safe_image 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (42) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +21 -12
  3. data/README.md +140 -287
  4. data/SECURITY.md +22 -11
  5. data/docs/architecture.md +63 -0
  6. data/ext/safe_image_vips_helper/extconf.rb +43 -0
  7. data/ext/safe_image_vips_helper/safe_image_vips_helper.c +1007 -0
  8. data/lib/safe_image/api/metadata.rb +85 -0
  9. data/lib/safe_image/api/transform.rb +152 -0
  10. data/lib/safe_image/backend_label.rb +24 -0
  11. data/lib/safe_image/formats.rb +96 -0
  12. data/lib/safe_image/ico.rb +42 -40
  13. data/lib/safe_image/image_magick_backend.rb +219 -162
  14. data/lib/safe_image/jpegli_backend.rb +64 -44
  15. data/lib/safe_image/metadata_operations.rb +155 -0
  16. data/lib/safe_image/native.rb +96 -290
  17. data/lib/safe_image/native_helper.rb +281 -0
  18. data/lib/safe_image/operation_backends/base.rb +83 -0
  19. data/lib/safe_image/operation_backends/image_magick.rb +123 -0
  20. data/lib/safe_image/operation_backends/vips.rb +251 -0
  21. data/lib/safe_image/operation_backends.rb +27 -0
  22. data/lib/safe_image/operation_set.rb +22 -0
  23. data/lib/safe_image/optimizer.rb +225 -98
  24. data/lib/safe_image/path_safety.rb +11 -0
  25. data/lib/safe_image/processor.rb +122 -85
  26. data/lib/safe_image/quality_defaults.rb +23 -0
  27. data/lib/safe_image/remote.rb +248 -144
  28. data/lib/safe_image/result.rb +71 -23
  29. data/lib/safe_image/runner.rb +60 -23
  30. data/lib/safe_image/sandbox.rb +44 -218
  31. data/lib/safe_image/staged_output.rb +44 -0
  32. data/lib/safe_image/svg_metadata.rb +74 -69
  33. data/lib/safe_image/transform_operations.rb +139 -0
  34. data/lib/safe_image/version.rb +1 -1
  35. data/lib/safe_image/vips_backend.rb +13 -12
  36. data/lib/safe_image.rb +62 -306
  37. metadata +43 -37
  38. data/lib/safe_image/discourse_compat.rb +0 -441
  39. data/lib/safe_image/svg_css.rb +0 -314
  40. data/lib/safe_image/svg_sanitizer.rb +0 -583
  41. data/lib/safe_image/vips_glue.rb +0 -361
  42. data/lib/safe_image/zygote.rb +0 -619
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ce9a76b504fa826aef4164c5748c800a95828ef7fda6bda3a00e7e85f0134f38
4
- data.tar.gz: 61c5ebac14806e8e3445c3e7aa73bb1ab5191cc414e1af311b752ad0be492bc7
3
+ metadata.gz: 1f73bfd1e95c6fbb93ad43254cbff0b2d14cf1d667b5af58daf3e7f2311e3240
4
+ data.tar.gz: 598bc5111672e82b922bfc134c168488ad9348b2b85cf5d6f3ac6d12c959ddfc
5
5
  SHA512:
6
- metadata.gz: 5d15f34ca4de05f1ca4618695bc3993a000ce38a7de54afde86ac87497c0288ad0ed37493ca31431669341be10991bbcdb5192796ea6bdb3af016943adfac2bc
7
- data.tar.gz: e71a59800452d4d396741e4e28134c47403490100233e803644a90a0ca967abd74fb5572a936a7af247411cb2055378982bccad89085085184aa92c66ca94d0d
6
+ metadata.gz: d3dd059f65b1f5d5ad43290aaf3e654817eca8d5127f90717cbf91739c31b92c9674c5fcc73c5b61a5b2be724c5b8053e298a35f6063cd880959a3ccfb9916c8
7
+ data.tar.gz: 5eeb7da08494d4e76f6ba5e9aa6479b083c8e1cd8f40fa7779537c00884a0e5cb068714b6fbf6ece00fc82fcdc39919c458c2fadcc4740b1348786a88871fb7a
data/CHANGELOG.md CHANGED
@@ -5,6 +5,19 @@ All notable changes to this project will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [0.4.0 - 2026-06-18]
9
+
10
+ ### Removed (breaking)
11
+
12
+ - Removed `SafeImage.sanitize_svg!` and the internal SVG/CSS sanitizer
13
+ implementation. Safe Image still supports bounded SVG metadata probing for
14
+ local and remote `.svg` files, but applications that need to clean or inline
15
+ user-supplied SVG content must use a dedicated sanitizer outside this gem.
16
+ - Removed the compatibility/in-place file-writing APIs. `resize`, `crop`,
17
+ `downsize`, `convert`, `fix_orientation`, `convert_favicon_to_png`, and
18
+ `optimize` now require explicit, distinct `input:` and `output:` paths;
19
+ `optimize_image!` and `convert_to_jpeg` are gone.
20
+
8
21
  ## [0.3.0 - 2026-06-12]
9
22
 
