safe_image 0.2.0 → 0.3.0

data/lib/safe_image/svg_css.rb

@@ -0,0 +1,314 @@
+# frozen_string_literal: true
+
+require "strscan"
+
+module SafeImage
+  # Allowlist sanitizer for the small CSS subset SVG files legitimately use
+  # (Inkscape writes style="" attributes, Illustrator writes class rules in
+  # <style> elements). Output is constructed from validated tokens, never
+  # echoed from the input, so nothing outside the vocabulary below can appear
+  # in it. Anything the grammar does not recognise — escapes, quotes,
+  # at-rules, comments, unknown properties or functions, non-fragment url() —
+  # drops the declaration rather than being decoded.
+  module SvgCss
+    NO_FUNCTIONS = [].freeze
+    URL_FUNCTIONS = %w[url].freeze
+    COLOR_FUNCTIONS = %w[rgb rgba hsl hsla].freeze
+    PAINT_FUNCTIONS = (COLOR_FUNCTIONS + URL_FUNCTIONS).freeze
+    # Lowercase: function names are matched and emitted case-insensitively.
+    TRANSFORM_FUNCTIONS = %w[matrix translate translatex translatey scale rotate skewx skewy].freeze
+
+    # A CSS property is allowed exactly when its presentation-attribute twin is
+    # in SvgSanitizer::ALLOWED_ATTRIBUTES (a test asserts this); the value is the
+    # list of functions that property's values may call. The only functions that
+    # reach a resource are url(...) — and those are constrained to same-document
+    # #fragment references — so the URL surface is exactly the url()-bearing
+    # rows below (paint servers, clip/mask, and markers), all fragment-only.
+    ALLOWED_PROPERTIES = {
+      # Paint and color. url() = paint-server reference (gradient/pattern).
+      "fill" => PAINT_FUNCTIONS,
+      "stroke" => PAINT_FUNCTIONS,
+      "stop-color" => COLOR_FUNCTIONS,
+      "color" => COLOR_FUNCTIONS,  # currentColor resolution; Inkscape/Illustrator
+      "opacity" => NO_FUNCTIONS,
+      "fill-opacity" => NO_FUNCTIONS,
+      "stroke-opacity" => NO_FUNCTIONS,
+      "stop-opacity" => NO_FUNCTIONS,
+      "fill-rule" => NO_FUNCTIONS,
+      "clip-rule" => NO_FUNCTIONS,
+      # Stroke geometry. stroke-dasharray/dashoffset are how every dashed line
+      # is expressed; vector-effect:non-scaling-stroke is an Inkscape default.
+      "stroke-width" => NO_FUNCTIONS,
+      "stroke-linecap" => NO_FUNCTIONS,
+      "stroke-linejoin" => NO_FUNCTIONS,
+      "stroke-miterlimit" => NO_FUNCTIONS,
+      "stroke-dasharray" => NO_FUNCTIONS,
+      "stroke-dashoffset" => NO_FUNCTIONS,
+      "vector-effect" => NO_FUNCTIONS,
+      # Geometry references. url() = clipPath/mask/marker element by #id.
+      "clip-path" => URL_FUNCTIONS,
+      "mask" => URL_FUNCTIONS,
+      "marker" => URL_FUNCTIONS,
+      "marker-start" => URL_FUNCTIONS,
+      "marker-mid" => URL_FUNCTIONS,
+      "marker-end" => URL_FUNCTIONS,
+      "transform" => TRANSFORM_FUNCTIONS,
+      # Visibility and rendering hints. Keywords/numbers only.
+      "display" => NO_FUNCTIONS,
+      "visibility" => NO_FUNCTIONS,
+      "overflow" => NO_FUNCTIONS,
+      "paint-order" => NO_FUNCTIONS,
+      "mix-blend-mode" => NO_FUNCTIONS,
+      "isolation" => NO_FUNCTIONS,
+      "shape-rendering" => NO_FUNCTIONS,
+      "image-rendering" => NO_FUNCTIONS,
+      "color-interpolation" => NO_FUNCTIONS,
+      # Text. Keywords/lengths only; no url() anywhere in text styling.
+      "font-family" => NO_FUNCTIONS,
+      "font-size" => NO_FUNCTIONS,
+      "font-weight" => NO_FUNCTIONS,
+      "font-style" => NO_FUNCTIONS,
+      "font-variant" => NO_FUNCTIONS,
+      "font-stretch" => NO_FUNCTIONS,
+      "text-anchor" => NO_FUNCTIONS,
+      "text-decoration" => NO_FUNCTIONS,
+      "letter-spacing" => NO_FUNCTIONS,
+      "word-spacing" => NO_FUNCTIONS,
+      "dominant-baseline" => NO_FUNCTIONS,
+      "baseline-shift" => NO_FUNCTIONS,
+      "writing-mode" => NO_FUNCTIONS,
+      "direction" => NO_FUNCTIONS
+    }.freeze
+
+    # Every character a declaration may contain. The exclusions do the work:
+    # no backslash (CSS escapes re-form tokens after any pattern check), no
+    # quotes (no strings, so no string-URL functions), no "@" (no at-rules),
+    # no "*" — which keeps CSS comments (/* */) structurally impossible even
+    # though "/" is admitted for modern color alpha (rgb(R G B / A)). A "/"
+    # survives to output only via the color-function parser below; anywhere
+    # else it fails tokenisation and the declaration drops.
+    DECLARATION_CHARSET = %r{\A[a-zA-Z0-9 #%+.,()/:-]*\z}.freeze
