safe_image 0.1.0

data/lib/safe_image/optimizer.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require "tempfile"
+
+module SafeImage
+  module Optimizer
+    module_function
+
+    MAX_PNGQUANT_SIZE = 500_000
+
+    def optimize(path, mode: :lossless, strip_metadata: true, quality: nil, timeout: Runner::DEFAULT_TIMEOUT, strict: true)
+      path = PathSafety.ensure_regular_file!(path)
+
+      ext = path.extname.delete_prefix(".").downcase
+      ext = "jpg" if ext == "jpeg"
+
+      before = File.size(path)
+      tools = []
+
+      case ext
+      when "jpg"
+        if Runner.available?("jpegoptim")
+          argv = ["jpegoptim", "--quiet"]
+          argv << (strip_metadata ? "--strip-all" : "--strip-none")
+          argv << "--max=#{Integer(quality)}" if quality
+          argv << path.to_s
+          Runner.run!(argv, timeout: timeout)
+          tools << "jpegoptim"
+        else
+          raise Error, "jpegoptim is required for strict JPEG optimisation" if strict
+        end
+      when "png"
+        if mode.to_sym == :lossy && before < MAX_PNGQUANT_SIZE
+          if Runner.available?("pngquant")
+            tmp = Tempfile.new([path.basename(".*").to_s, ".pngquant.png"], path.dirname.to_s)
+            tmp_path = Pathname.new(tmp.path)
+            tmp.close
+            begin
+              argv = ["pngquant", "--force", "--skip-if-larger", "--output", tmp_path.to_s]
+              argv << "--quality=#{quality}" if quality # e.g. "65-90"
+              argv << path.to_s
+              Runner.run!(argv, timeout: timeout)
+              if tmp_path.file? && File.size(tmp_path) < File.size(path)
+                FileUtils.mv(tmp_path, path)
+                tools << "pngquant"
+              end
+            ensure
+              FileUtils.rm_f(tmp_path)
+            end
+          elsif strict
+            raise Error, "pngquant is required for strict lossy PNG optimisation"
+          end
+        end
+
+        if Runner.available?("oxipng")
+          argv = ["oxipng", "--quiet", "-o", "3"]
+          argv.concat(["--strip", strip_metadata ? "safe" : "none"])
+          argv << path.to_s
+          Runner.run!(argv, timeout: timeout)
+          tools << "oxipng"
+        else
+          raise Error, "oxipng is required for strict PNG optimisation" if strict
+        end
+      else
+        raise UnsupportedFormatError, "unsupported optimize format: #{ext.inspect}"
+      end
+
+      after = File.size(path)
+      {
+        format: ext,
+        before_bytes: before,
+        after_bytes: after,
+        saved_bytes: before - after,
+        tools: tools
+      }
+    end
+  end
+end

data/lib/safe_image/path_safety.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require "pathname"
+
+module SafeImage
+  module PathSafety
+    SAFE_IMAGEMAGICK_PATH = %r{\A[\w\-\./]+\z}.freeze
+
+    module_function
+
+    def local_path(value)
+      if value.respond_to?(:path) && value.path
+        value.path.to_s
+      else
+        value.to_s
+      end
+    end
+
+    def reject_symlink_components!(path)
+      path = Pathname.new(local_path(path)).expand_path
+      path.ascend do |component|
+        next unless File.exist?(component.to_s)
+        raise UnsafePathError, "symlink paths are not allowed: #{component}" if File.lstat(component.to_s).symlink?
+      end
+      path
+    end
+
+    def ensure_regular_file!(path)
+      path = reject_symlink_components!(path)
+      raise UnsafePathError, "not a file: #{path}" unless path.file?
+      path
+    end
+
+    def ensure_safe_output_path!(path)
+      path = Pathname.new(local_path(path)).expand_path
+      raise UnsafePathError, "path contains NUL" if path.to_s.include?("\0")
+      reject_symlink_components!(path.dirname)
+      if File.exist?(path.to_s)
+        raise UnsafePathError, "output path is a symlink: #{path}" if File.lstat(path.to_s).symlink?
+      end
+      path
+    end
+
+    def ensure_imagemagick_safe!(path)
+      path = local_path(path)
+      raise UnsafePathError, "path contains NUL" if path.include?("\0")
+      raise UnsafePathError, "path must be absolute" unless path.start_with?("/")
+      unless SAFE_IMAGEMAGICK_PATH.match?(path)
+        raise UnsafePathError, "path contains characters unsafe for ImageMagick pseudo-filename parsing"
+      end
+      path
+    end
+
+    def ensure_imagemagick_input_file!(path)
+      # Expand to an absolute path first so callers may pass relative paths
+      # (matching the rest of the public API), then apply the absolute-path and
+      # safe-character checks to the resolved path.
