wangbo/ComfyUI-Manager
1
0
Fork 0
mirror of https://github.com/Comfy-Org/ComfyUI-Manager.git synced 2026-05-09 00:22:51 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
manager-v4
ComfyUI-Manager/tests/playwright
History
Dr.Lt.Data 4410ebc6a6
Some checks are pending
Publish to PyPI / build-and-publish (push) Waiting to run
Details
Python Linting / Run Ruff (push) Waiting to run
Details
fix(security): harden CSRF with Content-Type gate and expand E2E coverage (#2818) 
Defense-in-depth over GET→POST alone: reject the three CORS-safelisted
simple-form Content-Types (x-www-form-urlencoded, multipart/form-data,
text/plain) on 16 no-body POST handlers (glob + legacy) to block
<form method=POST> CSRF that bypasses method-only gating. Move
comfyui_switch_version to a JSON body so the preflight requirement applies.
Split db_mode/policy/update/channel_url_list into GET(read) + POST(write).
Tighten do_fix (high → high+) and gate three previously-ungated config
setters at middle. Resynchronize openapi.yaml (27 paths, 30 operations,
ComfyUISwitchVersionParams as a shared $ref component). Add E2E harness
variants, Playwright config, CSRF/secgate suites, 39-endpoint coverage,
and a CHANGELOG.

Breaking: legacy per-op POST routes (install/uninstall/fix/disable/update/
reinstall/abort_current) are removed; callers already use queue/batch.
Legacy /manager/notice (v1) is removed; /v2/manager/notice is retained.

Reported-by: XlabAI Team of Tencent Xuanwu Lab
CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
2026-04-22 05:04:30 +09:00
..
helpers.ts fix(security): harden CSRF with Content-Type gate and expand E2E coverage (#2818) 2026-04-22 05:04:30 +09:00
legacy-ui-custom-nodes.spec.ts fix(security): harden CSRF with Content-Type gate and expand E2E coverage (#2818) 2026-04-22 05:04:30 +09:00
legacy-ui-install.spec.ts fix(security): harden CSRF with Content-Type gate and expand E2E coverage (#2818) 2026-04-22 05:04:30 +09:00
legacy-ui-manager-menu.spec.ts fix(security): harden CSRF with Content-Type gate and expand E2E coverage (#2818) 2026-04-22 05:04:30 +09:00
legacy-ui-model-manager.spec.ts fix(security): harden CSRF with Content-Type gate and expand E2E coverage (#2818) 2026-04-22 05:04:30 +09:00
legacy-ui-navigation.spec.ts fix(security): harden CSRF with Content-Type gate and expand E2E coverage (#2818) 2026-04-22 05:04:30 +09:00
legacy-ui-snapshot.spec.ts fix(security): harden CSRF with Content-Type gate and expand E2E coverage (#2818) 2026-04-22 05:04:30 +09:00
README.md fix(security): harden CSRF with Content-Type gate and expand E2E coverage (#2818) 2026-04-22 05:04:30 +09:00
TEST_SCENARIOS.md fix(security): harden CSRF with Content-Type gate and expand E2E coverage (#2818) 2026-04-22 05:04:30 +09:00

README.md

Playwright E2E Tests — Legacy Manager UI

Browser-based E2E tests for the ComfyUI-Manager legacy UI.

Prerequisites

  1. E2E environment built via python tests/e2e/scripts/setup_e2e_env.py
  2. Playwright installed: npx playwright install chromium
  3. ComfyUI running with legacy UI enabled:
E2E_ROOT=/tmp/e2e_full_test
PORT=8199
$E2E_ROOT/venv/bin/python $E2E_ROOT/comfyui/main.py \
  --listen 127.0.0.1 --port $PORT \
  --enable-manager-legacy-ui \
  --cpu

Running Tests

# With server already running:
PORT=8199 npx playwright test

# Single file:
PORT=8199 npx playwright test tests/playwright/legacy-ui-manager-menu.spec.ts

# Headed (visible browser):
PORT=8199 npx playwright test --headed

# Debug mode:
PORT=8199 npx playwright test --debug

Test Files

File Scenarios
legacy-ui-manager-menu.spec.ts Menu dialog rendering, settings dropdowns, API round-trip
legacy-ui-custom-nodes.spec.ts Node list grid, filter, search, footer buttons
legacy-ui-model-manager.spec.ts Model list grid, filter, search
legacy-ui-snapshot.spec.ts Snapshot list, save, remove
legacy-ui-navigation.spec.ts Dialog open/close, nested navigation, no duplicates