RubyGems - selma - Versions diffs - 0.2.2 → 0.4.0 - Mend

selma 0.2.2 → 0.4.0

Files changed (14) hide show

checksums.yaml +4 -4
data/Cargo.lock +115 -114
data/README.md +122 -24
data/ext/selma/Cargo.toml +5 -2
data/ext/selma/src/html/element.rs +11 -6
data/ext/selma/src/native_ref_wrap.rs +15 -12
data/ext/selma/src/rewriter.rs +257 -106
data/ext/selma/src/sanitizer.rs +23 -16
data/lib/selma/config.rb +12 -0
data/lib/selma/sanitizer/config/default.rb +1 -1
data/lib/selma/sanitizer/config/relaxed.rb +1 -0
data/lib/selma/sanitizer.rb +6 -1
data/lib/selma/version.rb +1 -1
metadata +8 -7

data/README.md CHANGED Viewed

@@ -76,7 +76,7 @@ attributes: {
 # URL handling protocols to allow in specific attributes. By default, no
 # protocols are allowed. Use :relative in place of a protocol if you want
-# to allow relative URLs sans protocol.
+# to allow relative URLs sans protocol. Set to `:all` to allow any protocol.
 protocols: {
     "a" => { "href" => ["http", "https", "mailto", :relative] },
     "img" => { "href" => ["http", "https"] },
@@ -103,7 +103,11 @@ Here's an example which rewrites the `href` attribute on `a` and the `src` attri
 ```ruby
 class MatchAttribute
-  SELECTOR = Selma::Selector(match_element: %(a[href^="http:"], img[src^="http:"]"))
+  SELECTOR = Selma::Selector.new(match_element: %(a[href^="http:"], img[src^="http:"]"))
+  def selector
+    SELECTOR
+  end
   def handle_element(element)
     if element.tag_name == "a"
@@ -176,40 +180,134 @@ The `element` argument in `handle_element` has the following methods:
 - `after(content, as: content_type)`: Inserts `content` after the text. `content_type` is either `:text` or `:html` and determines how the content will be applied.
 - `replace(content, as: content_type)`: Replaces the text node with `content`. `content_type` is either `:text` or `:html` and determines how the content will be applied.
+## Security
+Theoretically, a malicious user can provide a very large document for processing, which can exhaust the memory of the host machine. To set a limit on how much string content is processed at once, you can provide two options into the `memory` namespace:
+```ruby
+memory: {
+  max_allowed_memory_usage: 1000,
+  preallocated_parsing_buffer_size: 100,
+},
+```
+Note that `preallocated_parsing_buffer_size` must always be less than `max_allowed_memory_usage`. See [the`lol_html` project documentation](https://docs.rs/lol_html/1.2.1/lol_html/struct.MemorySettings.html) to learn more about the default values.
 ## Benchmarks
+When `bundle exec rake benchmark`, two different benchmarks are calculated. Here are those results on my machine.
+### Benchmarks for just the sanitization process
+Comparing Selma against popular Ruby sanitization gems:
+<!-- prettier-ignore-start -->
 <details>
 <pre>
-ruby test/benchmark.rb
-ruby test/benchmark.rb
+input size = 25309 bytes, 0.03 MB
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin23]
 Warming up --------------------------------------
-sanitize-document-huge
-                         1.000  i/100ms
- selma-document-huge     1.000  i/100ms
+         sanitize-sm    16.000 i/100ms
+            selma-sm   214.000 i/100ms
 Calculating -------------------------------------
-sanitize-document-huge
-                          0.257  (± 0.0%) i/s -      2.000  in   7.783398s
- selma-document-huge      4.602  (± 0.0%) i/s -     23.000  in   5.002870s
+         sanitize-sm    171.670 (± 1.2%) i/s -      5.152k in  30.017081s
+            selma-sm      2.146k (± 3.0%) i/s -     64.414k in  30.058470s
+Comparison:
+            selma-sm:     2145.8 i/s
+         sanitize-sm:      171.7 i/s - 12.50x  slower
+input size = 86686 bytes, 0.09 MB
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin23]
 Warming up --------------------------------------
-sanitize-document-medium
-                         2.000  i/100ms
-selma-document-medium
-                        22.000  i/100ms
+         sanitize-md     4.000 i/100ms
