mirror of
https://github.com/Comfy-Org/ComfyUI-Manager.git
synced 2026-05-09 00:22:51 +08:00
Defense-in-depth over GET→POST alone: reject the three CORS-safelisted simple-form Content-Types (x-www-form-urlencoded, multipart/form-data, text/plain) on 16 no-body POST handlers (glob + legacy) to block <form method=POST> CSRF that bypasses method-only gating. Move comfyui_switch_version to a JSON body so the preflight requirement applies. Split db_mode/policy/update/channel_url_list into GET(read) + POST(write). Tighten do_fix (high → high+) and gate three previously-ungated config setters at middle.

Resynchronize openapi.yaml (27 paths, 30 operations, ComfyUISwitchVersionParams as a shared $ref component). Add E2E harness variants, Playwright config, CSRF/secgate suites, 39-endpoint coverage, and a CHANGELOG.

Breaking: legacy per-op POST routes (install/uninstall/fix/disable/update/reinstall/abort_current) are removed; callers already use queue/batch. Legacy /manager/notice (v1) is removed; /v2/manager/notice is retained.

Reported-by: XlabAI Team of Tencent Xuanwu Lab
CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
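
The Content-Type gating the commit message describes, as an added Python illustration that is not ComfyUI-Manager's own code. The function names, the 400/415 status codes and the sample headers are assumptions constructed for this example.

```python
# Added illustration: hypothetical names, not ComfyUI-Manager's own code.

# Content-Types an HTML <form> can submit cross-origin without a CORS preflight.
SIMPLE_FORM_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})


def media_type(headers):
    """Lowercased type/subtype of Content-Type, without parameters; None if absent."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower() or None
    return None


def gate_no_body_post(headers):
    """Gate for a state-changing POST handler that reads no request body.

    Returns 400 when the request carries a form-style Content-Type, else 200
    (status codes are assumptions). A request with no Content-Type is passed
    on to the handler's other checks (assumption).
    """
    return 400 if media_type(headers) in SIMPLE_FORM_TYPES else 200


def gate_json_post(headers):
    """Gate for a handler that takes its parameters as a JSON body."""
    # application/json is not CORS-safelisted: a cross-origin script needs a
    # preflight to send it, and an HTML form cannot produce it at all.
    return 200 if media_type(headers) == "application/json" else 415


# Constructed sample requests: (description, headers).
SAMPLES = [
    ("UI fetch, no body", {}),
    ("UI fetch, JSON", {"Content-Type": "application/json"}),
    ("form, default enctype", {"content-type": "application/x-www-form-urlencoded"}),
    ("form, multipart", {"Content-Type": "multipart/form-data; boundary=----x"}),
    ("form, text/plain", {"Content-Type": "Text/Plain; charset=UTF-8"}),
]


def evaluate(samples=SAMPLES):
    """Return {description: (no_body_gate_status, json_gate_status)}."""
    return {d: (gate_no_body_post(h), gate_json_post(h)) for d, h in samples}
```

Matching on the media type alone, case-insensitively and without parameters, keeps a `boundary` or `charset` suffix from slipping a form submission past the check.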
75 lines
1.8 KiB
YAML
name: "E2E Tests on Multiple Platforms"

on:
  push:
    branches: [main, feat/*, fix/*]
    paths:
      - "comfyui_manager/**"
      - "cm_cli/**"
      - "tests/e2e/**"
      - ".github/workflows/e2e.yml"
  pull_request:
    branches: [main]
    paths:
      - "comfyui_manager/**"
      - "cm_cli/**"
      - "tests/e2e/**"
      - ".github/workflows/e2e.yml"
  workflow_dispatch:

permissions:
  contents: read

jobs:
  e2e:
    name: "E2E (${{ matrix.os }}, py${{ matrix.python-version }})"
    runs-on: ${{ matrix.os }}
    timeout-minutes: 15
    env:
      PYTHONIOENCODING: "utf8"

    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
        python-version: ["3.10"]

    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}

      - name: Install uv
        uses: astral-sh/setup-uv@v4

      - name: Set E2E_ROOT
        shell: bash
        run: |
          if [[ "$RUNNER_OS" == "Windows" ]]; then
            echo "E2E_ROOT=$RUNNER_TEMP\\e2e_env" >> "$GITHUB_ENV"
          else
            echo "E2E_ROOT=$RUNNER_TEMP/e2e_env" >> "$GITHUB_ENV"
          fi

      - name: Setup E2E environment
        shell: bash
        env:
          MANAGER_ROOT: ${{ github.workspace }}
        run: |
          python tests/e2e/scripts/setup_e2e_env.py

      - name: Run E2E tests
        shell: bash
        run: |
          if [[ "$RUNNER_OS" == "Windows" ]]; then
            VENV_PY="$E2E_ROOT/venv/Scripts/python.exe"
          else
            VENV_PY="$E2E_ROOT/venv/bin/python"
          fi
          uv pip install --python "$VENV_PY" pytest pytest-timeout

          "$VENV_PY" -m pytest tests/cli/test_uv_compile.py -v -s --timeout=300