From c3eed981c0663db61a5cbbe1e1b4a0e427c76ad5 Mon Sep 17 00:00:00 2001
From: "Dr.Lt.Data"
Date: Wed, 12 Mar 2025 21:24:31 +0900
Subject: [PATCH] fixed: robust validation when model downloading #2

---
 glob/manager_core.py | 2 +-
 glob/manager_server.py | 4 ++++
 pyproject.toml | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/glob/manager_core.py b/glob/manager_core.py
index 515bdcdd..c5d3f467 100644
--- a/glob/manager_core.py
+++ b/glob/manager_core.py
@@ -43,7 +43,7 @@ import manager_downloader
 from node_package import InstalledNodePackage
-version_code = [3, 30, 8]
+version_code = [3, 30, 9]
 version_str = f"V{version_code[0]}.{version_code[1]}" + (f'.{version_code[2]}' if len(version_code) > 2 else '')
diff --git a/glob/manager_server.py b/glob/manager_server.py
index 6cb81aa2..ec5167a1 100644
--- a/glob/manager_server.py
+++ b/glob/manager_server.py
@@ -279,6 +279,10 @@ def get_model_dir(data, show_log=False) -> str | None:
 else:
 models_base = folder_paths.models_dir
+ # NOTE: Validate to prevent path traversal.
+ if any(char in data['filename'] for char in {'/', '\\', ':'}):
+ return None
+
 def resolve_custom_node(save_path):
 save_path = save_path[13:] # remove 'custom_nodes/'
diff --git a/pyproject.toml b/pyproject.toml
index 8f2e56d3..3b9390f2 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,7 +1,7 @@
 [project]
 name = "comfyui-manager"
 description = "ComfyUI-Manager provides features to install and manage custom nodes for ComfyUI, as well as various functionalities to assist with ComfyUI."
-version = "3.30.8"
+version = "3.30.9"
 license = { file = "LICENSE.txt" }
 dependencies = ["GitPython", "PyGithub", "matrix-client==0.4.0", "transformers", "huggingface-hub>0.20", "typer", "rich", "typing-extensions", "toml", "uv", "chardet"]
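Review bot: The new separator denylist in the manager_server.py hunk still lets `..` (and an empty name) through, and joining `..` onto the returned directory points at the parent of the models directory, so the guard should also reject those: `filename = data.get('filename', '')` followed by `if not filename or filename in ('.', '..') or any(c in filename for c in '/\\:\0'): return None`. Reading via `data.get` also avoids the `KeyError` that the current `data['filename']` raises for a request that omits the field, which turns a validation failure into a server error. Since this function only yields a directory and the join with the filename happens elsewhere, a containment check at the write site (`os.path.realpath` of the final path against `os.path.commonpath` with `models_base`) would catch whatever a character filter misses; whether `save_path` (consumed by `resolve_custom_node`) is equally caller-controlled is not visible here and would need the same treatment if so. `get_model_dir` begins and ends outside this hunk.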