+            selma-md    56.000 i/100ms
 Calculating -------------------------------------
-sanitize-document-medium
-                         28.676  (± 3.5%) i/s -    144.000  in   5.024669s
-selma-document-medium
-                        121.500  (±22.2%) i/s -    594.000  in   5.135410s
+         sanitize-md     44.397 (± 2.3%) i/s -      1.332k in  30.022430s
+            selma-md    558.448 (± 1.4%) i/s -     16.800k in  30.089196s
+Comparison:
+            selma-md:      558.4 i/s
+         sanitize-md:       44.4 i/s - 12.58x  slower
+input size = 7172510 bytes, 7.17 MB
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin23]
+Warming up --------------------------------------
+         sanitize-lg     1.000 i/100ms
+            selma-lg     1.000 i/100ms
+Calculating -------------------------------------
+         sanitize-lg      0.163 (± 0.0%) i/s -      6.000 in  37.375628s
+            selma-lg      6.750 (± 0.0%) i/s -    203.000 in  30.080976s
+Comparison:
+            selma-lg:        6.7 i/s
+         sanitize-lg:        0.2 i/s - 41.32x  slower
+</pre>
+</details>
+<!-- prettier-ignore-end -->
+### Benchmarks for just the rewriting process
+Comparing Selma against popular Ruby HTML parsing gems:
+<!-- prettier-ignore-start -->
+<details>
+<pre>input size = 25309 bytes, 0.03 MB
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin23]
+Warming up --------------------------------------
+         nokogiri-sm   107.000 i/100ms
+       nokolexbor-sm   340.000 i/100ms
+            selma-sm   380.000 i/100ms
+Calculating -------------------------------------
+         nokogiri-sm      1.073k (± 2.1%) i/s -     32.207k in  30.025474s
+       nokolexbor-sm      3.300k (±13.2%) i/s -     27.540k in  36.788212s
+            selma-sm      3.779k (± 3.4%) i/s -    113.240k in  30.013908s
+Comparison:
+            selma-sm:     3779.4 i/s
+       nokolexbor-sm:     3300.1 i/s - same-ish: difference falls within error
+         nokogiri-sm:     1073.1 i/s - 3.52x  slower
+input size = 86686 bytes, 0.09 MB
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin23]
+Warming up --------------------------------------
+         nokogiri-md    11.000 i/100ms
+       nokolexbor-md    48.000 i/100ms
+            selma-md    53.000 i/100ms
+Calculating -------------------------------------
+         nokogiri-md    103.998 (± 5.8%) i/s -      3.113k in  30.029932s
+       nokolexbor-md    428.928 (± 7.9%) i/s -     12.816k in  30.066662s
+            selma-md    492.190 (± 6.9%) i/s -     14.734k in  30.082943s
+Comparison:
+            selma-md:      492.2 i/s
+       nokolexbor-md:      428.9 i/s - same-ish: difference falls within error
+         nokogiri-md:      104.0 i/s - 4.73x  slower
+input size = 7172510 bytes, 7.17 MB
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin23]
 Warming up --------------------------------------
-sanitize-document-small
-                        10.000  i/100ms
-selma-document-small    20.000  i/100ms
+         nokogiri-lg     1.000 i/100ms
+       nokolexbor-lg     1.000 i/100ms
+            selma-lg     1.000 i/100ms
 Calculating -------------------------------------
-sanitize-document-small
-                        107.280  (± 0.9%) i/s -    540.000  in   5.033850s
-selma-document-small    118.867  (±31.1%) i/s -    540.000  in   5.080726s
+         nokogiri-lg      0.874 (± 0.0%) i/s -     27.000 in  30.921090s
+       nokolexbor-lg      2.227 (± 0.0%) i/s -     67.000 in  30.137903s
+            selma-lg      8.354 (± 0.0%) i/s -    251.000 in  30.075227s
+Comparison:
+            selma-lg:        8.4 i/s
+       nokolexbor-lg:        2.2 i/s - 3.75x  slower
+         nokogiri-lg:        0.9 i/s - 9.56x  slower
 </pre>
 </details>
+<!-- prettier-ignore-end -->
 ## Contributing

data/ext/selma/Cargo.toml CHANGED Viewed

@@ -6,9 +6,12 @@ rust-version = "1.75.0"
 publish = false
 [dependencies]
-enum-iterator = "1.4"
+enum-iterator = "2.1"
 escapist = "0.0.2"
-magnus = "0.6"
