safe_image 0.1.0

data/lib/safe_image/discourse_compat.rb

@@ -0,0 +1,283 @@
+# frozen_string_literal: true
+
+require "fileutils"
+require "pathname"
+require "tempfile"
+
+module SafeImage
+  # Compatibility-shaped API for the operations Discourse currently performs in
+  # OptimizedImage, UploadCreator, ShrinkUploadedImage and FileHelper.
+  module DiscourseCompat
+    module_function
+
+    def resize(from, to, width, height, quality: nil, backend: :imagemagick, optimize: true, max_pixels: nil, encoder: :auto, chroma_subsampling: :auto)
+      if backend.to_sym == :vips
+        return SafeImage.thumbnail(
+          input: from,
+          output: to,
+          width: width,
+          height: height,
+          quality: quality || 85,
+          backend: backend,
+          optimize: optimize,
+          max_pixels: max_pixels,
+          encoder: encoder,
+          chroma_subsampling: chroma_subsampling
+        )
+      end
+
+      probe = compat_probe(from, backend: :imagemagick, max_pixels: max_pixels)
+      output = PathSafety.ensure_safe_output_path!(to).to_s
+      info = ImageMagickBackend.thumbnail(
+        input: probe.input,
+        output: output,
+        width: width,
+        height: height,
+        format: File.extname(output).delete_prefix(".").downcase,
+        quality: quality
+      )
+      Optimizer.optimize(output, mode: :lossless, strip_metadata: true, quality: quality) if optimize
+      result_from_info(probe.input, output, info, "imagemagick")
+    end
+
+    def crop(from, to, width, height, quality: nil, backend: :imagemagick, optimize: true, max_pixels: nil, encoder: :auto, chroma_subsampling: :auto)
+      probe = compat_probe(from, backend: backend, max_pixels: max_pixels)
+      output = PathSafety.ensure_safe_output_path!(to).to_s
+      format = File.extname(output).delete_prefix(".").downcase
+
+      info =
+        if backend.to_sym == :vips && use_jpegli_for_generated_jpeg?(format, backend, encoder)
+          with_temp_png(output) do |tmp_path|
+            VipsBackend.crop_north(
+              input: probe.input,
+              output: tmp_path,
+              width: width,
+              height: height,
+              format: "png",
+              quality: 100,
+              max_pixels: max_pixels
+            )
+            JpegliBackend.encode(
+              input: tmp_path,
+              output: output,
+              quality: quality || JpegliBackend::DEFAULT_QUALITY,
+              chroma_subsampling: JpegliBackend.validate_chroma_subsampling!(chroma_subsampling, input_format: probe.input_format),
+              input_format: probe.input_format
+            )
+          end
+        elsif backend.to_sym == :vips
+          VipsBackend.crop_north(
+            input: probe.input,
+            output: output,
+            width: width,
+            height: height,
+            format: format,
+            quality: quality || 85,
+            max_pixels: max_pixels
+          )
+        else
+          ImageMagickBackend.resize_like(
+            input: probe.input,
+            output: output,
+            width: width,
+            height: height,
+            format: format,
+            quality: quality,
+            crop: :north
+          )
+        end
+      Optimizer.optimize(output, mode: :lossless, strip_metadata: true, quality: quality) if optimize
+      result_from_info(probe.input, output, info, compat_backend_name(backend, info))
+    end
+
+    def downsize(from, to, dimensions, backend: :imagemagick, optimize: true, max_pixels: nil, quality: 85, encoder: :auto, chroma_subsampling: :auto)
+      probe = compat_probe(from, backend: backend, max_pixels: max_pixels)
+      output = PathSafety.ensure_safe_output_path!(to).to_s
+      format = File.extname(output).delete_prefix(".").downcase
+      info =
