
chore(api): enhance ruff rules to disallow dangerous functions and modules (#16461)

QuantumGhost 1 mēnesi atpakaļ
vecāks
revīzija
383af7bf76
2 mainītis faili ar 7 papildinājumiem un 1 dzēšanām
  1. 6 0
      api/.ruff.toml
  2. 1 1
      api/models/dataset.py

+ 6 - 0
api/.ruff.toml

@@ -37,6 +37,12 @@ select = [
     "UP", # pyupgrade rules
     "W191", # tab-indentation
     "W605", # invalid-escape-sequence
+    # security related linting rules
+    # RCE proctection (sort of)
+    "S102", # exec-builtin, disallow use of `exec`
+    "S307", # suspicious-eval-usage, disallow use of `eval` and `ast.literal_eval`
+    "S301", # suspicious-pickle-usage, disallow use of `pickle` and its wrappers.
+    "S302", # suspicious-marshal-usage, disallow use of `marshal` module
 ]
 
 ignore = [
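Review bot: The comment on `S307` overstates the rule: to my knowledge it flags the builtin `eval` and points to `ast.literal_eval` as the safer replacement, so saying it disallows `ast.literal_eval` steers readers away from the recommended fix. I would reword it to `"S307", # suspicious-eval-usage, disallow builtin eval; prefer ast.literal_eval for literals` and correct the typo to `# RCE protection (sort of)`. The `S301` and `S302` comments are also broader than the rules appear to be, since the other file in this commit needed a `noqa` only on `pickle.loads` and not on `pickle.dumps`; wording such as "flags pickle deserialization calls and their wrappers" would be more accurate. The `select` list starts above this hunk, so I cannot see which other security rules are already enabled.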

+ 1 - 1
api/models/dataset.py

@@ -910,7 +910,7 @@ class Embedding(db.Model):  # type: ignore[name-defined]
         self.embedding = pickle.dumps(embedding_data, protocol=pickle.HIGHEST_PROTOCOL)
 
     def get_embedding(self) -> list[float]:
-        return cast(list[float], pickle.loads(self.embedding))
+        return cast(list[float], pickle.loads(self.embedding))  # noqa: S301
 
 
 class DatasetCollectionBinding(db.Model):  # type: ignore[name-defined]
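Review bot: The `# noqa: S301` in `get_embedding` silences the new rule on the one `pickle.loads` call shown here without recording why it is considered safe. `self.embedding` is presumably read back from a database column, so anyone able to write that column (a restored backup, a separate injection bug) would get code execution when embeddings are loaded. That trust assumption should sit next to the suppression, e.g. `# noqa: S301 - bytes are produced only by set_embedding; DB contents are trusted`. Since the value is a plain `list[float]`, a non-executable encoding such as JSON or a packed array of doubles would remove the need for the suppression, though existing rows would need migrating. The `Embedding` class and `set_embedding` start above this hunk, so I cannot see how else the column is written.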