+      expanded = Pathname.new(local_path(path)).expand_path.to_s
+      ensure_imagemagick_safe!(expanded)
+      ensure_regular_file!(Pathname.new(expanded)).to_s
+    end
+  end
+end

data/lib/safe_image/processor.rb

@@ -0,0 +1,196 @@
+# frozen_string_literal: true
+
+require "fileutils"
+require "pathname"
+require "tempfile"
+
+module SafeImage
+  class Processor
+    SUPPORTED_INPUTS = %w[jpg jpeg png webp heic heif avif].freeze
+    SUPPORTED_OUTPUTS = %w[jpg jpeg png webp avif].freeze
+
+    def initialize(max_pixels: nil, backend: :vips, execution: :inline, encoder: :auto, chroma_subsampling: :auto)
+      @max_pixels = max_pixels
+      @backend = backend.to_sym
+      @execution = execution.to_sym
+      @encoder = encoder.to_sym
+      @chroma_subsampling = chroma_subsampling
+    end
+
+    def probe(path)
+      input = safe_existing_file!(path)
+      info = Native.probe(input.to_s)
+      validate_pixels!(info.fetch(:width), info.fetch(:height))
+      Result.new(
+        input: input.to_s,
+        output: nil,
+        input_format: info.fetch(:format),
+        output_format: nil,
+        width: info.fetch(:width),
+        height: info.fetch(:height),
+        filesize: File.size(input),
+        backend: "libvips-direct",
+        duration_ms: info.fetch(:duration_ms),
+        optimizer: nil
+      )
+    end
+
+    def thumbnail(input:, output:, width:, height:, format: nil, quality: 85, optimize: false, optimize_mode: :lossless)
+      input = safe_existing_file!(input)
+      output = safe_output_path!(output)
+      width = Integer(width)
+      height = Integer(height)
+      quality = Integer(quality)
+      raise ArgumentError, "width and height must be positive" if width <= 0 || height <= 0
+      raise ArgumentError, "quality must be 1..100" unless (1..100).cover?(quality)
+
+      out_format = (format || output.extname.delete_prefix(".")).downcase
+      out_format = "jpg" if out_format == "jpeg"
+      unless SUPPORTED_OUTPUTS.include?(out_format)
+        raise UnsupportedFormatError, "unsupported output format: #{out_format.inspect}"
+      end
+
+      if @execution == :sandbox || @execution == :sandbox_if_available
+        if @execution == :sandbox && !Sandbox.available?
+          raise Error, "sandbox execution requested but Landlock::SafeExec is unavailable"
+        end
+
+        info = Sandbox.thumbnail(
+          input: input.to_s,
+          output: output.to_s,
+          width: width,
+          height: height,
+          format: out_format,
+          quality: quality,
+          max_pixels: @max_pixels,
+          backend: @backend,
+          optimize: optimize,
+          optimize_mode: optimize_mode
+        )
+        if info
+          return Result.new(
+            input: input.to_s,
+            output: output.to_s,
+            input_format: info.fetch(:input_format),
+            output_format: info.fetch(:output_format),
+            width: info.fetch(:width),
+            height: info.fetch(:height),
+            filesize: File.size(output),
+            backend: "sandboxed-#{info.fetch(:backend)}",
+            duration_ms: info.fetch(:duration_ms),
+            optimizer: info[:optimizer]
+          )
+        end
+      end
+
+      output.dirname.mkpath
+      info =
+        if out_format == "jpg" && use_jpegli_for_generated_jpeg?(input)
+          jpegli_thumbnail(input: input, output: output, width: width, height: height, quality: quality, source_format: input.extname.delete_prefix(".").downcase)
+        else
+          case @backend
+          when :vips
+            Native.thumbnail(input.to_s, output.to_s, width, height, out_format, quality, @max_pixels)
+          when :imagemagick, :magick
+            probe_info = Native.probe(input.to_s)
+            validate_pixels!(probe_info.fetch(:width), probe_info.fetch(:height))
+            ImageMagickBackend.thumbnail(
+              input: input.to_s,
+              output: output.to_s,
+              width: width,
+              height: height,
+              format: out_format,
+              quality: quality
+            )
+          else
+            raise ArgumentError, "unknown backend: #{@backend.inspect}"
+          end
+        end
+
+      opt_info = nil
+      if optimize
+        opt_info = Optimizer.optimize(output, mode: optimize_mode, strip_metadata: true, quality: out_format == "jpg" ? quality : nil)
+      end
+
+      Result.new(
+        input: input.to_s,
+        output: output.to_s,
+        input_format: info.fetch(:input_format),
+        output_format: info.fetch(:output_format),
+        width: info.fetch(:width),
+        height: info.fetch(:height),
+        filesize: File.size(output),
+        backend: result_backend(info),
+        duration_ms: info.fetch(:duration_ms),
+        optimizer: opt_info&.fetch(:tools, nil)
+      )
+    end
+
+    private
+
+    def use_jpegli_for_generated_jpeg?(input)
+      case @encoder
+      when :auto
+        @backend == :vips && JpegliBackend.available?