+        if backend.to_sym == :vips && use_jpegli_for_generated_jpeg?(format, backend, encoder)
+          with_temp_png(output) do |tmp_path|
+            VipsBackend.downsize(
+              input: probe.input,
+              output: tmp_path,
+              dimensions: dimensions,
+              format: "png",
+              quality: 100,
+              max_pixels: max_pixels
+            )
+            JpegliBackend.encode(
+              input: tmp_path,
+              output: output,
+              quality: quality,
+              chroma_subsampling: JpegliBackend.validate_chroma_subsampling!(chroma_subsampling, input_format: probe.input_format),
+              input_format: probe.input_format
+            )
+          end
+        elsif backend.to_sym == :vips
+          VipsBackend.downsize(
+            input: probe.input,
+            output: output,
+            dimensions: dimensions,
+            format: format,
+            quality: quality,
+            max_pixels: max_pixels
+          )
+        else
+          ImageMagickBackend.downsize(
+            input: probe.input,
+            output: output,
+            dimensions: dimensions,
+            format: format
+          )
+        end
+      Optimizer.optimize(output, mode: :lossless, strip_metadata: true) if optimize
+      result_from_info(probe.input, output, info, compat_backend_name(backend, info))
+    end
+
+    def convert(from, to, format:, quality: nil, optimize: true, max_pixels: nil, encoder: :auto, chroma_subsampling: :auto)
+      probe = compat_probe(from, backend: :imagemagick, max_pixels: max_pixels)
+      output = PathSafety.ensure_safe_output_path!(to).to_s
+      normalized_format = format.to_s.downcase == "jpeg" ? "jpg" : format.to_s.downcase
+
+      info =
+        if use_jpegli_for_convert?(probe.input, normalized_format, encoder)
+          JpegliBackend.convert(
+            input: probe.input,
+            output: output,
+            quality: quality || JpegliBackend::DEFAULT_QUALITY,
+            chroma_subsampling: chroma_subsampling
+          )
+        else
+          if encoder.to_sym == :cjpegli
+            raise UnsupportedFormatError, "cjpegli cannot directly encode #{File.extname(probe.input).delete_prefix(".").downcase.inspect}; use encoder: :auto or another encoder"
+          end
+          ImageMagickBackend.convert(input: probe.input, output: output, format: format, quality: quality)
+        end
+
+      Optimizer.optimize(output, mode: :lossless, strip_metadata: true, quality: normalized_format == "jpg" ? quality : nil) if optimize && info[:encoder] != "cjpegli"
+      result_from_info(probe.input, output, info, info[:encoder] == "cjpegli" ? "cjpegli" : "imagemagick")
+    end
+
+    def use_jpegli_for_convert?(input, normalized_format, encoder)
+      encoder = encoder.to_sym
+      return false unless normalized_format == "jpg"
+      return false if encoder == :imagemagick
+      raise ArgumentError, "unknown encoder: #{encoder.inspect}" unless %i[auto cjpegli].include?(encoder)
+      return true if encoder == :cjpegli && JpegliBackend.suitable_direct_input?(input)
+      encoder == :auto && JpegliBackend.available? && JpegliBackend.suitable_direct_input?(input)
+    end
+
+    def use_jpegli_for_generated_jpeg?(format, backend, encoder)
+      encoder = encoder.to_sym
+      normalized_format = format.to_s.downcase == "jpeg" ? "jpg" : format.to_s.downcase
+      return false unless normalized_format == "jpg"
+      return false if %i[vips imagemagick magick].include?(encoder)
+      raise ArgumentError, "unknown encoder: #{encoder.inspect}" unless %i[auto cjpegli].include?(encoder)
+      raise ArgumentError, "encoder: :cjpegli currently requires backend: :vips" if encoder == :cjpegli && backend.to_sym != :vips
+      encoder == :cjpegli || (backend.to_sym == :vips && JpegliBackend.available?)