+
+    # CSS priority flag. Parsed out of the value structurally and re-emitted
+    # canonically, so "!" never enters the value tokeniser.
+    IMPORTANT = /\s*!\s*important\s*\z/i.freeze
+
+    # url() may only reference the current document; same fragment shape
+    # SvgSanitizer.dangerous_value? accepts.
+    FRAGMENT = /#[A-Za-z][\w.-]*/.freeze
+
+    HEX_COLOR = /#\h{3,8}/.freeze
+    NUMBER = /[+-]?(?:\d+\.\d+|\.\d+|\d+)(?:%|px|pt|pc|em|rem|ex|ch|cm|mm|in|deg|rad|grad|turn)?/.freeze
+    IDENT = /[a-zA-Z][a-zA-Z0-9-]*/.freeze
+    FUNCTION_NAME = /[a-zA-Z][a-zA-Z0-9-]*(?=\()/.freeze
+    SEPARATOR = /\s*,\s*|\s+/.freeze
+
+    # Selectors: type/.class/#id compounds joined by descendant or child
+    # combinators, in comma lists. The charset shuts out pseudo-classes (:),
+    # attribute selectors ([), and everything the declaration charset already
+    # excludes.
+    SELECTOR_CHARSET = /\A[a-zA-Z0-9_ #.,*>-]*\z/.freeze
+    SELECTOR_TYPE = /\*|[a-zA-Z][a-zA-Z0-9-]*/.freeze
+    SELECTOR_QUALIFIER = /[.#][A-Za-z_][\w-]*/.freeze
+    COMBINATOR = /\s*>\s*|\s+/.freeze
+
+    module_function
+
+    # Prefixes a bare id/fragment name with the document namespace, unless it is
+    # already prefixed (so re-sanitising is a fixed point). A nil namespace is a
+    # no-op, preserving the document-scoped (non-inline) behaviour.
+    def apply_namespace(namespace, name)
+      return name if namespace.nil? || name.start_with?("#{namespace}-")
+
+      "#{namespace}-#{name}"
+    end
+
+    # Sanitizes a style="" declaration list. When a namespace is given, url(#id)
+    # references are rewritten to url(#namespace-id) so they keep pointing at the
+    # namespaced ids in the same document. Returns the constructed declaration
+    # list, or nil when no declaration survives.
+    def sanitize_declarations(css, namespace: nil)
+      declarations = normalize(css).split(";").filter_map { |declaration| sanitize_declaration(declaration, namespace) }
+      declarations.empty? ? nil : declarations.join(";")
+    end
+
+    # Sanitizes a <style> element's stylesheet. The structure scan accepts
+    # only a flat list of "selectors { declarations }" rules — at-rules,
+    # nested blocks, and unbalanced braces fail the whole sheet closed rather
+    # than surviving in degraded form. Within a well-formed sheet, individual
+    # selectors and declarations drop independently. Returns the constructed
+    # stylesheet, or nil when no rule survives.
+    def sanitize_stylesheet(css, namespace: nil)
+      css = normalize(css)
+      # At-rules (@import, @media, @font-face, @keyframes, ...) have no place in
+      # the allowed subset, and "@" appears nowhere else in it. Rejecting it up
+      # front fails the whole element closed — the rule-by-rule scan below would
+      # otherwise drop only the at-rule and keep later rules, which contradicts
+      # the documented guarantee and risks parser edge cases at the boundary.
+      return nil if css.include?("@")
+
+      scanner = StringScanner.new(css)
+      rules = []
+      until scanner.eos?
+        scanner.skip(/\s+/)
+        break if scanner.eos?
+
+        selectors_src = scanner.scan(/[^{}]+/)
+        return nil unless selectors_src && scanner.skip(/\{/)
+
+        body = scanner.scan(/[^{}]*/)
+        return nil unless scanner.skip(/\}/)
+
+        selectors = sanitize_selectors(selectors_src, namespace)
+        declarations = sanitize_declarations(body, namespace: namespace)
+        rules << "#{selectors}{#{declarations}}" if selectors && declarations
+      end
+      rules.empty? ? nil : rules.join
+    end
+
+    def sanitize_selectors(src, namespace = nil)
+      selectors = src.split(",").filter_map { |selector| sanitize_selector(selector.strip, namespace) }
+      selectors.empty? ? nil : selectors.join(",")
+    end
+
+    def sanitize_selector(selector, namespace = nil)
+      return nil if selector.empty? || !selector.match?(SELECTOR_CHARSET)
+
+      scanner = StringScanner.new(selector)
+      out = +""
+      loop do
+        compound = scan_compound(scanner, namespace)
+        return nil unless compound
+
+        out << compound
+        break if scanner.eos?
+
+        combinator = scanner.scan(COMBINATOR)
+        return nil if combinator.nil? || scanner.eos?
+
+        out << (combinator.include?(">") ? ">" : " ")
+      end
+      scope_selector(namespace, out)
