chore(api): enhance ruff rules to disallow dangerous functions and modules (#16461)

2025-08-12 03:49:04 +08:00 · 2025-03-21 17:49:35 +08:00 · 2025-03-21 17:49:35 +08:00 · 383af7bf76
commit 383af7bf76
parent ac910ed200
2 changed files with 7 additions and 1 deletions
--- a/api/.ruff.toml
+++ b/api/.ruff.toml
@ -37,6 +37,12 @@ select = [
    "UP", # pyupgrade rules
    "W191", # tab-indentation
    "W605", # invalid-escape-sequence
+    # security related linting rules
+    # RCE proctection (sort of)
+    "S102", # exec-builtin, disallow use of `exec`
+    "S307", # suspicious-eval-usage, disallow use of `eval` and `ast.literal_eval`
+    "S301", # suspicious-pickle-usage, disallow use of `pickle` and its wrappers.
+    "S302", # suspicious-marshal-usage, disallow use of `marshal` module
 ]

 ignore = [
--- a/api/models/dataset.py
+++ b/api/models/dataset.py
@ -910,7 +910,7 @@ class Embedding(db.Model):  # type: ignore[name-defined]
        self.embedding = pickle.dumps(embedding_data, protocol=pickle.HIGHEST_PROTOCOL)

    def get_embedding(self) -> list[float]:
-        return cast(list[float], pickle.loads(self.embedding))
+        return cast(list[float], pickle.loads(self.embedding))  # noqa: S301


 class DatasetCollectionBinding(db.Model):  # type: ignore[name-defined]