+    end
+
+    def with_temp_png(output)
+      output_path = Pathname.new(output)
+      output_path.dirname.mkpath
+      Tempfile.create([output_path.basename(".*").to_s, ".safe-image.png"], output_path.dirname.to_s) do |tmp|
+        tmp_path = Pathname.new(tmp.path)
+        tmp.close
+        yield tmp_path
+      ensure
+        FileUtils.rm_f(tmp_path) if defined?(tmp_path) && tmp_path
+      end
+    end
+
+    def compat_backend_name(backend, info)
+      base = backend.to_sym == :vips ? "libvips-direct" : "imagemagick"
+      info[:encoder] == "cjpegli" ? "#{base}+cjpegli" : base
+    end
+
+    def convert_to_jpeg(from, to, quality: nil, optimize: true, max_pixels: nil, encoder: :auto, chroma_subsampling: :auto)
+      convert(from, to, format: "jpg", quality: quality, optimize: optimize, max_pixels: max_pixels, encoder: encoder, chroma_subsampling: chroma_subsampling)
+    end
+
+    def fix_orientation(from, to = from, max_pixels: nil)
+      probe = compat_probe(from, backend: :imagemagick, max_pixels: max_pixels)
+      output = PathSafety.ensure_safe_output_path!(to).to_s
+      info = ImageMagickBackend.fix_orientation(input: probe.input, output: output)
+      result_from_info(probe.input, output, info, "imagemagick")
+    end
+
+    def convert_favicon_to_png(from, to, optimize: true, max_pixels: nil)
+      frame_count(from, max_pixels: max_pixels) if max_pixels
+      output = PathSafety.ensure_safe_output_path!(to).to_s
+      info = ImageMagickBackend.convert_ico_to_png(input: Pathname.new(from).expand_path.to_s, output: output)
+      Optimizer.optimize(output, mode: :lossless, strip_metadata: true) if optimize
+      result_from_info(from, output, info, "imagemagick")
+    end
+
+    def frame_count(path, max_pixels: nil)
+      ImageMagickBackend.frame_count(path, max_pixels: max_pixels)
+    end
+
+    def animated?(path, max_pixels: nil)
+      frame_count(path, max_pixels: max_pixels).to_i > 1
+    end
+
+    def letter_avatar(output:, size:, background_rgb:, letter:, pointsize: 280, font: "NimbusSans-Regular")
+      output = PathSafety.ensure_safe_output_path!(output).to_s
+      info = ImageMagickBackend.letter_avatar(
+        output: output,
+        size: size,
+        background_rgb: background_rgb,
+        letter: letter,
+        pointsize: pointsize,
+        font: font
+      )
+      result_from_info("generated", output, info, "imagemagick")
+    end
+
+    def optimize_image!(path, allow_lossy_png: false, strip_metadata: true, quality: nil, strict: true)
+      Optimizer.optimize(
+        path,
+        mode: allow_lossy_png ? :lossy : :lossless,
+        strip_metadata: strip_metadata,
+        quality: quality,
+        strict: strict
+      )
+    end
+
+    def compat_probe(path, backend:, max_pixels: nil)
+      path = Pathname.new(path).expand_path.to_s
+      if backend.to_sym == :vips
+        SafeImage.probe(path, max_pixels: max_pixels)
+      else
+        info = ImageMagickBackend.probe(path, max_pixels: max_pixels)
+        Result.new(
+          input: path,
+          output: nil,
+          input_format: info.fetch(:input_format),
+          output_format: nil,
+          width: info.fetch(:width),
+          height: info.fetch(:height),
+          filesize: File.size(path),
+          backend: "imagemagick",
+          duration_ms: info.fetch(:duration_ms),
+          optimizer: nil
+        )
+      end
+    end
+
+    def result_from_info(input, output, info, backend)
+      Result.new(
+        input: input.to_s,
+        output: output.to_s,
+        input_format: info.fetch(:input_format),
+        output_format: info.fetch(:output_format),