+    end
+
+    # Confines a selector to the namespaced document by anchoring it under the
+    # root's scope class, so a preserved <style> cannot reach a host page if the
+    # SVG is inlined. Universal/type/class selectors that would otherwise match
+    # host elements only match descendants of this document's root. Idempotent:
+    # an already-scoped selector is returned unchanged.
+    def scope_selector(namespace, selector)
+      return selector if namespace.nil?
+
+      scope = ".#{namespace}-scope"
+      selector.start_with?("#{scope} ") ? selector : "#{scope} #{selector}"
+    end
+
+    def scan_compound(scanner, namespace = nil)
+      out = +""
+      if (type = scanner.scan(SELECTOR_TYPE))
+        out << type
+      end
+      while (qualifier = scanner.scan(SELECTOR_QUALIFIER))
+        out << namespace_qualifier(namespace, qualifier)
+      end
+      out.empty? ? nil : out
+    end
+
+    # Prefix an id (#x) or class (.x) selector's name with the namespace so it
+    # matches only this document's namespaced ids/classes, never a host element's.
+    # Type and universal selectors are left alone (they are confined by the root
+    # scope class instead). Idempotent via apply_namespace.
+    def namespace_qualifier(namespace, qualifier)
+      return qualifier if namespace.nil?
+
+      "#{qualifier[0]}#{apply_namespace(namespace, qualifier[1..])}"
+    end
+
+    def normalize(css)
+      css.to_s.tr("\t\r\n\f\v", " ")
+    end
+
+    def sanitize_declaration(declaration, namespace = nil)
+      important = ""
+      if declaration.match?(IMPORTANT)
+        declaration = declaration.sub(IMPORTANT, "")
+        important = "!important"
+      end
+      return nil unless declaration.match?(DECLARATION_CHARSET)
+
+      property, value = declaration.split(":", 2)
+      return nil if value.nil?
+
+      property = property.strip.downcase
+      functions = ALLOWED_PROPERTIES[property]
+      return nil unless functions
+
+      value = sanitize_value(value.strip, functions, namespace)
+      value && "#{property}:#{value}#{important}"
+    end
+
+    # A value is a comma- or space-separated list of tokens: keywords, numbers
+    # with an allowlisted unit, hex colors, and allowlisted functions. The
+    # output is reassembled from the matched tokens.
+    def sanitize_value(value, functions, namespace = nil)
+      scanner = StringScanner.new(value)
+      out = +""
+      loop do
+        token = scan_token(scanner, functions, namespace)
+        return nil unless token
+
+        out << token
+        break if scanner.eos?
+
+        separator = scanner.scan(SEPARATOR)
+        return nil if separator.nil? || scanner.eos?
+
+        out << (separator.include?(",") ? "," : " ")
+      end
+      out
+    end
+
+    def scan_token(scanner, functions, namespace = nil)
+      if (name = scanner.scan(FUNCTION_NAME))
+        scan_function(scanner, name.downcase, functions, namespace)
+      else
+        scanner.scan(HEX_COLOR) || scanner.scan(NUMBER) || scanner.scan(IDENT)
+      end
+    end
+
+    # The scanner is positioned at the "(". url() takes exactly one
+    # same-document fragment; every other allowed function takes numbers.
+    def scan_function(scanner, name, functions, namespace = nil)
+      return nil unless functions.include?(name)
+
+      scanner.skip(/\(\s*/)
+      if name == "url"
+        fragment = scanner.scan(FRAGMENT)
+        return nil unless fragment && scanner.skip(/\s*\)/)
+
+        "url(##{apply_namespace(namespace, fragment[1..])})"
+      else
+        args = []
+        loop do
+          arg = scanner.scan(NUMBER)
+          return nil unless arg
+
+          args << arg
+          break if scanner.skip(/\s*\)/)
+          # Modern color syntax: rgb(R G B / A). The slash separates the alpha,
+          # and is accepted only here, only for color functions — the single
+          # path by which "/" can reach output. Re-emitted in the space form
+          # (mixing commas with "/" is invalid CSS), so the result is valid.
+          if COLOR_FUNCTIONS.include?(name) && scanner.skip(%r{\s*/\s*})
+            alpha = scanner.scan(NUMBER)
+            return nil unless alpha && scanner.skip(/\s*\)/)
+
+            return "#{name}(#{args.join(" ")} / #{alpha})"
+          end
+          return nil unless scanner.skip(SEPARATOR)
+        end
+        "#{name}(#{args.join(",")})"
+      end
+    end
+  end
+end