+magnus = { version = "0.6", features = ["rb-sys"] }
+rb-sys = { version = "*", default-features = false, features = [
+    "stable-api-compiled-fallback",
+] }
 lol_html = "1.2"
 [lib]

data/ext/selma/src/html/element.rs CHANGED Viewed

@@ -119,11 +119,13 @@ impl SelmaHTMLElement {
                 .iter()
                 .for_each(|attr| match hash.aset(attr.name(), attr.value()) {
                     Ok(_) => {}
-                    Err(err) => Err(Error::new(
-                        exception::runtime_error(),
-                        format!("AttributeNameError: {err:?}"),
-                    ))
-                    .unwrap(),
+                    Err(err) => panic!(
+                        "{:?}",
+                        Error::new(
+                            exception::runtime_error(),
+                            format!("AttributeNameError: {err:?}"),
+                        )
+                    ),
                 });
         }
         Ok(hash)
@@ -139,7 +141,10 @@ impl SelmaHTMLElement {
             .for_each(|ancestor| match array.push(RString::new(ancestor)) {
                 Ok(_) => {}
                 Err(err) => {
-                    Err(Error::new(exception::runtime_error(), format!("{err:?}"))).unwrap()
+                    panic!(
+                        "{:?}",
+                        Error::new(exception::runtime_error(), format!("{err:?}"))
+                    )
                 }
             });

data/ext/selma/src/native_ref_wrap.rs CHANGED Viewed

@@ -1,15 +1,17 @@
-use std::{cell::Cell, marker::PhantomData, rc::Rc};
+use std::{
+    marker::PhantomData,
+    sync::{Arc, Mutex},
+};
-// NOTE: My Rust isn't good enough to know what any of this does,
-// but it was taken from https://github.com/cloudflare/lol-html/blob/1a1ab2e2bf896f815fe8888ed78ccdf46d7c6b85/js-api/src/lib.rs#LL38
+// NOTE: this was taken from https://github.com/cloudflare/lol-html/blob/1a1ab2e2bf896f815fe8888ed78ccdf46d7c6b85/js-api/src/lib.rs#LL38
 pub struct Anchor<'r> {
-    poisoned: Rc<Cell<bool>>,
+    poisoned: Arc<Mutex<bool>>,
     lifetime: PhantomData<&'r mut ()>,
 }
 impl<'r> Anchor<'r> {
-    pub fn new(poisoned: Rc<Cell<bool>>) -> Self {
+    pub fn new(poisoned: Arc<Mutex<bool>>) -> Self {
         Anchor {
             poisoned,
             lifetime: PhantomData,
@@ -19,7 +21,7 @@ impl<'r> Anchor<'r> {
 // impl Drop for Anchor<'_> {
 //     fn drop(&mut self) {
-//         self.poisoned.replace(true);
+//         *self.poisoned.lock().unwrap() = true;
 //     }
 // }
@@ -31,17 +33,17 @@ impl<'r> Anchor<'r> {
 // object results in exception.
 pub struct NativeRefWrap<R> {
     inner_ptr: *mut R,
-    poisoned: Rc<Cell<bool>>,
+    poisoned: Arc<Mutex<bool>>,
 }
 impl<R> NativeRefWrap<R> {
     pub fn wrap<I>(inner: &I) -> (Self, Anchor) {
         let wrap = NativeRefWrap {
             inner_ptr: inner as *const I as *mut R,
-            poisoned: Rc::new(Cell::new(false)),
+            poisoned: Arc::new(Mutex::new(false)),
         };
-        let anchor = Anchor::new(Rc::clone(&wrap.poisoned));
+        let anchor = Anchor::new(Arc::clone(&wrap.poisoned));
         (wrap, anchor)
     }
@@ -49,10 +51,10 @@ impl<R> NativeRefWrap<R> {
     pub fn wrap_mut<I>(inner: &mut I) -> (Self, Anchor) {
         let wrap = NativeRefWrap {
             inner_ptr: inner as *mut I as *mut R,
-            poisoned: Rc::new(Cell::new(false)),
+            poisoned: Arc::new(Mutex::new(false)),
         };
-        let anchor = Anchor::new(Rc::clone(&wrap.poisoned));
+        let anchor = Anchor::new(Arc::clone(&wrap.poisoned));
         (wrap, anchor)
     }
@@ -70,7 +72,8 @@ impl<R> NativeRefWrap<R> {
     }
     fn assert_not_poisoned(&self) -> Result<(), &'static str> {
-        if self.poisoned.get() {
+        let lock = self.poisoned.lock().unwrap();
+        if *lock {
             Err("The object has been freed and can't be used anymore.")
         } else {
             Ok(())