From e66b614aedd5a496b0a51c72a386f44c237525b9 Mon Sep 17 00:00:00 2001
From: Andrey Glushkov
Date: Wed, 20 Dec 2023 16:59:03 +0300
Subject: [PATCH] Add vips_block_untrusted_set and vips_operation_block_set methods
---
 lib/vips/operation.rb | 5 +++++
 spec/block_operations_spec.rb | 34 ++++++++++++++++++++++++++++++++++
 spec/image_spec.rb | 4 ----
 spec/spec_helper.rb | 8 ++++++++
 4 files changed, 47 insertions(+), 4 deletions(-)
 create mode 100644 spec/block_operations_spec.rb
diff --git a/lib/vips/operation.rb b/lib/vips/operation.rb
index 9bc14d8..ddaa1b2 100644
--- a/lib/vips/operation.rb
+++ b/lib/vips/operation.rb
@@ -8,6 +8,11 @@ require "set"
 module Vips
+ if at_least_libvips?(8, 13)
+ attach_function :vips_block_untrusted_set, [:bool], :void
+ attach_function :vips_operation_block_set, %i[string bool], :void
+ end
+
 private
 attach_function :vips_operation_new, [:string], :pointer
diff --git a/spec/block_operations_spec.rb b/spec/block_operations_spec.rb
new file mode 100644
index 0000000..44f0faa
--- /dev/null
+++ b/spec/block_operations_spec.rb
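Review bot: In lib/vips/operation.rb the two bindings are defined only when `at_least_libvips?(8, 13)` is true, so on an older libvips a hardening call such as `Vips.vips_block_untrusted_set(true)` raises NoMethodError, and a caller that rescues it goes on loading untrusted formats with nothing blocked. That contract is undocumented; I would add a comment above the `if`, such as `# libvips >= 8.13 only: on older versions these methods are not defined and no operation can be blocked`. The comment should also say that both setters appear to change process-wide state, which is what the new spec relies on when it blocks, loads, and then unblocks. The surrounding `module Vips` body starts and ends outside the hunk.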
@@ -0,0 +1,34 @@
+require "spec_helper"
+
+RSpec.describe Vips, version: [8, 13] do
+ let(:svg_image) { simg("lion.svg") }
+ let(:jpg_image) { simg("wagon.jpg") }
+
+ if has_svg?
+ it "can block untrusted operations", svg: true do
+ untrusted_image = svg_image # svgload operation is known as untrusted
+
+ # Block
+ Vips.vips_block_untrusted_set(true)
+ expect { Vips::Image.new_from_file(untrusted_image) }.to raise_error Vips::Error, /svgload/
+
+ # Unblock
+ Vips.vips_block_untrusted_set(false)
+ expect { Vips::Image.new_from_file(untrusted_image) }.not_to raise_error
+ end
+ end
+
+ if has_jpeg? && has_svg?
+ it "can block specific operations" do
+ # Block all loaders except jpeg
+ Vips.vips_operation_block_set("VipsForeignLoad", true)
+ Vips.vips_operation_block_set("VipsForeignLoadJpeg", false)
+ expect { Vips::Image.new_from_file(svg_image) }.to raise_error Vips::Error, /svgload/
+ expect { Vips::Image.new_from_file(jpg_image) }.not_to raise_error
+
+ # Unblock all loaders
+ Vips.vips_operation_block_set("VipsForeignLoad", false)
+ expect { Vips::Image.new_from_file(svg_image) }.not_to raise_error
+ end
+ end
+end
diff --git a/spec/image_spec.rb b/spec/image_spec.rb
index 2fe5721..38fdb29 100644
--- a/spec/image_spec.rb
+++ b/spec/image_spec.rb
@@ -1,9 +1,5 @@
 require "spec_helper"
-def has_jpeg?
- Vips.type_find("VipsOperation", "jpegload") != nil
-end
-
 RSpec.describe Vips::Image do
 it "can save an image to a file" do
 filename = timg "x.v"
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 2bb5693..76227b0 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -22,6 +22,14 @@ def timg(name)
 File.join(@temp_dir, name)
 end
+def has_jpeg?
+ Vips.type_find("VipsOperation", "jpegload") != nil
+end
+
+def has_svg?
+ Vips.type_find("VipsOperation", "svgload") != nil
+end
+
 RSpec.configure do |config|
 config.around do |example|
 Dir.mktmpdir("ruby-vips-spec-") do |dir|
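Review bot: In spec/block_operations_spec.rb both examples restore the block state only as their last steps, so a failed expectation between the block and unblock calls leaves svgload (or every loader except jpeg) blocked for the rest of the run, and unrelated specs then fail on load. Moving the reset into hooks makes it unconditional: `after { Vips.vips_block_untrusted_set(false) }` and `after { Vips.vips_operation_block_set("VipsForeignLoad", false) }`. The first example also never checks that a loader not marked untrusted (for instance `jpg_image`) still loads while the block is on, so it would pass even if the call blocked every loader.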
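Review bot: In spec/spec_helper.rb `has_jpeg?` and `has_svg?` now decide whether the blocking specs are defined at all, and both depend on `Vips.type_find` returning nil for a missing operation, which nothing in this patch shows. If it returns a numeric GType instead, the `!= nil` comparison is always true and the `if has_svg?` guard never skips on a build without SVG support. Once the return contract is confirmed, a comment such as `# Vips.type_find returns nil when the operation is not built in` would record it, and `!Vips.type_find(...).nil?` is the more idiomatic form. The `RSpec.configure` block in the trailing context continues outside the hunk.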