10
23
  ### Changed (breaking)
@@ -81,8 +94,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
81
94
  allowlist, all TCP denied on ABI ≥ 4, abstract-unix-socket/signal scopes on
82
95
  ABI ≥ 6), and — when the installed `landlock` gem exposes
83
96
  `seccomp_deny_network!` — the helper's deny-all-network seccomp filter
84
- (blocking sockets of every family, closing the UDP gap the in-process
85
- Landlock policy alone leaves open), *before* touching untrusted input, and
97
+ (blocking sockets of every family), *before* touching untrusted input, and
86
98
  exits after the operation. Workers are pooled so N threads run N sandboxed
87
99
  operations at once (the single zygote would serialise them): the pool grows
88
100
  on demand to `SAFE_IMAGE_ZYGOTE_WORKERS` (default 8) and offered concurrency
@@ -284,18 +296,15 @@ between backends.
284
296
  - Graceful operation without libvips: the new `SafeImage::VipsUnavailableError`
285
297
  (a subclass of `UnsupportedFormatError`) makes `backend: :auto` route through
286
298
  ImageMagick on hosts without the library, while explicit `backend: :vips`
287
- calls fail closed. `SafeImage::VipsGlue.available?` reports the state.
299
+ calls fail closed. `SafeImage::Native.available?` reports the state.
288
300
  - `docker/run.sh`: containerised validation against Debian bookworm's packaged
289
- libvips 8.14 with no toolchain installed.
301
+ libvips 8.14 and native-helper build/install.
290
302
 
291
303
  ### Changed
292
304
 
293
- - **The compiled C extension is gone.** libvips is now bound at runtime
294
- through a minimal Fiddle binding (`SafeImage::VipsGlue`) that exposes only
295
- the operations the gem invokes. Nothing compiles at gem install time; the
296
- only gem dependencies are `fiddle` and `rexml`. Minimum libvips is 8.13
297
- (Debian bookworm's 8.14 package is tested); `SAFE_IMAGE_LIBVIPS` overrides
298
- the library name.
305
+ - **The compiled C helper owns libvips execution.** libvips is initialized in
306
+ the bundled helper process, which exposes only the operations the gem invokes.
307
+ Minimum libvips is 8.13 (Debian bookworm's 8.14 package is tested).
299
308
  - All transform defaults are now native-first: `resize`, `crop`, `downsize`,
300
309
  `convert` and `thumbnail` default to `backend: :auto` (previously
301
310
  ImageMagick for the first three and `:vips` fail-closed for `thumbnail`).
@@ -337,8 +346,8 @@ between backends.
337
346
  untrusted-operation block: JPEG XL is part of the supported input surface,
338
347
  and inputs still pass extension routing, pixel caps and (optionally) the
339
348
  Landlock sandbox.
340
- - The Fiddle binding doubles as an operation allowlist, and a leak-loop test
341
- guards GObject reference handling.
349
+ - The native helper doubles as an operation allowlist, and a leak-loop test
350
+ guards helper request handling.
342
351
 
343
352
  ## [0.1.0] - 2026-06-09
344
353