+      when :cjpegli
+        true
+      when :vips, :imagemagick, :magick
+        false
+      else
+        raise ArgumentError, "unknown encoder: #{@encoder.inspect}"
+      end
+    end
+
+    def jpegli_thumbnail(input:, output:, width:, height:, quality:, source_format:)
+      raise UnsupportedFormatError, "cjpegli is not installed" unless JpegliBackend.available?
+      raise ArgumentError, "encoder: :cjpegli currently requires backend: :vips" unless @backend == :vips
+
+      output.dirname.mkpath
+      Tempfile.create([output.basename(".*").to_s, ".safe-image.png"], output.dirname.to_s) do |tmp|
+        tmp_path = Pathname.new(tmp.path)
+        tmp.close
+        Native.thumbnail(input.to_s, tmp_path.to_s, width, height, "png", 100, @max_pixels)
+        JpegliBackend.encode(
+          input: tmp_path,
+          output: output,
+          quality: quality,
+          chroma_subsampling: JpegliBackend.validate_chroma_subsampling!(@chroma_subsampling, input_format: normalized_source_format(source_format)),
+          input_format: normalized_source_format(source_format)
+        )
+      ensure
+        FileUtils.rm_f(tmp_path) if defined?(tmp_path) && tmp_path
+      end
+    end
+
+    def normalized_source_format(format)
+      format = format.to_s.downcase
+      format == "jpeg" ? "jpg" : format
+    end
+
+    def result_backend(info)
+      if info[:encoder] == "cjpegli"
+        "#{@backend == :vips ? "libvips-direct" : "imagemagick"}+cjpegli"
+      else
+        @backend == :vips ? "libvips-direct" : "imagemagick"
+      end
+    end
+
+    def safe_existing_file!(path)
+      path = PathSafety.ensure_regular_file!(path)
+      ext = path.extname.delete_prefix(".").downcase
+      ext = "jpg" if ext == "jpeg"
+      raise UnsupportedFormatError, "unsupported input format: #{ext.inspect}" unless SUPPORTED_INPUTS.include?(ext)
+      path
+    end
+
+    def safe_output_path!(path)
+      PathSafety.ensure_safe_output_path!(path)
+    end
+
+    def validate_pixels!(width, height)
+      return unless @max_pixels
+      pixels = Integer(width) * Integer(height)
+      raise LimitError, "image has #{pixels} pixels, exceeds #{@max_pixels}" if pixels > @max_pixels
+    end
+  end
+end

data/lib/safe_image/remote.rb

@@ -0,0 +1,309 @@
+# frozen_string_literal: true
+
+require "fileutils"
+require "ipaddr"
+require "net/http"
+require "resolv"
+require "tempfile"
+require "time"
+require "tmpdir"
+require "uri"
+
+module SafeImage
+  module Remote
+    module_function
+
+    DEFAULT_MAX_BYTES = 20 * 1024 * 1024
+    DEFAULT_MAX_REDIRECTS = 3
+    DEFAULT_OPEN_TIMEOUT = 5
+    DEFAULT_READ_TIMEOUT = 10
+    DEFAULT_TOTAL_TIMEOUT = 30
+    DEFAULT_ALLOWED_PORTS = [80, 443].freeze
+    USER_AGENT = "safe_image/#{VERSION}".freeze
+
+    SAFE_CROSS_ORIGIN_REDIRECT_HEADERS = %w[accept accept-encoding user-agent].freeze
+    SAFE_INITIAL_REQUEST_HEADERS = SAFE_CROSS_ORIGIN_REDIRECT_HEADERS
+    FORBIDDEN_REQUEST_HEADERS = %w[
+      host connection keep-alive proxy-authenticate proxy-authorization
+      proxy-connection te trailer transfer-encoding upgrade
+    ].freeze
+
+    CONTENT_TYPE_EXTENSIONS = {
+      "image/jpeg" => ".jpg",
+      "image/jpg" => ".jpg",
+      "image/png" => ".png",
+      "image/gif" => ".gif",
+      "image/webp" => ".webp",
+      "image/heic" => ".heic",
+      "image/heif" => ".heif",
+      "image/avif" => ".avif",
+      "image/x-icon" => ".ico",
+      "image/vnd.microsoft.icon" => ".ico",
+      "image/svg+xml" => ".svg"
+    }.freeze
+
+    EXTENSIONS = %w[.jpg .jpeg .png .gif .webp .heic .heif .avif .ico .svg].freeze
+
+    BLOCKED_IP_RANGES = [
+      # IPv4 special-use / non-public ranges. Default remote fetching is for
+      # public Internet images only; callers probing trusted internal URLs must
+      # opt in with allow_private: true.
