Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: infrastructure upgrade #13892

Draft
wants to merge 454 commits into
base: main
Choose a base branch
from
Draft

chore: infrastructure upgrade #13892

wants to merge 454 commits into from

Conversation

iamjoel
Copy link
Collaborator

@iamjoel iamjoel commented Feb 18, 2025

Summary

Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.

Tip

Close issue syntax: Fixes #<issue number> or Resolves #<issue number>, see documentation for more details.

Screenshots

Before After
... ...

Checklist

Important

Please review the checklist below before submitting your pull request.

  • This change requires a documentation update, included: Dify Document
  • I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)
  • I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
  • I've updated the documentation accordingly.
  • I ran dev/reformat(backend) and cd web && npx lint-staged(frontend) to appease the lint gods

takatost and others added 30 commits November 8, 2024 23:09
@takatost
fix: create basic app causing internal error when default model is no…
f0637ba 
…t exist
@Yeuoly
fix: avoid empty plugin entity
5fd8208
@Yeuoly
Merge branch 'main' into fix/chore-fix
5cdbfe2
@takatost
chore: fix typo
bc0724b
@takatost
fix: hosted moderation
1d2118f
@Yeuoly
feat: add icon and labels to plugin install task
9a69d03
@Yeuoly
Merge branch 'fix/chore-fix' of github.com:langgenius/dify into fix/c…
21fd58c 
…hore-fix
@Yeuoly
feat: export dsl with dependencies
f613642
@Yeuoly
fix: incorrect paths to upgrade plugins
56bd0de
@Yeuoly
fix: uses to check if the tools are already loaded
5828abc
@Yeuoly
feat: support check dependencies through url
183b943
@Yeuoly
feat: support uploading images through plugin
d25e79e
@Yeuoly
feat: support upload bundle
db68ae4
@Yeuoly
feat: sypport batch fetch plugin installations
634cb62
@Yeuoly
Merge branch 'main' into fix/chore-fix
a0543ab
@Yeuoly
fix: rag
6300e50
@Yeuoly
fix: agent
fb4ee81
@Yeuoly
refactor: load tools cache
2cb640d
@Yeuoly
fix: optimize DEFAULT-USER
97a3727
@Yeuoly
fix: convert backwards invocation into BaseBackwardsResponse
8b30099
@Yeuoly
fix: add tenant_id to plugin upload files url
88fac0d
@Yeuoly
fix: remove plugin files
4492295
@Yeuoly
fix: remove signature verify
959d060
@Yeuoly
Merge branch 'main' into fix/chore-fix
2473400
@Yeuoly
fix: ruff
22df86f
@Yeuoly
fix: migration
a700b49
@Yeuoly
fix: add detailed error messages
a6835ac
@Yeuoly
refactor: text-embedding interfaces to returns list[int]
cfa7c89
@Yeuoly
fix
e63ae36
@Yeuoly
optimize: indexing-estimate
1443fd6
zxhlyh and others added 29 commits February 7, 2025 14:04
@zxhlyh
fix: app check dependency (#13320)
a8a8a55
@WTW0313
fix: update Sentry integration methods and upgrade dependencies
802dc15
@WTW0313
Merge branch 'chore/infrastructure-upgrade' of https://github.com/lan…
eeb1ed4 
…ggenius/dify into chore/infrastructure-upgrade
@zxhlyh
fix: plugins task permission (#13330)
7e1d989
@JohnJyong
improve preview document tokenizer (#13328)
d4a0980
@iamjoel
chore: change forward ref to new ref
dbd5e8d
@zxhlyh
fix: models sort in model page (#13334)
fec3bb4
@iamjoel
fix: install installed plugin problem (#13384)
3e9c3d0
@iamjoel
merge plugin/beta
95e2e03
@iamjoel
fix: anchorRef.current may undefined
5e57932
@iamjoel
fix: icon ts problem
688a461
@iamjoel
fix: use ref not set init value
d062519
@iamjoel
chore: jsx to react to jsx
1e4f3bc
@iamjoel
chore: react element to node
acb8e80
@douxc
fix: upgrade @antfu/eslint-config to latest & enable tailwind css rules
fe78f42
@douxc
fix: update eslint config
dcfadbd
@iamjoel
chore: upgrade swr and so on
6653b6e
@iamjoel
chore: remove test code
52f3236
@douxc
fix: disable some tailwindcss eslint rules that cost too much time
cd3d1a8
@douxc
fix: update tailwindcss eslint config
ea7a6e2
@iamjoel
merge
db055b4
@iamjoel
chore: sync to workfows main
e5d43eb
@iamjoel
chore: useless change sync to main and global
79a2a4f
@iamjoel
chore: useless change
6bcb8bc
@iamjoel
chore: sync main
4dbc4b6
@iamjoel
chore: switch ref change
13d3430
@douxc
fix: run eslint-plugin-tailwindcss
52cfe80
@douxc
fix: update tailwindcss cssFiles settings
30dd37a
@iamjoel
chore: make error icons
76a5f66
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 18, 2025
View reviewed changes
web/app/components/header/account-setting/model-provider-page/index.tsx
<Link target="_blank" href={`${MARKETPLACE_URL_PREFIX}`} className='inline-flex items-center system-sm-medium text-text-accent'>
<div className='mb-2 flex items-center pt-2'>
<span className='text-text-tertiary system-sm-regular pr-1'>{t('common.modelProvider.discoverMore')}</span>
<Link target="_blank" href={`${MARKETPLACE_URL_PREFIX}`} className='system-sm-medium text-text-accent inline-flex items-center'>

