg") || streq_ci(fmt, "jpeg")) return "jpg";
+  if (streq_ci(fmt, "png")) return "png";
+  if (streq_ci(fmt, "webp")) return "webp";
+  if (streq_ci(fmt, "heic") || streq_ci(fmt, "heif")) return "heic";
+  if (streq_ci(fmt, "avif")) return "avif";
+  return NULL;
+}
+
+static void raise_vips(void) {
+  const char *msg = vips_error_buffer();
+  VALUE rb_msg = rb_str_new_cstr(msg && *msg ? msg : "libvips error");
+  vips_error_clear();
+  rb_exc_raise(rb_exc_new3(eInvalid, rb_msg));
+}
+
+static void init_vips_once(void) {
+  static int initialized = 0;
+  if (initialized) return;
+  if (VIPS_INIT("safe_image") != 0) raise_vips();
+
+  /* Avoid libvips operations that are explicitly tagged as unsafe for
+   * untrusted input. Also block ImageMagick-backed loaders by class name;
+   * this gem uses explicit native libvips loaders and should never fall back
+   * to ImageMagick delegates. */
+  vips_block_untrusted_set(TRUE);
+  vips_operation_block_set("VipsForeignLoadMagick", TRUE);
+  vips_operation_block_set("VipsForeignLoadMagick6", TRUE);
+  vips_operation_block_set("VipsForeignLoadMagick7", TRUE);
+
+  /* Keep the embedded path predictable and bounded. Callers that want harder
+   * isolation should run this gem inside a sandboxed worker process. */
+  vips_concurrency_set(1);
+  vips_cache_set_max(0);
+  vips_cache_set_max_mem(0);
+  vips_cache_set_max_files(0);
+  initialized = 1;
+}
+
+static VipsImage *load_explicit(const char *path, const char **fmt_out) {
+  init_vips_once();
+  const char *fmt = normalized_format(extname(path));
+  if (!fmt) rb_raise(eUnsupported, "unsupported input format");
+
+  VipsImage *image = NULL;
+  int rc = -1;
+  if (strcmp(fmt, "jpg") == 0) {
+    rc = vips_jpegload(path, &image,
+      "access", VIPS_ACCESS_SEQUENTIAL,
+      "fail_on", VIPS_FAIL_ON_ERROR,
+      NULL);
+  } else if (strcmp(fmt, "png") == 0) {
+    rc = vips_pngload(path, &image,
+      "access", VIPS_ACCESS_SEQUENTIAL,
+      "fail_on", VIPS_FAIL_ON_ERROR,
+      NULL);
+  } else if (strcmp(fmt, "webp") == 0) {
+    rc = vips_webpload(path, &image,
+      "access", VIPS_ACCESS_SEQUENTIAL,
+      "fail_on", VIPS_FAIL_ON_ERROR,
+      NULL);
+  } else if (strcmp(fmt, "heic") == 0 || strcmp(fmt, "avif") == 0) {
+    rc = vips_heifload(path, &image,
+      "access", VIPS_ACCESS_SEQUENTIAL,
+      "fail_on", VIPS_FAIL_ON_ERROR,
+      NULL);
+  }
+
+  if (rc != 0 || image == NULL) raise_vips();
+  *fmt_out = fmt;
+  return image;
+}
+
+static void validate_quality_or_raise(int quality) {
+  if (quality < 1 || quality > 100) rb_raise(rb_eArgError, "quality must be 1..100");
+}
+
+static void validate_dimensions_or_raise(int width, int height) {
+  if (width <= 0 || height <= 0) rb_raise(rb_eArgError, "width and height must be positive");
+}
+
+static void validate_scale_or_raise(double scale) {
+  if (!isfinite(scale) || scale <= 0.0 || scale > 100.0) rb_raise(rb_eArgError, "scale must be finite and in 0..100");
+}
+
+static int pixels_exceed_limit(VipsImage *image, VALUE max_pixels_val, long long *pixels_out, long long *max_out) {
+  long long max_pixels;
+  if (NIL_P(max_pixels_val)) {
+    max_pixels = SAFE_IMAGE_DEFAULT_MAX_PIXELS;
+  } else {
+    max_pixels = NUM2LL(max_pixels_val);
+    if (max_pixels <= 0) rb_raise(rb_eArgError, "max_pixels must be positive");
+  }