data/lib/safe_image/svg_metadata.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
 require "pathname"
-require "rexml/document"
-require "rexml/parsers/pullparser"
 
 module SafeImage
   module SvgMetadata
@@ -14,10 +12,55 @@ module SafeImage
     MAX_SVG_ATTRIBUTES = 50_000
     MAX_SVG_DIMENSION = 100_000
     MAX_SVG_PIXELS = 100_000_000
+    # Upper bound on the render tree the document instantiates. The caps above
+    # bound the *source* document, but several allowlisted features replicate
+    # referenced content at render time, so a small source can cost a consumer
+    # (browser/rasterizer) orders of magnitude more work:
+    #   * <use href="#id"> deep-copies its target subtree — a chain of doubling
+    #     groups fans a few dozen nodes into billions ("use bomb"), and a cyclic
+    #     reference expands forever.
+    #   * a <marker> is drawn once per vertex of every path/line/polyline/polygon
+    #     that references it, so (vertex count) x (marker subtree size) draws — a
+    #     dense `d` (~200k vertices fit in 1 MB) times a non-trivial marker is a
+    #     linear-but-huge "draw bomb" no node/byte/element cap can see.
+    # SvgSanitizer charges both against this single budget over the sanitized
+    # tree (renderer-free static accounting) and rejects when it is exceeded.
+    MAX_SVG_RENDER_UNITS = 1_000_000
 
     LENGTH_PATTERN = /\A\s*([+]?(?:\d+(?:\.\d+)?|\.\d+))(?:px)?\s*\z/i.freeze
     VIEWBOX_SPLIT = /[\s,]+/.freeze
 