+      "0.0.0.0/8",          # current network
+      "10.0.0.0/8",         # RFC1918 private-use
+      "100.64.0.0/10",      # RFC6598 carrier-grade NAT
+      "127.0.0.0/8",        # loopback
+      "169.254.0.0/16",     # RFC3927 link-local
+      "172.16.0.0/12",      # RFC1918 private-use
+      "192.0.0.0/24",       # IETF protocol assignments
+      "192.0.2.0/24",       # TEST-NET-1
+      "192.31.196.0/24",    # AS112-v4
+      "192.52.193.0/24",    # AMT
+      "192.168.0.0/16",     # RFC1918 private-use
+      "192.175.48.0/24",    # direct delegation AS112 service
+      "198.18.0.0/15",      # benchmark testing
+      "198.51.100.0/24",    # TEST-NET-2
+      "203.0.113.0/24",     # TEST-NET-3
+      "224.0.0.0/4",        # multicast
+      "240.0.0.0/4",        # reserved / future-use
+      "255.255.255.255/32", # limited broadcast
+
+      # IPv6 special-use / non-public ranges.
+      "::/128",             # unspecified
+      "::1/128",            # loopback
+      "::/96",              # deprecated IPv4-compatible IPv6
+      "::ffff:0:0/96",      # IPv4-mapped IPv6
+      "64:ff9b::/96",       # well-known NAT64 prefix
+      "64:ff9b:1::/48",     # local-use NAT64 prefix
+      "100::/64",           # discard-only prefix
+      "2001::/23",          # IETF protocol assignments, incl. Teredo/benchmarking
+      "2001:db8::/32",      # documentation
+      "2002::/16",          # 6to4
+      "fc00::/7",           # unique local address
+      "fe80::/10",          # link-local unicast
+      "ff00::/8"            # multicast
+    ].map { |range| IPAddr.new(range) }.freeze
+
+    def fetch(
+      url,
+      max_bytes: DEFAULT_MAX_BYTES,
+      max_redirects: DEFAULT_MAX_REDIRECTS,
+      open_timeout: DEFAULT_OPEN_TIMEOUT,
+      read_timeout: DEFAULT_READ_TIMEOUT,
+      total_timeout: DEFAULT_TOTAL_TIMEOUT,
+      allow_private: false,
+      allowed_ports: DEFAULT_ALLOWED_PORTS,
+      headers: {}
+    )
+      uri = parse_uri(url)
+      started_at = monotonic_time
+
+      Tempfile.create(["safe-image-remote", ".bin"], binmode: true) do |file|
+        response = request(
+          uri,
+          io: file,
+          max_bytes: max_bytes,
+          max_redirects: max_redirects,
+          open_timeout: open_timeout,
+          read_timeout: read_timeout,
+          total_timeout: total_timeout,
+          started_at: started_at,
+          allow_private: allow_private,
+          allowed_ports: allowed_ports,
+          headers: headers
+        )
+        file.flush
+
+        ext = extension_for(response.fetch(:uri), response.fetch(:content_type))
+        path = file.path
+        if File.extname(path) != ext
+          renamed = path.sub(/\.bin\z/, ext)
+          FileUtils.mv(path, renamed)
+          begin
+            validate_downloaded_image!(renamed, ext)
+            yield renamed
+          ensure
+            FileUtils.rm_f(renamed)
+          end
+        else
+          validate_downloaded_image!(path, ext)
+          yield path
+        end
+      end
+    end
+
+    def info(url, max_bytes: DEFAULT_MAX_BYTES, max_redirects: DEFAULT_MAX_REDIRECTS, open_timeout: DEFAULT_OPEN_TIMEOUT, read_timeout: DEFAULT_READ_TIMEOUT, total_timeout: DEFAULT_TOTAL_TIMEOUT, allow_private: false, allowed_ports: DEFAULT_ALLOWED_PORTS, headers: {}, max_pixels: nil, animated: false, orientation: false)
+      fetch(url, max_bytes: max_bytes, max_redirects: max_redirects, open_timeout: open_timeout, read_timeout: read_timeout, total_timeout: total_timeout, allow_private: allow_private, allowed_ports: allowed_ports, headers: headers) do |path|
+        SafeImage.info(path, max_pixels: max_pixels, animated: animated, orientation: orientation)