+  if (image->Xsize <= 0 || image->Ysize <= 0) rb_raise(eInvalid, "image dimensions are invalid");
+  long long pixels = (long long)image->Xsize * (long long)image->Ysize;
+  if (pixels_out) *pixels_out = pixels;
+  if (max_out) *max_out = max_pixels;
+  return pixels > max_pixels;
+}
+
+static void raise_pixels_limit(long long pixels, long long max_pixels) {
+  rb_raise(eLimit, "image has %lld pixels, exceeds %lld", pixels, max_pixels);
+}
+
+static int save_explicit(VipsImage *image, const char *path, const char *fmt, int quality) {
+  if (strcmp(fmt, "jpg") == 0) {
+    return vips_jpegsave(image, path,
+      "Q", quality,
+      "interlace", FALSE,
+      "keep", VIPS_FOREIGN_KEEP_NONE,
+      NULL);
+  } else if (strcmp(fmt, "png") == 0) {
+    return vips_pngsave(image, path,
+      "compression", 6,
+      "keep", VIPS_FOREIGN_KEEP_NONE,
+      NULL);
+  } else if (strcmp(fmt, "webp") == 0) {
+    return vips_webpsave(image, path,
+      "Q", quality,
+      "keep", VIPS_FOREIGN_KEEP_NONE,
+      NULL);
+  } else if (strcmp(fmt, "avif") == 0) {
+    return vips_heifsave(image, path,
+      "Q", quality,
+      "compression", VIPS_FOREIGN_HEIF_COMPRESSION_AV1,
+      "keep", VIPS_FOREIGN_KEEP_NONE,
+      NULL);
+  }
+  rb_raise(eUnsupported, "unsupported output format");
+}
+
+static VALUE rb_probe(VALUE self, VALUE path_val) {
+  Check_Type(path_val, T_STRING);
+  double start = now_ms();
+  const char *fmt = NULL;
+  VipsImage *image = load_explicit(StringValueCStr(path_val), &fmt);
+  int width = image->Xsize;
+  int height = image->Ysize;
+  double duration_ms = now_ms() - start;
+  g_object_unref(image);
+
+  VALUE hash = rb_hash_new();
+  rb_hash_aset(hash, ID2SYM(rb_intern("format")), rb_str_new_cstr(fmt));
+  rb_hash_aset(hash, ID2SYM(rb_intern("width")), INT2NUM(width));
+  rb_hash_aset(hash, ID2SYM(rb_intern("height")), INT2NUM(height));
+  rb_hash_aset(hash, ID2SYM(rb_intern("duration_ms")), DBL2NUM(duration_ms));
+  return hash;
+}
+
+static VALUE rb_thumbnail(VALUE self, VALUE input_val, VALUE output_val, VALUE width_val, VALUE height_val, VALUE format_val, VALUE quality_val, VALUE max_pixels_val) {
+  Check_Type(input_val, T_STRING);
+  Check_Type(output_val, T_STRING);
+  Check_Type(format_val, T_STRING);
+  int width = NUM2INT(width_val);
+  int height = NUM2INT(height_val);
+  int quality = NUM2INT(quality_val);
+  validate_dimensions_or_raise(width, height);
+  validate_quality_or_raise(quality);
+  const char *out_fmt = normalized_format(StringValueCStr(format_val));
+  if (!out_fmt || strcmp(out_fmt, "heic") == 0) rb_raise(eUnsupported, "unsupported output format");
+
+  const char *input_path = StringValueCStr(input_val);
+  double start = now_ms();
+
+  /* Read the header through an explicit allowlisted loader. This validates the
+   * input format (the loader fails on mismatched bytes) and lets us enforce the
+   * pixel-count limit before any full decode happens. */
+  const char *input_fmt = NULL;
+  VipsImage *header = load_explicit(input_path, &input_fmt);
+  long long pixels = 0, max_pixels = 0;
+  if (pixels_exceed_limit(header, max_pixels_val, &pixels, &max_pixels)) {
+    g_object_unref(header);
+    raise_pixels_limit(pixels, max_pixels);
+  }
+  g_object_unref(header);
+
+  /* Thumbnail straight from the file so libvips can shrink on load (e.g.