+    # Byte-order marks for the multi-byte encodings whose ASCII characters our
+    # byte-level scans below cannot see through. XML mandates a BOM for UTF-16
+    # and UTF-32, so a document in one of these encodings either carries a BOM
+    # here or contains NUL bytes for its ASCII characters (caught separately).
+    # Order matters: the UTF-32 LE mark begins with the UTF-16 LE mark.
+    NON_UTF8_BOMS = [
+      "\xFF\xFE\x00\x00".b, # UTF-32 LE
+      "\x00\x00\xFE\xFF".b, # UTF-32 BE
+      "\xFF\xFE".b,         # UTF-16 LE
+      "\xFE\xFF".b          # UTF-16 BE
+    ].freeze
+
+    UTF8_BOM = "\xEF\xBB\xBF".b.freeze
+    # Declared encodings we accept: UTF-8/ASCII plus the single-byte,
+    # ASCII-transparent legacy charsets (ISO-8859-*, Windows-125x). Their bytes
+    # below 0x80 decode to identical ASCII, so the byte scans below see the same
+    # markup any decoder (REXML or a browser) does; and being single-byte, no
+    # lead byte can swallow a following quote the way Shift-JIS, GBK, or Big5
+    # can. Multi-byte (Shift-JIS, GBK, EUC-*, ISO-2022-*), transforming (UTF-7:
+    # "+ADw-" decodes to "<"), and NUL-interleaved (UTF-16/32) encodings are
+    # deliberately excluded — they let bytes our ASCII scans cannot see become
+    # markup the parser acts on. The shape match alone is not airtight:
+    # "utf8" or "windows-1259" fit the pattern yet name no real encoding, so a
+    # name must also resolve via Encoding.find to pass — lookalikes fail
+    # closed here instead of leaking REXML's bare ArgumentError to the caller.
+    SAFE_DECLARED_ENCODING =
+      /\A(?:utf-?8|us-ascii|ascii|iso-?8859-?\d{1,2}|(?:windows|cp)-?125\d)\z/i.freeze
+    # ASCII-only so it matches the binary buffer; the optional BOM is stripped
+    # before matching rather than embedded here (which would make this UTF-8).
+    XML_DECL_ENCODING = /\A\s*<\?xml\b[^>]*?\bencoding\s*=\s*["']([^"']+)["']/i.freeze
+
     def probe(path, max_pixels: nil, max_bytes: MAX_SVG_BYTES)
       started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
       path = safe_svg_path(path)
@@ -34,6 +77,14 @@ module SafeImage
     def dimensions(path, max_pixels: nil, max_bytes: MAX_SVG_BYTES)
       xml = read_svg(path, max_bytes: max_bytes)
       _name, attributes = scan_svg!(xml)
+      dimensions_from_attributes(attributes, max_pixels: max_pixels)
+    end
+
+    # Computes and validates the document dimensions from the already-scanned
+    # root attributes, so a caller that has run scan_svg! does not re-read or
+    # re-scan the file. Same width/height-then-viewBox fallback and limits as
+    # dimensions above.
+    def dimensions_from_attributes(attributes, max_pixels: nil)
       width = parse_length(attributes["width"])
       height = parse_length(attributes["height"])
 
@@ -46,27 +97,12 @@ module SafeImage
       validate_dimensions!(width, height, max_pixels: max_pixels)
     end
 
-    # Builds the full REXML tree. Used only by the SVG sanitizer, which needs to
-    # walk and rewrite the document; metadata reads go through the DOM-free
-    # streaming path above. The streaming validation runs first so a document
-    # that breaches the structural caps is rejected before the tree is built.
-    def parse(path, max_bytes: MAX_SVG_BYTES)
-      xml = read_svg(path, max_bytes: max_bytes)
-      scan_svg!(xml)
-      doc = REXML::Document.new(xml)
-      raise InvalidImageError, "SVG root required" unless doc.root&.name == "svg"
-
-      doc
-    rescue REXML::ParseException => e
-      raise InvalidImageError, "invalid SVG: #{e.message}"
-    end
-
     def read_svg(path, max_bytes: MAX_SVG_BYTES)
       path = safe_svg_path(path)
       size = File.size(path)
       raise LimitError, "SVG exceeds #{max_bytes} bytes" if size > max_bytes
 