+        width: info.fetch(:width),
+        height: info.fetch(:height),
+        filesize: File.size(output),
+        backend: backend,
+        duration_ms: info.fetch(:duration_ms),
+        optimizer: nil
+      )
+    end
+  end
+end

data/lib/safe_image/image_magick_backend.rb

@@ -0,0 +1,263 @@
+# frozen_string_literal: true
+
+module SafeImage
+  module ImageMagickBackend
+    module_function
+
+    DEFAULT_PROFILE = File.expand_path("RT_sRGB.icm", __dir__)
+    DECODERS = {
+      "jpg" => "jpeg",
+      "jpeg" => "jpeg",
+      "png" => "png",
+      "gif" => "gif",
+      "webp" => "webp",
+      "heic" => "heic",
+      "heif" => "heic",
+      "avif" => "heic",
+      "ico" => "ico"
+    }.freeze
+
+    IMAGEMAGICK_LIMIT_ARGS = [
+      "-limit", "memory", "256MiB",
+      "-limit", "map", "512MiB",
+      "-limit", "disk", "1GiB",
+      "-limit", "area", "128MP",
+      "-limit", "time", "20",
+      "-limit", "thread", "2"
+    ].freeze
+
+    ALLOWED_FONTS = %w[NimbusSans-Regular DejaVu-Sans Liberation-Sans Arial Helvetica Adwaita-Sans].freeze
+
+    def probe(path, timeout: Runner::DEFAULT_TIMEOUT, max_pixels: nil)
+      raise UnsupportedFormatError, "ImageMagick identify not available" unless Runner.available?("identify")
+      path = PathSafety.ensure_imagemagick_input_file!(path)
+      ext = File.extname(path).delete_prefix(".").downcase
+      decoder = DECODERS.fetch(ext) { raise UnsupportedFormatError, "unsupported ImageMagick input format: #{ext.inspect}" }
+      stdout, = Runner.run!(["identify", *IMAGEMAGICK_LIMIT_ARGS, "-ping", "-format", "%m %w %h %n\n", "#{decoder}:#{path}"], timeout: timeout)
+      _magick_format, width, height, frames = stdout.each_line.first.to_s.split
+      width = width.to_i
+      height = height.to_i
+      if max_pixels && width * height > Integer(max_pixels)
+        raise LimitError, "image has #{width * height} pixels, exceeds #{max_pixels}"
+      end
+      { input_format: ext == "jpeg" ? "jpg" : ext, width: width, height: height, frames: frames.to_i, duration_ms: 0.0 }
+    end
+
+    def thumbnail(input:, output:, width:, height:, format:, quality:, timeout: Runner::DEFAULT_TIMEOUT)
+      resize_like(input: input, output: output, width: width, height: height, format: format, quality: quality, crop: :centre, timeout: timeout)
+    end
+
+    def resize_like(input:, output:, width:, height:, format:, quality:, crop: false, timeout: Runner::DEFAULT_TIMEOUT)
+      command = convert_command
+
+      input = PathSafety.ensure_imagemagick_input_file!(input)
+      output = PathSafety.ensure_safe_output_path!(output).to_s
+      output = PathSafety.ensure_imagemagick_safe!(output)
+      ext = File.extname(input).delete_prefix(".").downcase
+      decoder = DECODERS.fetch(ext) { raise UnsupportedFormatError, "unsupported ImageMagick input format: #{ext.inspect}" }
+
+      quality = validate_quality!(quality)
+      argv = [command, *IMAGEMAGICK_LIMIT_ARGS, "#{decoder}:#{input}[0]", "-auto-orient"]
+      if crop == :north
+        argv.concat([
+          "-gravity", "north",
+          "-background", "transparent",
+          "-thumbnail", "#{Integer(width)}x#{Integer(height)}^",
+          "-crop", "#{Integer(width)}x#{Integer(height)}+0+0",
+          "-unsharp", "2x0.5+0.7+0",
+          "-interlace", "none"
+        ])
+      else
+        argv.concat([
+          "-gravity", "center",
+          "-background", "transparent",
+          "-thumbnail", "#{Integer(width)}x#{Integer(height)}^",
+          "-extent", "#{Integer(width)}x#{Integer(height)}",
+          "-interpolate", "catrom",