+   * libjpeg DCT downscaling) instead of decoding the source at full
+   * resolution. vips_thumbnail auto-rotates from the orientation tag by
+   * default. ImageMagick loader classes are blocked globally in
+   * init_vips_once, so this still cannot reach an ImageMagick delegate. */
+  VipsImage *thumb = NULL;
+  if (vips_thumbnail(input_path, &thumb, width,
+      "height", height,
+      "size", VIPS_SIZE_BOTH,
+      "crop", VIPS_INTERESTING_CENTRE,
+      "fail_on", VIPS_FAIL_ON_ERROR,
+      NULL) != 0) {
+    raise_vips();
+  }
+
+  if (save_explicit(thumb, StringValueCStr(output_val), out_fmt, quality) != 0) {
+    g_object_unref(thumb);
+    raise_vips();
+  }
+
+  int out_width = thumb->Xsize;
+  int out_height = thumb->Ysize;
+  double duration_ms = now_ms() - start;
+  g_object_unref(thumb);
+
+  VALUE hash = rb_hash_new();
+  rb_hash_aset(hash, ID2SYM(rb_intern("input_format")), rb_str_new_cstr(input_fmt));
+  rb_hash_aset(hash, ID2SYM(rb_intern("output_format")), rb_str_new_cstr(out_fmt));
+  rb_hash_aset(hash, ID2SYM(rb_intern("width")), INT2NUM(out_width));
+  rb_hash_aset(hash, ID2SYM(rb_intern("height")), INT2NUM(out_height));
+  rb_hash_aset(hash, ID2SYM(rb_intern("duration_ms")), DBL2NUM(duration_ms));
+  return hash;
+}
+
+static VALUE rb_resize(VALUE self, VALUE input_val, VALUE output_val, VALUE scale_val, VALUE format_val, VALUE quality_val, VALUE max_pixels_val) {
+  Check_Type(input_val, T_STRING);
+  Check_Type(output_val, T_STRING);
+  Check_Type(format_val, T_STRING);
+  double scale = NUM2DBL(scale_val);
+  int quality = NUM2INT(quality_val);
+  validate_scale_or_raise(scale);
+  validate_quality_or_raise(quality);
+  const char *out_fmt = normalized_format(StringValueCStr(format_val));
+  if (!out_fmt || strcmp(out_fmt, "heic") == 0) rb_raise(eUnsupported, "unsupported output format");
+
+  double start = now_ms();
+  const char *input_fmt = NULL;
+  VipsImage *in = load_explicit(StringValueCStr(input_val), &input_fmt);
+  long long pixels = 0, max_pixels = 0;
+  if (pixels_exceed_limit(in, max_pixels_val, &pixels, &max_pixels)) {
+    g_object_unref(in);
+    raise_pixels_limit(pixels, max_pixels);
+  }
+
+  VipsImage *rot = NULL;
+  if (vips_autorot(in, &rot, NULL) != 0) {
+    g_object_unref(in);
+    raise_vips();
+  }
+
+  VipsImage *out = NULL;
+  if (vips_resize(rot, &out, scale, NULL) != 0) {
+    g_object_unref(rot);
+    g_object_unref(in);
+    raise_vips();
+  }
+
+  if (save_explicit(out, StringValueCStr(output_val), out_fmt, quality) != 0) {
+    g_object_unref(out);
+    g_object_unref(rot);
+    g_object_unref(in);
+    raise_vips();
+  }
+
+  int out_width = out->Xsize;
+  int out_height = out->Ysize;
+  double duration_ms = now_ms() - start;
+  g_object_unref(out);
+  g_object_unref(rot);
+  g_object_unref(in);
+
+  VALUE hash = rb_hash_new();
+  rb_hash_aset(hash, ID2SYM(rb_intern("input_format")), rb_str_new_cstr(input_fmt));
+  rb_hash_aset(hash, ID2SYM(rb_intern("output_format")), rb_str_new_cstr(out_fmt));
+  rb_hash_aset(hash, ID2SYM(rb_intern("width")), INT2NUM(out_width));
+  rb_hash_aset(hash, ID2SYM(rb_intern("height")), INT2NUM(out_height));
+  rb_hash_aset(hash, ID2SYM(rb_intern("duration_ms")), DBL2NUM(duration_ms));
+  return hash;
+}
+
