wangbo/ComfyUI-Manager
1
0
Fork 0
mirror of https://github.com/Comfy-Org/ComfyUI-Manager.git synced 2026-05-10 00:52:32 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
3472919604
ComfyUI-Manager/js
History
Dr.Lt.Data 491f847bbc
Some checks failed
Python Linting / Run Ruff (push) Has been cancelled
Details
fix(security): harden CSRF with Content-Type gate and OpenAPI sync (#2819) 
Defense-in-depth over GET→POST alone: reject the three CORS-safelisted
simple-form Content-Types (x-www-form-urlencoded, multipart/form-data,
text/plain) on 5 no-body POST handlers (snapshot/save,
manager/queue/{reset,start,update_comfyui}, manager/reboot) to block
<form method=POST> CSRF that bypasses method-only gating. Convert 10 pure
state-changing endpoints (fetch_updates, queue/{update_all,reset,start,
update_comfyui}, snapshot/{remove,restore,save}, comfyui_switch_version,
reboot) from GET to POST and split 5 config endpoints
(db_mode/preview_method/channel_url_list/policy/{component,update}) into
GET(read) + POST(write, JSON body). Emit the in_progress + done event pair
from the /manager/queue/install sync-enable fast-path so client UI
finalizes (previously only queue/start's empty worker done fired, leaving
item.restart unset and the Enable button visible after a successful enable).
Harden js/custom-nodes-manager.js completion path: await onQueueCompleted
with try/catch (surfaces silent turbogrid stale-item throws), replace the
{}.length == 0 no-op empty guard, set install_context before queue/install
to avoid a sync-completion race, wrap classList/updateCell in try/catch.
Resynchronize openapi.yaml with the converted routes (method → post, query
params → requestBody JSON schema, sibling post on 5 split endpoints).
Update 31 JS fetchApi call sites across 7 files; add
tests/test_csrf_content_type_helper.py covering 5 Content-Type cases via
aiohttp TestClient.

Reported-by: XlabAI Team of Tencent Xuanwu Lab
CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
2026-04-22 05:04:07 +09:00
..
cm-api.js fix(security): harden CSRF with Content-Type gate and OpenAPI sync (#2819) 2026-04-22 05:04:07 +09:00
comfyui-gui-builder.js Changed Main Dialog to match aesthetics and close button location as Original ComfyUI Interface (#2349) 2025-12-19 12:34:20 +09:00
comfyui-manager.js fix(security): harden CSRF with Content-Type gate and OpenAPI sync (#2819) 2026-04-22 05:04:07 +09:00
comfyui-share-common.js Merge branch 'main' into feat/cnr 2025-01-02 02:58:55 +09:00
comfyui-share-copus.js feat: change web icon (#2042) 2025-07-30 18:31:56 +09:00
comfyui-share-openart.js Merge branch 'main' into feat/cnr 2025-01-02 02:58:55 +09:00
comfyui-share-youml.js Merge branch 'main' into feat/cnr 2025-01-02 02:58:55 +09:00
common.js fix(security): harden CSRF with Content-Type gate and OpenAPI sync (#2819) 2026-04-22 05:04:07 +09:00
components-manager.js Fix handleFile monkeypatch for new frontend signature (#2640) 2026-02-27 01:49:20 +09:00
custom-nodes-manager.css Changed Main Dialog to match aesthetics and close button location as Original ComfyUI Interface (#2349) 2025-12-19 12:34:20 +09:00
custom-nodes-manager.js fix(security): harden CSRF with Content-Type gate and OpenAPI sync (#2819) 2026-04-22 05:04:07 +09:00
model-manager.css Changed Main Dialog to match aesthetics and close button location as Original ComfyUI Interface (#2349) 2025-12-19 12:34:20 +09:00
model-manager.js fix(security): harden CSRF with Content-Type gate and OpenAPI sync (#2819) 2026-04-22 05:04:07 +09:00
node_fixer.js Add workaround for delay in link connection (#1873) 2025-05-27 06:27:45 +09:00
popover-helper.js UI improvement (#1625) 2025-03-14 00:51:37 +09:00
README.md docs: fix typos and phrasing in README and docs (en/ko)\n\n- README: grammar, capitalization, option name (--skip-stat-update), double-click, macOS\n- js/README: Copus platform name\n- docs/en: Colab capitalization\n- docs/ko: spacing, wording, typos (예를, 명령, show를, etc.) (#2166) 2025-09-23 07:17:41 +09:00
snapshot.css Changed Main Dialog to match aesthetics and close button location as Original ComfyUI Interface (#2349) 2025-12-19 12:34:20 +09:00
snapshot.js fix(security): harden CSRF with Content-Type gate and OpenAPI sync (#2819) 2026-04-22 05:04:07 +09:00
turbogrid.esm.js Better model manager UI (#802) 2024-06-22 10:12:01 +09:00
workflow-metadata.js Update workflow-metadata.js 2025-04-23 17:24:07 -07:00

README.md

ComfyUI-Manager: Frontend (js)

This directory contains the JavaScript frontend implementation for ComfyUI-Manager, providing the user interface components that interact with the backend API.

Core Components

  • comfyui-manager.js: Main entry point that initializes the manager UI and integrates with ComfyUI.
  • custom-nodes-manager.js: Implements the UI for browsing, installing, and managing custom nodes.
  • model-manager.js: Handles the model management interface for downloading and organizing AI models.
  • components-manager.js: Manages reusable workflow components system.
  • snapshot.js: Implements the snapshot system for backing up and restoring installations.

Sharing Components

  • comfyui-share-common.js: Base functionality for workflow sharing features.
  • comfyui-share-copus.js: Integration with the ComfyUI Copus sharing platform.
  • comfyui-share-openart.js: Integration with the OpenArt sharing platform.
  • comfyui-share-youml.js: Integration with the YouML sharing platform.

Utility Components

  • cm-api.js: Client-side API wrapper for communication with the backend.
  • common.js: Shared utilities and helper functions used across the frontend.
  • node_fixer.js: Utilities for fixing disconnected links and repairing malformed nodes by recreating them while preserving connections.
  • popover-helper.js: UI component for popup tooltips and contextual information.
  • turbogrid.esm.js: Grid component library - https://github.com/cenfun/turbogrid
  • workflow-metadata.js: Handles workflow metadata parsing, validation and cross-repository compatibility including versioning, dependencies tracking, and resource management.

Architecture

The frontend follows a modular component-based architecture:

  1. Integration Layer: Connects with ComfyUI's existing UI system
  2. Manager Components: Individual functional UI components (node manager, model manager, etc.)
  3. Sharing Components: Platform-specific sharing implementations
  4. Utility Layer: Reusable UI components and helpers

Implementation Details

  • The frontend integrates directly with ComfyUI's UI system through app.js
  • Dialog-based UI for most manager functions to avoid cluttering the main interface
  • Asynchronous API calls to handle backend operations without blocking the UI

Styling

CSS files are included for specific components:

  • custom-nodes-manager.css: Styling for the node management UI
  • model-manager.css: Styling for the model management UI

This frontend implementation provides a comprehensive yet user-friendly interface for managing the ComfyUI ecosystem.