-      xml = File.binread(path, max_bytes + 1)
+      xml = File.binread(path, max_bytes + 1) || "".b
       raise LimitError, "SVG exceeds #{max_bytes} bytes" if xml.bytesize > max_bytes
       reject_unsafe_xml!(xml)
       xml
@@ -79,10 +115,41 @@ module SafeImage
     end
 
     def reject_unsafe_xml!(xml)
+      # The DOCTYPE/PI scans below are ASCII byte regexes; they only see what
+      # they expect when the bytes we scan decode to the same markup the XML
+      # parser sees. That holds for UTF-8 and single-byte ASCII-transparent
+      # charsets but not for UTF-16/32 or multi-byte/transforming encodings, so
+      # reject those first.
+      reject_unsafe_encoding!(xml)
       raise InvalidImageError, "doctype is not allowed in SVG" if xml.match?(/<!DOCTYPE/i)
       raise InvalidImageError, "XML processing instructions are not allowed in SVG" if xml.match?(/<\?(?!xml\s)/i)
     end
 
+    def reject_unsafe_encoding!(xml)
+      bytes = xml.b
+      # UTF-16/UTF-32 interleave NUL bytes between ASCII characters, hiding
+      # "<!DOCTYPE" from the ASCII scans while the XML parser still decodes and
+      # honours it. (NUL is invalid in XML 1.0 regardless, so this also rejects
+      # garbage.)
+      if NON_UTF8_BOMS.any? { |bom| bytes.start_with?(bom) } || bytes.include?("\x00".b)
+        raise InvalidImageError, "SVG must use a single-byte or UTF-8 encoding"
+      end
+
+      bytes = bytes.byteslice(UTF8_BOM.bytesize..) if bytes.start_with?(UTF8_BOM)
+      match = bytes.match(XML_DECL_ENCODING)
+      return unless match
+      return if match[1].match?(SAFE_DECLARED_ENCODING) && known_encoding?(match[1])
+
+      raise InvalidImageError, "unsupported SVG encoding: #{match[1]}"
+    end
+
+    def known_encoding?(name)
+      Encoding.find(name)
+      true
+    rescue ArgumentError
+      false
+    end
+
     def parse_length(value)
       value = value.to_s
       match = LENGTH_PATTERN.match(value)
@@ -119,44 +186,103 @@ module SafeImage
       [width.ceil, height.ceil]
     end
 
-    # Streams the document with a pull parser, enforcing the structural caps as
-    # events arrive, so a hostile "millions of tiny elements" document is
-    # rejected at the cap without ever retaining the multi-million-object DOM
-    # that a parse-then-validate approach would build first. Returns the root
-    # element's name and its attributes hash.
+    # Streams the document with a SAX parser, enforcing the structural caps as
+    # events arrive (see cap_scanner_class), so a hostile "millions of tiny
+    # elements" document is rejected at the cap without ever retaining the
+    # multi-million-object DOM a parse-then-validate approach would build.
+    # Returns the root element's local name and a localname=>value hash of its
+    # attributes, matching the contract dimensions_from_attributes consumes.
+    #
+    # SAX does NOT raise on malformed XML even with recovery disabled — it
+    # reports through the error callback and keeps going — so well-formedness is
+    # enforced by recording any reported error and rejecting after the parse.
+    # This reproduces the old REXML pull-parser's reject set (unclosed/mismatched
+    # tags, trailing junk) and is strictly stricter on multiple root elements,
+    # which is a safe direction for a gate.
     def scan_svg!(xml)
-      parser = REXML::Parsers::PullParser.new(xml)
-      depth = -1
-      elements = 0
-      attributes = 0
-      root_name = nil
-      root_attributes = nil
-
-      while parser.has_next?
-        event = parser.pull
-        if event.start_element?
-          depth += 1
-          raise LimitError, "SVG nesting exceeds #{MAX_SVG_DEPTH}" if depth > MAX_SVG_DEPTH
-
-          elements += 1
-          raise LimitError, "SVG has too many elements" if elements > MAX_SVG_ELEMENTS
-
-          attributes += event[1].size
-          raise LimitError, "SVG has too many attributes" if attributes > MAX_SVG_ATTRIBUTES
-
-          if root_name.nil?
-            root_name = event[0]
-            root_attributes = event[1]
-          end
-        elsif event.end_element?
-          depth -= 1
-        end
+      require_nokogiri
+      handler = cap_scanner_class.new
+      parser = Nokogiri::XML::SAX::Parser.new(handler)
+      begin
+        # recovery: false — do not silently repair malformed markup. Errors still
+        # arrive via the error callback rather than as exceptions, so they are
+        # checked explicitly below.
+        parser.parse(xml) { |ctx| ctx.recovery = false }
+      rescue LimitError, InvalidImageError
+        raise # our own cap/validation rejections, surfaced from a callback
+      rescue StandardError => e
+        # Nokogiri rejects some inputs by raising rather than via the error
+        # callback (e.g. empty input -> "input string cannot be empty"). Keep
+        # untrusted-input failures inside our error hierarchy.
+        raise InvalidImageError, "invalid SVG: #{e.message}"
       end
 