+static VALUE rb_crop_north(VALUE self, VALUE input_val, VALUE output_val, VALUE width_val, VALUE height_val, VALUE format_val, VALUE quality_val, VALUE max_pixels_val) {
+  Check_Type(input_val, T_STRING);
+  Check_Type(output_val, T_STRING);
+  Check_Type(format_val, T_STRING);
+  int width = NUM2INT(width_val);
+  int height = NUM2INT(height_val);
+  int quality = NUM2INT(quality_val);
+  validate_dimensions_or_raise(width, height);
+  validate_quality_or_raise(quality);
+  const char *out_fmt = normalized_format(StringValueCStr(format_val));
+  if (!out_fmt || strcmp(out_fmt, "heic") == 0) rb_raise(eUnsupported, "unsupported output format");
+
+  double start = now_ms();
+  const char *input_fmt = NULL;
+  VipsImage *in = load_explicit(StringValueCStr(input_val), &input_fmt);
+  long long pixels = 0, max_pixels = 0;
+  if (pixels_exceed_limit(in, max_pixels_val, &pixels, &max_pixels)) {
+    g_object_unref(in);
+    raise_pixels_limit(pixels, max_pixels);
+  }
+
+  VipsImage *rot = NULL;
+  if (vips_autorot(in, &rot, NULL) != 0) {
+    g_object_unref(in);
+    raise_vips();
+  }
+
+  double sx = (double)width / (double)rot->Xsize;
+  double sy = (double)height / (double)rot->Ysize;
+  double scale = sx > sy ? sx : sy;
+  scale *= 1.0000001;
+
+  VipsImage *resized = NULL;
+  if (vips_resize(rot, &resized, scale, NULL) != 0) {
+    g_object_unref(rot);
+    g_object_unref(in);
+    raise_vips();
+  }
+
+  int left = (resized->Xsize - width) / 2;
+  if (left < 0) left = 0;
+
+  VipsImage *crop = NULL;
+  if (vips_extract_area(resized, &crop, left, 0, width, height, NULL) != 0) {
+    g_object_unref(resized);
+    g_object_unref(rot);
+    g_object_unref(in);
+    raise_vips();
+  }
+
+  if (save_explicit(crop, StringValueCStr(output_val), out_fmt, quality) != 0) {
+    g_object_unref(crop);
+    g_object_unref(resized);
+    g_object_unref(rot);
+    g_object_unref(in);
+    raise_vips();
+  }
+
+  int out_width = crop->Xsize;
+  int out_height = crop->Ysize;
+  double duration_ms = now_ms() - start;
+  g_object_unref(crop);
+  g_object_unref(resized);
+  g_object_unref(rot);
+  g_object_unref(in);
+
+  VALUE hash = rb_hash_new();
+  rb_hash_aset(hash, ID2SYM(rb_intern("input_format")), rb_str_new_cstr(input_fmt));
+  rb_hash_aset(hash, ID2SYM(rb_intern("output_format")), rb_str_new_cstr(out_fmt));
+  rb_hash_aset(hash, ID2SYM(rb_intern("width")), INT2NUM(out_width));
+  rb_hash_aset(hash, ID2SYM(rb_intern("height")), INT2NUM(out_height));
+  rb_hash_aset(hash, ID2SYM(rb_intern("duration_ms")), DBL2NUM(duration_ms));
+  return hash;
+}
+
+void Init_safe_image_native(void) {
+  mSafeImage = rb_define_module("SafeImage");
+  eError = rb_const_get(mSafeImage, rb_intern("Error"));
+  eUnsupported = rb_const_get(mSafeImage, rb_intern("UnsupportedFormatError"));
+  eInvalid = rb_const_get(mSafeImage, rb_intern("InvalidImageError"));
+  eLimit = rb_const_get(mSafeImage, rb_intern("LimitError"));
+  mNative = rb_define_module_under(mSafeImage, "Native");
+  rb_define_singleton_method(mNative, "probe", rb_probe, 1);
+  rb_define_singleton_method(mNative, "thumbnail", rb_thumbnail, 7);
+  rb_define_singleton_method(mNative, "resize", rb_resize, 6);
+  rb_define_singleton_method(mNative, "crop_north", rb_crop_north, 7);
+}