+          "-unsharp", "2x0.5+0.7+0",
+          "-interlace", "none"
+        ])
+      end
+      argv.concat(["-profile", DEFAULT_PROFILE]) if File.file?(DEFAULT_PROFILE)
+      argv.concat(["-quality", quality.to_s]) if quality
+      argv << output_spec(format, output)
+
+      run_image_command(argv, output, ext, format, timeout)
+    end
+
+    def downsize(input:, output:, dimensions:, format:, timeout: Runner::DEFAULT_TIMEOUT)
+      command = convert_command
+
+      input = PathSafety.ensure_imagemagick_input_file!(input)
+      output = PathSafety.ensure_safe_output_path!(output).to_s
+      output = PathSafety.ensure_imagemagick_safe!(output)
+      ext = File.extname(input).delete_prefix(".").downcase
+      decoder = DECODERS.fetch(ext) { raise UnsupportedFormatError, "unsupported ImageMagick input format: #{ext.inspect}" }
+      dimensions = validate_dimensions!(dimensions)
+      argv = [
+        command, *IMAGEMAGICK_LIMIT_ARGS, "#{decoder}:#{input}[0]",
+        "-auto-orient",
+        "-gravity", "center",
+        "-background", "transparent",
+        "-interlace", "none",
+        "-resize", dimensions,
+      ]
+      argv.concat(["-profile", DEFAULT_PROFILE]) if File.file?(DEFAULT_PROFILE)
+      argv << output_spec(format, output)
+      run_image_command(argv, output, ext, format, timeout)
+    end
+
+    def convert(input:, output:, format:, quality: nil, timeout: Runner::DEFAULT_TIMEOUT)
+      command = convert_command
+      input = PathSafety.ensure_imagemagick_input_file!(input)
+      output = PathSafety.ensure_safe_output_path!(output).to_s
+      output = PathSafety.ensure_imagemagick_safe!(output)
+      ext = File.extname(input).delete_prefix(".").downcase
+      decoder = DECODERS.fetch(ext) { raise UnsupportedFormatError, "unsupported ImageMagick input format: #{ext.inspect}" }
+      normalized_format = format.to_s.downcase
+      normalized_format = "jpg" if normalized_format == "jpeg"
+      output_arg = output_spec(normalized_format, output)
+      quality = validate_quality!(quality)
+
+      argv = [command, *IMAGEMAGICK_LIMIT_ARGS, "#{decoder}:#{input}[0]", "-auto-orient", "-interlace", "none"]
+      argv.concat(["-background", "white", "-flatten"]) if normalized_format == "jpg"
+      argv.concat(["-quality", quality.to_s]) if quality
+      argv << output_arg
+      run_image_command(argv, output, ext, normalized_format, timeout)
+    end
+
+    def convert_to_jpeg(input:, output:, quality: nil, timeout: Runner::DEFAULT_TIMEOUT)
+      convert(input: input, output: output, format: "jpg", quality: quality, timeout: timeout)
+    end
+
+    def convert_ico_to_png(input:, output:, timeout: Runner::DEFAULT_TIMEOUT)
+      command = convert_command
+      input = PathSafety.ensure_imagemagick_input_file!(input)
+      output = PathSafety.ensure_safe_output_path!(output).to_s
+      output = PathSafety.ensure_imagemagick_safe!(output)
+      argv = [command, *IMAGEMAGICK_LIMIT_ARGS, "ico:#{input}[-1]", "-auto-orient", "-background", "transparent", output_spec("png", output)]
+      run_image_command(argv, output, "ico", "png", timeout)
+    end
+
+    def frame_count(path, timeout: Runner::DEFAULT_TIMEOUT, max_pixels: nil)
+      raise UnsupportedFormatError, "ImageMagick identify not available" unless Runner.available?("identify")
+      path = PathSafety.ensure_imagemagick_input_file!(path)
+      ext = File.extname(path).delete_prefix(".").downcase
+      decoder = DECODERS.fetch(ext) { raise UnsupportedFormatError, "unsupported ImageMagick input format: #{ext.inspect}" }
+      stdout, = Runner.run!(["identify", *IMAGEMAGICK_LIMIT_ARGS, "-ping", "-format", "%w %h %n\n", "#{decoder}:#{path}"], timeout: timeout)