-      raise InvalidImageError, "SVG root required" unless root_name == "svg"
-      [root_name, root_attributes]
-    rescue REXML::ParseException => e
-      raise InvalidImageError, "invalid SVG: #{e.message}"
+      raise InvalidImageError, "invalid SVG: #{handler.parse_error}" if handler.parse_error
+      raise InvalidImageError, "SVG root required" unless handler.root_name == "svg"
+
+      [handler.root_name, handler.root_attributes]
+    end
+
+    # Loaded on first SVG use, not at file load: keeping the XML library off the
+    # hot path of every non-SVG operation (and every sandbox worker boot) where
+    # it would otherwise be paid for nothing.
+    def require_nokogiri
+      require "nokogiri"
+    end
+
+    # The SAX cap-enforcement handler, built lazily and memoised the first time
+    # an SVG is scanned. It subclasses Nokogiri::XML::SAX::Document, so it cannot
+    # be declared at file-load time without forcing nokogiri to load eagerly and
+    # defeating the lazy require above. A breached cap raises LimitError straight
+    # out of a callback; libxml2 propagates it at the next event boundary, so the
+    # parse aborts promptly rather than scanning to the end (verified: rejection
+    # time grows far slower than input size).
+    def cap_scanner_class
+      @cap_scanner_class ||= Class.new(Nokogiri::XML::SAX::Document) do
+        attr_reader :root_name, :root_attributes, :parse_error
+
+        def initialize
+          super
+          @depth = -1
+          @elements = 0
+          @attributes = 0
+          @root_name = nil
+          @root_attributes = nil
+          @parse_error = nil
+        end
+
+        # attrs: array of Nokogiri::XML::SAX::Parser::Attribute (localname/value),
+        # NOT including namespace declarations; `ns` carries the xmlns decls. Both
+        # count toward the attribute cap so the bound cannot be sidestepped by
+        # spraying namespace declarations.
+        def start_element_namespace(name, attrs = [], _prefix = nil, _uri = nil, ns = [])
+          @depth += 1
+          raise LimitError, "SVG nesting exceeds #{MAX_SVG_DEPTH}" if @depth > MAX_SVG_DEPTH
+
+          @elements += 1
+          raise LimitError, "SVG has too many elements" if @elements > MAX_SVG_ELEMENTS
+
+          @attributes += attrs.length + ns.length
+          raise LimitError, "SVG has too many attributes" if @attributes > MAX_SVG_ATTRIBUTES
+
+          return unless @root_name.nil?
+
+          @root_name = name
+          @root_attributes = attrs.each_with_object({}) { |attr, hash| hash[attr.localname] = attr.value }
+        end
+
+        def end_element_namespace(_name, _prefix = nil, _uri = nil)
+          @depth -= 1
+        end
+
+        # libxml2 reports well-formedness violations here rather than raising;
+        # record the first so scan_svg! can reject on it.
+        def error(message)
+          @parse_error ||= message.to_s.strip
+        end
+
+        def warning(_message); end
+      end
     end
   end
 end