+      end
+    end
+
+    def size(url, **kwargs)
+      info(url, **kwargs).size
+    end
+
+    def type(url, **kwargs)
+      info(url, **kwargs).type
+    end
+
+    def animated?(url, max_bytes: DEFAULT_MAX_BYTES, max_redirects: DEFAULT_MAX_REDIRECTS, open_timeout: DEFAULT_OPEN_TIMEOUT, read_timeout: DEFAULT_READ_TIMEOUT, total_timeout: DEFAULT_TOTAL_TIMEOUT, allow_private: false, allowed_ports: DEFAULT_ALLOWED_PORTS, headers: {}, max_pixels: nil)
+      fetch(url, max_bytes: max_bytes, max_redirects: max_redirects, open_timeout: open_timeout, read_timeout: read_timeout, total_timeout: total_timeout, allow_private: allow_private, allowed_ports: allowed_ports, headers: headers) do |path|
+        SafeImage.animated?(path, max_pixels: max_pixels)
+      end
+    end
+
+    def request(uri, io:, max_bytes:, max_redirects:, open_timeout:, read_timeout:, total_timeout:, started_at:, allow_private:, allowed_ports:, headers: {})
+      raise ArgumentError, "too many redirects" if max_redirects < 0
+      check_deadline!(started_at, total_timeout)
+      ipaddr = validate_uri!(uri, allow_private: allow_private, allowed_ports: allowed_ports)
+
+      http = Net::HTTP.new(uri.host, uri.port, nil)
+      http.ipaddr = ipaddr if ipaddr
+      http.use_ssl = uri.scheme == "https"
+      http.open_timeout = open_timeout
+      http.read_timeout = read_timeout
+
+      request = Net::HTTP::Get.new(uri)
+      request["User-Agent"] = USER_AGENT
+      request["Accept"] = "image/*,*/*;q=0.1"
+      request["Accept-Encoding"] = "identity"
+      initial_headers(headers).each { |key, value| request[key.to_s] = value.to_s }
+
+      bytes = 0
+      content_type = nil
+
+      http.request(request) do |response|
+        check_deadline!(started_at, total_timeout)
+
+        case response
+        when Net::HTTPRedirection
+          location = response["location"] or raise Error, "redirect without Location"
+          redirected = parse_uri(uri.merge(location).to_s)
+          if uri.scheme == "https" && redirected.scheme == "http"
+            raise UnsafePathError, "refusing HTTPS to HTTP redirect"
+          end
+          return request(
+            redirected,
+            io: io,
+            max_bytes: max_bytes,
+            max_redirects: max_redirects - 1,
+            open_timeout: open_timeout,
+            read_timeout: read_timeout,
+            total_timeout: total_timeout,
+            started_at: started_at,
+            allow_private: allow_private,
+            allowed_ports: allowed_ports,
+            headers: redirect_headers(headers, from: uri, to: redirected)
+          )
+        when Net::HTTPSuccess
+          content_length = response["content-length"].to_i
+          raise LimitError, "remote image exceeds #{max_bytes} bytes" if content_length > max_bytes
+
+          content_type = response["content-type"].to_s.split(";", 2).first.to_s.downcase
+          response.read_body do |chunk|
+            check_deadline!(started_at, total_timeout)
+            bytes += chunk.bytesize
+            raise LimitError, "remote image exceeds #{max_bytes} bytes" if bytes > max_bytes
+            io.write(chunk)
+          end
+        else
+          raise Error, "remote image request failed: HTTP #{response.code}"
+        end
+      end
+
+      { uri: uri, content_type: content_type, bytes: bytes }
+    end
+
+    def parse_uri(url)
+      uri = URI.parse(url.to_s)
+      raise ArgumentError, "remote image URL must be http or https" unless %w[http https].include?(uri.scheme)
+      raise ArgumentError, "remote image URL must include a host" if uri.host.to_s.empty?