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix AI 5 days ago

To fix the problem, we need to ensure that the MARKETPLACE_URL_PREFIX is properly sanitized before being used in the href attribute. This can be achieved by validating the URL to ensure it is safe and does not contain any malicious content.

The best way to fix this issue without changing existing functionality is to use a well-known library like DOMPurify to sanitize the URL. This will ensure that any potentially harmful content is removed before the URL is used.

Suggested changeset 2
web/app/components/header/account-setting/model-provider-page/index.tsx

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/web/app/components/header/account-setting/model-provider-page/index.tsx b/web/app/components/header/account-setting/model-provider-page/index.tsx
--- a/web/app/components/header/account-setting/model-provider-page/index.tsx
+++ b/web/app/components/header/account-setting/model-provider-page/index.tsx
@@ -34,2 +34,3 @@
 import { MARKETPLACE_URL_PREFIX } from '@/config'
+import DOMPurify from 'dompurify'
 import cn from '@/utils/classnames'
@@ -167,3 +168,3 @@
             <span className='text-text-tertiary system-sm-regular pr-1'>{t('common.modelProvider.discoverMore')}</span>
-            <Link target="_blank" href={`${MARKETPLACE_URL_PREFIX}`} className='system-sm-medium text-text-accent inline-flex items-center'>
+            <Link target="_blank" href={DOMPurify.sanitize(`${MARKETPLACE_URL_PREFIX}`)} className='system-sm-medium text-text-accent inline-flex items-center'>
               {t('plugin.marketplace.difyMarketplace')}
EOF
@@ -34,2 +34,3 @@
import { MARKETPLACE_URL_PREFIX } from '@/config'
import DOMPurify from 'dompurify'
import cn from '@/utils/classnames'
@@ -167,3 +168,3 @@
<span className='text-text-tertiary system-sm-regular pr-1'>{t('common.modelProvider.discoverMore')}</span>
<Link target="_blank" href={`${MARKETPLACE_URL_PREFIX}`} className='system-sm-medium text-text-accent inline-flex items-center'>
<Link target="_blank" href={DOMPurify.sanitize(`${MARKETPLACE_URL_PREFIX}`)} className='system-sm-medium text-text-accent inline-flex items-center'>
{t('plugin.marketplace.difyMarketplace')}
web/package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/web/package.json b/web/package.json
--- a/web/package.json
+++ b/web/package.json
@@ -122,3 +122,4 @@
         "zundo": "^2.1.0",
-        "zustand": "^4.5.2"
+        "zustand": "^4.5.2",
+        "dompurify": "^3.2.4"
     },
EOF
@@ -122,3 +122,4 @@
"zundo": "^2.1.0",
"zustand": "^4.5.2"
"zustand": "^4.5.2",
"dompurify": "^3.2.4"
},
This fix introduces these dependencies
Package Version Security advisories
dompurify (npm) 3.2.4 None
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
web/app/components/plugins/marketplace/list/card-wrapper.tsx
<Button
variant='primary'
className='w-[calc(50%-4px)]'
onClick={showInstallFromMarketplace}
>
{t('plugin.detailPanel.operation.install')}
</Button>
<a href={`${getPluginLinkInMarketplace(plugin)}?language=${localeFromLocale}`} target='_blank' className='block flex-1 shrink-0 w-[calc(50%-4px)]'>
<a href={`${getPluginLinkInMarketplace(plugin)}?language=${localeFromLocale}`} target='_blank' className='block w-[calc(50%-4px)] flex-1 shrink-0'>