+      width, height, frames = stdout.each_line.first.to_s.split.map(&:to_i)
+      if max_pixels && width.to_i * height.to_i > Integer(max_pixels)
+        raise LimitError, "image has #{width * height} pixels, exceeds #{max_pixels}"
+      end
+      frames.to_i
+    end
+
+    def orientation(path, timeout: Runner::DEFAULT_TIMEOUT)
+      raise UnsupportedFormatError, "ImageMagick identify not available" unless Runner.available?("identify")
+      path = PathSafety.ensure_imagemagick_input_file!(path)
+      ext = File.extname(path).delete_prefix(".").downcase
+      decoder = DECODERS.fetch(ext) { raise UnsupportedFormatError, "unsupported ImageMagick input format: #{ext.inspect}" }
+      stdout, = Runner.run!(
+        ["identify", *IMAGEMAGICK_LIMIT_ARGS, "-ping", "-format", "%[EXIF:Orientation]", "#{decoder}:#{path}[0]"],
+        timeout: timeout
+      )
+      value = stdout.to_s.strip
+      value.empty? ? 1 : value.to_i
+    rescue CommandError
+      1
+    end
+
+    def letter_avatar(output:, size:, background_rgb:, letter:, pointsize:, font: "NimbusSans-Regular", timeout: Runner::DEFAULT_TIMEOUT)
+      command = convert_command
+      output = PathSafety.ensure_safe_output_path!(output).to_s
+      output = PathSafety.ensure_imagemagick_safe!(output)
+      rgb = Array(background_rgb).map { |v| Integer(v) }
+      raise ArgumentError, "background_rgb must have three channels" unless rgb.length == 3
+      glyph = letter.to_s.each_grapheme_cluster.first.to_s.gsub("%", "%%")
+      font_name = font.to_s
+      raise ArgumentError, "unsupported font: #{font_name.inspect}" unless ALLOWED_FONTS.include?(font_name)
+
+      argv = [
+        command, *IMAGEMAGICK_LIMIT_ARGS,
+        "-size", "#{Integer(size)}x#{Integer(size)}",
+        "xc:rgb(#{rgb[0]},#{rgb[1]},#{rgb[2]})",
+        "-pointsize", Integer(pointsize).to_s,
+        "-fill", "#FFFFFFCC",
+        "-font", font_name,
+        "-gravity", "Center",
+        "-annotate", "-0+34", glyph,
+        "-depth", "8",
+        output_spec("png", output)
+      ]
+      run_image_command(argv, output, "generated", "png", timeout)
+    end
+
+    def fix_orientation(input:, output: input, timeout: Runner::DEFAULT_TIMEOUT)
+      command = convert_command
+      input = PathSafety.ensure_imagemagick_input_file!(input)
+      output = PathSafety.ensure_safe_output_path!(output).to_s
+      output = PathSafety.ensure_imagemagick_safe!(output)
+      ext = File.extname(input).delete_prefix(".").downcase
+      decoder = DECODERS.fetch(ext) { raise UnsupportedFormatError, "unsupported ImageMagick input format: #{ext.inspect}" }
+      argv = [command, *IMAGEMAGICK_LIMIT_ARGS, "#{decoder}:#{input}[0]", "-auto-orient", output_spec(ext, output)]
+      run_image_command(argv, output, ext, ext, timeout)
+    end
+
+    def output_spec(format, output)
+      ext = File.extname(output).delete_prefix(".").downcase
+      ext = "jpg" if ext == "jpeg"
+      normalized = format.to_s.downcase
+      normalized = "jpg" if normalized == "jpeg"
+      raise UnsupportedFormatError, "output extension #{ext.inspect} does not match format #{normalized.inspect}" unless ext == normalized
+
+      coder = {
+        "jpg" => "jpeg",
+        "png" => "png",
+        "gif" => "gif",
+        "webp" => "webp",
+        "avif" => "avif",
+        "ico" => "ico"
+      }.fetch(normalized) { raise UnsupportedFormatError, "unsupported ImageMagick output format: #{normalized.inspect}" }
+      "#{coder}:#{output}"
+    end
+
+    def validate_quality!(quality)
+      return nil if quality.nil?