+      uri
+    rescue URI::InvalidURIError => e
+      raise ArgumentError, "invalid remote image URL: #{e.message}"
+    end
+
+    def validate_uri!(uri, allow_private:, allowed_ports: DEFAULT_ALLOWED_PORTS)
+      unless allow_private || allowed_ports.nil? || allowed_ports.include?(uri.port)
+        raise UnsafePathError, "remote image URL uses a disallowed port"
+      end
+      return nil if allow_private
+
+      resolver = Resolv::DNS.new
+      resolver.timeouts = [2, 2]
+      addresses = resolver.getaddresses(uri.host).map(&:to_s)
+      raise UnsafePathError, "remote image host did not resolve" if addresses.empty?
+
+      addresses.each do |address|
+        ip = IPAddr.new(address)
+        if blocked_ip?(ip)
+          raise UnsafePathError, "remote image host resolves to a non-public address"
+        end
+      end
+
+      # Pin the socket to a vetted address so validation and connection cannot
+      # observe different DNS answers. Prefer IPv4 first for compatibility with
+      # common hosts, but either family is fine because every address above was
+      # checked.
+      addresses.sort_by { |address| address.include?(":") ? 1 : 0 }.first
+    end
+
+    def blocked_ip?(ip)
+      BLOCKED_IP_RANGES.any? { |range| range.include?(ip) }
+    end
+
+    def filtered_headers(headers)
+      headers.reject { |key, _| FORBIDDEN_REQUEST_HEADERS.include?(key.to_s.downcase) }
+    end
+
+    def initial_headers(headers)
+      filtered_headers(headers).select { |key, _| SAFE_INITIAL_REQUEST_HEADERS.include?(key.to_s.downcase) }
+    end
+
+    def redirect_headers(headers, from:, to:)
+      headers = filtered_headers(headers)
+      return headers if same_origin?(from, to)
+
+      headers.select { |key, _| SAFE_CROSS_ORIGIN_REDIRECT_HEADERS.include?(key.to_s.downcase) }
+    end
+
+    def same_origin?(a, b)
+      a.scheme.to_s.downcase == b.scheme.to_s.downcase &&
+        a.host.to_s.downcase == b.host.to_s.downcase &&
+        a.port == b.port
+    end
+
+    def check_deadline!(started_at, total_timeout)
+      return unless total_timeout
+      raise Error, "remote image request timed out" if monotonic_time - started_at > total_timeout
+    end
+
+    def monotonic_time
+      Process.clock_gettime(Process::CLOCK_MONOTONIC)
+    end
+
+    def extension_for(uri, content_type)
+      content_ext = CONTENT_TYPE_EXTENSIONS[content_type]
+      raise UnsupportedFormatError, "remote image has unsupported or missing content type: #{content_type.inspect}" unless content_ext
+
+      ext = File.extname(uri.path).downcase
+      if EXTENSIONS.include?(ext)
+        normalized_ext = ext == ".jpeg" ? ".jpg" : ext
+        normalized_content_ext = content_ext == ".jpeg" ? ".jpg" : content_ext
+        unless normalized_ext == normalized_content_ext
+          raise UnsupportedFormatError, "remote image extension #{ext.inspect} does not match content type #{content_type.inspect}"
+        end
+        return ext
+      end
+
+      content_ext
+    end
+
+    def validate_downloaded_image!(path, ext)
+      if ext == ".svg"
+        SvgMetadata.probe(path)
+      else
+        SafeImage.probe(path)
+      end
+    end
+  end
+end

data/lib/safe_image/result.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module SafeImage
+  Info = Data.define(
+    :path,
+    :type,
+    :width,
+    :height,
+    :size,
+    :animated,
+    :orientation
+  )
+
+  Result = Data.define(
+    :input,
+    :output,
+    :input_format,
+    :output_format,
+    :width,
+    :height,
+    :filesize,
+    :backend,
+    :duration_ms,
+    :optimizer
+  ) do
+    def success? = true
+  end
+end