fixed: robust validation when model downloading #2

2025-12-16 18:02:58 +08:00 · 2025-03-12 21:24:31 +09:00 · 2025-03-12 21:24:31 +09:00 · c3eed981c0
commit c3eed981c0
parent bbb54d4a08
3 changed files with 6 additions and 2 deletions
--- a/glob/manager_core.py
+++ b/glob/manager_core.py
@ -43,7 +43,7 @@ import manager_downloader
 from node_package import InstalledNodePackage


-version_code = [3, 30, 8]
+version_code = [3, 30, 9]
 version_str = f"V{version_code[0]}.{version_code[1]}" + (f'.{version_code[2]}' if len(version_code) > 2 else '')


--- a/glob/manager_server.py
+++ b/glob/manager_server.py
@ -279,6 +279,10 @@ def get_model_dir(data, show_log=False) -> str | None:
    else:
        models_base = folder_paths.models_dir

+    # NOTE: Validate to prevent path traversal.
+    if any(char in data['filename'] for char in {'/', '\\', ':'}):
+        return None
+
    def resolve_custom_node(save_path):
        save_path = save_path[13:] # remove 'custom_nodes/'

--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,7 +1,7 @@
 [project]
 name = "comfyui-manager"
 description = "ComfyUI-Manager provides features to install and manage custom nodes for ComfyUI, as well as various functionalities to assist with ComfyUI."
-version = "3.30.8"
+version = "3.30.9"
 license = { file = "LICENSE.txt" }
 dependencies = ["GitPython", "PyGithub", "matrix-client==0.4.0", "transformers", "huggingface-hub>0.20", "typer", "rich", "typing-extensions", "toml", "uv", "chardet"]