fix: resolve critical security vulnerabilities (pickle RCE, XSS, silent failures)fix: resolve critical security vulnerabilities (pickle RCE, XSS, sile…

[zcai7675-bot]

1 fix: resolve critical security vulnerabilities (pickle RCE, XSS, silent failures)

---

📄 PR 描述（复制全部内容）

  1 ## Summary
  2
  3 This PR addresses three critical security vulnerabilities in the Dify codebase:
  4
  5 ### 1. 🔴 CRITICAL: Replace unsafe pickle serialization with JSON
  6 **Files**: `api/models/dataset.py`, `api/core/rag/embedding/cached_embedding.py`
  7
  8 **Problem**: The codebase uses `pickle.dumps()`/`pickle.loads()` to serialize embedding vectors in the database. This is a known Remote Code Execution (RCE)
    vulnerability - if the database is compromised, attackers can inject malicious pickle payloads.
  9
 10 **Solution**: Replace `pickle` with `json.dumps()/.loads()` since embeddings are just float arrays.
Before (VULNERABLE)
self.embedding = pickle.dumps(embedding_data, protocol=pickle.HIGHEST_PROTOCOL)
return pickle.loads(self.embedding)

After (SAFE)
self.embedding = json.dumps(embedding_data).encode("utf-8")
return json.loads(self.embedding.decode("utf-8"))

 1
 2 ### 2. 🟠 HIGH: Add DOMPurify sanitization to Mermaid SVG rendering
 3 **File**: `web/app/components/base/mermaid/index.tsx`
 4
 5 **Problem**: Mermaid-generated SVG is rendered via `dangerouslySetInnerHTML` without sanitization, making it vulnerable to XSS attacks through crafted Mermaid diagrams.
 6
 7 **Solution**: Apply `DOMPurify.sanitize()` before rendering, consistent with existing `svg-gallery` component security practice.
// Before
dangerouslySetInnerHTML={{ __html: svgString }}

// After
dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(svgString) }}

  1
  2 ### 3. 🟡 MEDIUM: Replace empty error handlers with proper logging
  3 **File**: `web/app/components/header/account-setting/model-provider-page/provider-added-card/index.tsx`
  4
  5 **Problem**: Empty `.catch(() => {})` handlers silently swallow errors, making debugging difficult and hiding failures from users.
  6
  7 **Solution**: Add `console.error()` logging to make failures visible.
  8
  9 ## Impact
 10 - **Security**: Eliminates RCE vector in embedding cache (CVE-worthy pattern)
 11 - **Security**: Prevents XSS through SVG injection
 12 - **DX**: Makes errors visible for troubleshooting
 13
 14 ## Checklist
 15 - [x] My code follows the project's code style
 16 - [x] I have performed a self-review of my own code
 17 - [x] I have read the CONTRIBUTING guidelines

---

[github-actions]

Pyrefly Diff

No changes detected.