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix AI 5 days ago

To fix the problem, we need to ensure that the URL used in the href attribute is properly sanitized to prevent XSS attacks. One way to achieve this is by using a library like DOMPurify to sanitize the URL before using it. This will ensure that any potentially harmful content is removed from the URL.

  1. Install the DOMPurify library.
  2. Import DOMPurify in the relevant file.
  3. Use DOMPurify to sanitize the URL before using it in the href attribute.
Suggested changeset 2
web/app/components/plugins/marketplace/list/card-wrapper.tsx

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/web/app/components/plugins/marketplace/list/card-wrapper.tsx b/web/app/components/plugins/marketplace/list/card-wrapper.tsx
--- a/web/app/components/plugins/marketplace/list/card-wrapper.tsx
+++ b/web/app/components/plugins/marketplace/list/card-wrapper.tsx
@@ -12,2 +12,3 @@
 import { useTags } from '@/app/components/plugins/hooks'
+import DOMPurify from 'dompurify'
 
@@ -57,3 +58,3 @@
               </Button>
-              <a href={`${getPluginLinkInMarketplace(plugin)}?language=${localeFromLocale}`} target='_blank' className='block w-[calc(50%-4px)] flex-1 shrink-0'>
+              <a href={DOMPurify.sanitize(`${getPluginLinkInMarketplace(plugin)}?language=${localeFromLocale}`)} target='_blank' className='block w-[calc(50%-4px)] flex-1 shrink-0'>
                 <Button
@@ -85,3 +86,3 @@
       className='group relative inline-block cursor-pointer rounded-xl'
-      href={getPluginLinkInMarketplace(plugin)}
+      href={DOMPurify.sanitize(getPluginLinkInMarketplace(plugin))}
     >
EOF
@@ -12,2 +12,3 @@
import { useTags } from '@/app/components/plugins/hooks'
import DOMPurify from 'dompurify'

@@ -57,3 +58,3 @@
</Button>
<a href={`${getPluginLinkInMarketplace(plugin)}?language=${localeFromLocale}`} target='_blank' className='block w-[calc(50%-4px)] flex-1 shrink-0'>
<a href={DOMPurify.sanitize(`${getPluginLinkInMarketplace(plugin)}?language=${localeFromLocale}`)} target='_blank' className='block w-[calc(50%-4px)] flex-1 shrink-0'>
<Button
@@ -85,3 +86,3 @@
className='group relative inline-block cursor-pointer rounded-xl'
href={getPluginLinkInMarketplace(plugin)}
href={DOMPurify.sanitize(getPluginLinkInMarketplace(plugin))}
>
web/package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/web/package.json b/web/package.json
--- a/web/package.json
+++ b/web/package.json
@@ -122,3 +122,4 @@
         "zundo": "^2.1.0",
-        "zustand": "^4.5.2"
+        "zustand": "^4.5.2",
+        "dompurify": "^3.2.4"
     },
EOF
@@ -122,3 +122,4 @@
"zundo": "^2.1.0",
"zustand": "^4.5.2"
"zustand": "^4.5.2",
"dompurify": "^3.2.4"
},
This fix introduces these dependencies
Package Version Security advisories
dompurify (npm) 3.2.4 None
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
web/app/components/plugins/plugin-detail-panel/operation-dropdown.tsx
>{t('plugin.detailPanel.operation.checkUpdate')}</div>
)}
{(source === PluginSource.marketplace || source === PluginSource.github) && (
<a href={detailUrl} target='_blank' className='flex items-center px-3 py-1.5 rounded-lg text-text-secondary system-md-regular cursor-pointer hover:bg-state-base-hover'>
<a href={detailUrl} target='_blank' className='text-text-secondary system-md-regular hover:bg-state-base-hover flex cursor-pointer items-center rounded-lg px-3 py-1.5'>

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix AI 6 days ago

To fix the problem, we need to ensure that the detailUrl is properly sanitized before being used in the anchor tag's href attribute. This can be achieved by using a library like DOMPurify to sanitize the URL and prevent any malicious scripts from being executed.