+      quality = Integer(quality)
+      raise ArgumentError, "quality must be 1..100" unless (1..100).cover?(quality)
+      quality
+    end
+
+    def validate_dimensions!(dimensions)
+      dimensions = dimensions.to_s
+      patterns = [
+        /\A\d+(?:\.\d+)?%\z/,
+        /\A\d+x\d+[!<>^]?\z/,
+        /\A\d+@\z/
+      ]
+      raise ArgumentError, "unsupported ImageMagick geometry: #{dimensions.inspect}" unless patterns.any? { |pattern| pattern.match?(dimensions) }
+      dimensions
+    end
+
+    def convert_command
+      Runner.available?("magick") ? "magick" : Runner.resolve_executable!("convert") && "convert"
+    rescue UnsupportedFormatError
+      raise UnsupportedFormatError, "ImageMagick convert/magick not available"
+    end
+
+    def run_image_command(argv, output, input_format, output_format, timeout)
+      started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+      Runner.run!(argv, timeout: timeout)
+      duration_ms = (Process.clock_gettime(Process::CLOCK_MONOTONIC) - started) * 1000
+
+      info = Native.probe(output)
+      {
+        input_format: input_format == "jpeg" ? "jpg" : input_format,
+        output_format: output_format == "jpeg" ? "jpg" : output_format,
+        width: info.fetch(:width),
+        height: info.fetch(:height),
+        duration_ms: duration_ms
+      }
+    end
+  end
+end

data/lib/safe_image/imagemagick_policy/policy.xml

@@ -0,0 +1,22 @@
+<policymap>
+  <!-- Defensive ImageMagick policy for safe_image compatibility
+       backend. We only need raster image coders used explicitly by this gem. -->
+  <policy domain="delegate" rights="none" pattern="*" />
+  <policy domain="filter" rights="none" pattern="*" />
+  <policy domain="path" rights="none" pattern="@*" />
+
+  <policy domain="coder" rights="none" pattern="*" />
+  <policy domain="coder" rights="read|write" pattern="{JPEG,JPG,PNG,GIF,WEBP,HEIC,HEIF,AVIF,ICO,ICC,ICM,XC}" />
+
+  <!-- Ghostscript-backed / document / vector-ish formats: deny explicitly even
+       if a broader system policy is present. -->
+  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,EPSF,PDF,XPS,PCL,MSL,MVG,HTTPS,HTTP,URL,TEXT,LABEL}" />
+  <policy domain="module" rights="none" pattern="{PS,PS2,PS3,EPS,EPSF,PDF,XPS,PCL,MSL,MVG,HTTPS,HTTP,URL}" />
+
+  <policy domain="resource" name="memory" value="512MiB" />
+  <policy domain="resource" name="map" value="512MiB" />
+  <policy domain="resource" name="disk" value="1GiB" />
+  <policy domain="resource" name="file" value="128" />
+  <policy domain="resource" name="thread" value="2" />
+  <policy domain="resource" name="time" value="30" />
+</policymap>

data/lib/safe_image/jpegli_backend.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+require "fileutils"
+require "pathname"
+require "tempfile"
+
+module SafeImage
+  module JpegliBackend
+    module_function
+
+    DIRECT_INPUTS = %w[png].freeze
+    CHROMA_SUBSAMPLING = %w[420 422 444].freeze
+    DEFAULT_QUALITY = 85
+
+    def available?