  1. Install the DOMPurify library.
  2. Import DOMPurify in the relevant file.
  3. Use DOMPurify to sanitize the detailUrl before using it in the anchor tag.
Suggested changeset 2
web/app/components/plugins/plugin-detail-panel/operation-dropdown.tsx

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/web/app/components/plugins/plugin-detail-panel/operation-dropdown.tsx b/web/app/components/plugins/plugin-detail-panel/operation-dropdown.tsx
--- a/web/app/components/plugins/plugin-detail-panel/operation-dropdown.tsx
+++ b/web/app/components/plugins/plugin-detail-panel/operation-dropdown.tsx
@@ -14,2 +14,3 @@
 import cn from '@/utils/classnames'
+import DOMPurify from 'dompurify'
 
@@ -42,2 +43,4 @@
 
+  const sanitizedDetailUrl = DOMPurify.sanitize(detailUrl)
+
   return (
@@ -80,3 +83,3 @@
           {(source === PluginSource.marketplace || source === PluginSource.github) && (
-            <a href={detailUrl} target='_blank' className='text-text-secondary system-md-regular hover:bg-state-base-hover flex cursor-pointer items-center rounded-lg px-3 py-1.5'>
+            <a href={sanitizedDetailUrl} target='_blank' className='text-text-secondary system-md-regular hover:bg-state-base-hover flex cursor-pointer items-center rounded-lg px-3 py-1.5'>
               <span className='grow'>{t('plugin.detailPanel.operation.viewDetail')}</span>
EOF
@@ -14,2 +14,3 @@
import cn from '@/utils/classnames'
import DOMPurify from 'dompurify'

@@ -42,2 +43,4 @@

const sanitizedDetailUrl = DOMPurify.sanitize(detailUrl)

return (
@@ -80,3 +83,3 @@
{(source === PluginSource.marketplace || source === PluginSource.github) && (
<a href={detailUrl} target='_blank' className='text-text-secondary system-md-regular hover:bg-state-base-hover flex cursor-pointer items-center rounded-lg px-3 py-1.5'>
<a href={sanitizedDetailUrl} target='_blank' className='text-text-secondary system-md-regular hover:bg-state-base-hover flex cursor-pointer items-center rounded-lg px-3 py-1.5'>
<span className='grow'>{t('plugin.detailPanel.operation.viewDetail')}</span>
web/package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/web/package.json b/web/package.json
--- a/web/package.json
+++ b/web/package.json
@@ -122,3 +122,4 @@
         "zundo": "^2.1.0",
-        "zustand": "^4.5.2"
+        "zustand": "^4.5.2",
+        "dompurify": "^3.2.4"
     },
EOF
@@ -122,3 +122,4 @@
"zundo": "^2.1.0",
"zustand": "^4.5.2"
"zustand": "^4.5.2",
"dompurify": "^3.2.4"
},
This fix introduces these dependencies
Package Version Security advisories
dompurify (npm) 3.2.4 None
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
web/app/components/workflow/block-selector/market-place-plugin/action.tsx
<a href={`${MARKETPLACE_URL_PREFIX}/plugins/${author}/${name}`} target='_blank' className='block px-3 py-1.5 rounded-lg text-text-secondary system-md-regular cursor-pointer hover:bg-state-base-hover'>{t('common.operation.viewDetails')}</a>
<div className='bg-components-panel-bg-blur border-components-panel-border w-[112px] rounded-xl border-[0.5px] p-1 shadow-lg'>
<div onClick={handleDownload} className='text-text-secondary system-md-regular hover:bg-state-base-hover cursor-pointer rounded-lg px-3 py-1.5'>{t('common.operation.download')}</div>
<a href={`${MARKETPLACE_URL_PREFIX}/plugins/${author}/${name}`} target='_blank' className='text-text-secondary system-md-regular hover:bg-state-base-hover block cursor-pointer rounded-lg px-3 py-1.5'>{t('common.operation.viewDetails')}</a>

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix AI 5 days ago

To fix the problem, we need to ensure that the value of MARKETPLACE_URL_PREFIX is properly sanitized before being used in the href attribute. One way to achieve this is by using a library like DOMPurify to sanitize the URL. This will ensure that any potentially malicious content is removed before the URL is used.