+      Runner.available?("cjpegli")
+    end
+
+    def suitable_direct_input?(input)
+      DIRECT_INPUTS.include?(normalized_ext(input))
+    end
+
+    def convert(input:, output:, quality: DEFAULT_QUALITY, chroma_subsampling: :auto, timeout: Runner::DEFAULT_TIMEOUT)
+      raise UnsupportedFormatError, "cjpegli is not installed" unless available?
+
+      input = PathSafety.ensure_regular_file!(input)
+      output = PathSafety.ensure_safe_output_path!(output).to_s
+      ensure_jpeg_output!(output)
+
+      input_format = normalized_ext(input)
+      unless DIRECT_INPUTS.include?(input_format)
+        raise UnsupportedFormatError, "cjpegli direct input format is unsupported: #{input_format.inspect}"
+      end
+
+      quality = validate_quality!(quality)
+      chroma_subsampling = validate_chroma_subsampling!(chroma_subsampling, input_format: input_format)
+      encode(input: input, output: output, quality: quality, chroma_subsampling: chroma_subsampling, timeout: timeout, input_format: input_format)
+    end
+
+    def encode(input:, output:, quality: DEFAULT_QUALITY, chroma_subsampling: "420", timeout: Runner::DEFAULT_TIMEOUT, input_format: nil)
+      raise UnsupportedFormatError, "cjpegli is not installed" unless available?
+
+      input = PathSafety.ensure_regular_file!(input)
+      output_path = PathSafety.ensure_safe_output_path!(output)
+      ensure_jpeg_output!(output_path)
+      output_path.dirname.mkpath
+
+      input_format ||= normalized_ext(input)
+      quality = validate_quality!(quality)
+      chroma_subsampling = validate_chroma_subsampling!(chroma_subsampling, input_format: input_format)
+
+      tmp = Tempfile.new([output_path.basename(".*").to_s, ".cjpegli.jpg"], output_path.dirname.to_s)
+      tmp_path = Pathname.new(tmp.path)
+      tmp.close
+
+      begin
+        argv = [
+          "cjpegli",
+          input.to_s,
+          tmp_path.to_s,
+          "--quality=#{quality}",
+          "--chroma_subsampling=#{chroma_subsampling}"
+        ]
+        Runner.run!(argv, timeout: timeout, read: [input.to_s], write: [output_path.dirname.to_s])
+        raise Error, "cjpegli did not create output" unless tmp_path.file? && File.size(tmp_path).positive?
+        FileUtils.mv(tmp_path, output_path)
+
+        info = Native.probe(output_path.to_s)
+        {
+          input_format: input_format,
+          output_format: "jpg",
+          width: info.fetch(:width),
+          height: info.fetch(:height),
+          duration_ms: info.fetch(:duration_ms),
+          encoder: "cjpegli",
+          chroma_subsampling: chroma_subsampling
+        }
+      ensure
+        FileUtils.rm_f(tmp_path)
+      end
+    end
+
+    def validate_quality!(quality)
+      quality = DEFAULT_QUALITY if quality.nil?
+      quality = Integer(quality)
+      raise ArgumentError, "quality must be 1..100" unless (1..100).cover?(quality)
+      quality
+    end
+
+    def validate_chroma_subsampling!(value, input_format: nil)
+      value = :auto if value.nil?
+      value = "444" if value.to_sym == :auto && input_format.to_s == "png"
+      value = "420" if value.to_sym == :auto
+      value = value.to_s
+      raise ArgumentError, "chroma_subsampling must be one of #{CHROMA_SUBSAMPLING.join(", ")}" unless CHROMA_SUBSAMPLING.include?(value)
+      value
+    end
+
+    def ensure_jpeg_output!(output)
+      ext = normalized_ext(output)
+      raise UnsupportedFormatError, "cjpegli only outputs jpg/jpeg, got #{ext.inspect}" unless ext == "jpg"
+    end
+
+    def normalized_ext(path)
+      ext = File.extname(path.to_s).delete_prefix(".").downcase
+      ext == "jpeg" ? "jpg" : ext
+    end
+  end
+end

data/lib/safe_image/native.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require "safe_image_native"