  1. Install the DOMPurify library.
  2. Import DOMPurify in the relevant file.
  3. Use DOMPurify to sanitize the MARKETPLACE_URL_PREFIX before using it in the href attribute.
Suggested changeset 2
web/app/components/workflow/block-selector/market-place-plugin/action.tsx

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/web/app/components/workflow/block-selector/market-place-plugin/action.tsx b/web/app/components/workflow/block-selector/market-place-plugin/action.tsx
--- a/web/app/components/workflow/block-selector/market-place-plugin/action.tsx
+++ b/web/app/components/workflow/block-selector/market-place-plugin/action.tsx
@@ -16,2 +16,3 @@
 import { downloadFile } from '@/utils/format'
+import DOMPurify from 'dompurify'
 
@@ -62,2 +63,3 @@
   }, [blob])
+  const sanitizedMarketplaceUrlPrefix = DOMPurify.sanitize(MARKETPLACE_URL_PREFIX)
   return (
@@ -80,3 +82,3 @@
           <div onClick={handleDownload} className='text-text-secondary system-md-regular hover:bg-state-base-hover cursor-pointer rounded-lg px-3 py-1.5'>{t('common.operation.download')}</div>
-          <a href={`${MARKETPLACE_URL_PREFIX}/plugins/${author}/${name}`} target='_blank' className='text-text-secondary system-md-regular hover:bg-state-base-hover block cursor-pointer rounded-lg px-3 py-1.5'>{t('common.operation.viewDetails')}</a>
+          <a href={`${sanitizedMarketplaceUrlPrefix}/plugins/${author}/${name}`} target='_blank' className='text-text-secondary system-md-regular hover:bg-state-base-hover block cursor-pointer rounded-lg px-3 py-1.5'>{t('common.operation.viewDetails')}</a>
         </div>
EOF
@@ -16,2 +16,3 @@
import { downloadFile } from '@/utils/format'
import DOMPurify from 'dompurify'

@@ -62,2 +63,3 @@
}, [blob])
const sanitizedMarketplaceUrlPrefix = DOMPurify.sanitize(MARKETPLACE_URL_PREFIX)
return (
@@ -80,3 +82,3 @@
<div onClick={handleDownload} className='text-text-secondary system-md-regular hover:bg-state-base-hover cursor-pointer rounded-lg px-3 py-1.5'>{t('common.operation.download')}</div>
<a href={`${MARKETPLACE_URL_PREFIX}/plugins/${author}/${name}`} target='_blank' className='text-text-secondary system-md-regular hover:bg-state-base-hover block cursor-pointer rounded-lg px-3 py-1.5'>{t('common.operation.viewDetails')}</a>
<a href={`${sanitizedMarketplaceUrlPrefix}/plugins/${author}/${name}`} target='_blank' className='text-text-secondary system-md-regular hover:bg-state-base-hover block cursor-pointer rounded-lg px-3 py-1.5'>{t('common.operation.viewDetails')}</a>
</div>
web/package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/web/package.json b/web/package.json
--- a/web/package.json
+++ b/web/package.json
@@ -122,3 +122,4 @@
         "zundo": "^2.1.0",
-        "zustand": "^4.5.2"
+        "zustand": "^4.5.2",
+        "dompurify": "^3.2.4"
     },
EOF
@@ -122,3 +122,4 @@
"zundo": "^2.1.0",
"zustand": "^4.5.2"
"zustand": "^4.5.2",
"dompurify": "^3.2.4"
},
This fix introduces these dependencies
Package Version Security advisories
dompurify (npm) 3.2.4 None
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.