mirror of
https://github.com/Comfy-Org/ComfyUI-Manager.git
synced 2026-05-09 00:22:51 +08:00
Defense-in-depth over GET→POST alone: reject the three CORS-safelisted simple-form Content-Types (x-www-form-urlencoded, multipart/form-data, text/plain) on 16 no-body POST handlers (glob + legacy) to block <form method=POST> CSRF that bypasses method-only gating. Move comfyui_switch_version to a JSON body so the preflight requirement applies. Split db_mode/policy/update/channel_url_list into GET(read) + POST(write). Tighten do_fix (high → high+) and gate three previously-ungated config setters at middle. Resynchronize openapi.yaml (27 paths, 30 operations, ComfyUISwitchVersionParams as a shared $ref component). Add E2E harness variants, Playwright config, CSRF/secgate suites, 39-endpoint coverage, and a CHANGELOG. Breaking: legacy per-op POST routes (install/uninstall/fix/disable/update/reinstall/abort_current) are removed; callers already use queue/batch. Legacy /manager/notice (v1) is removed; /v2/manager/notice is retained. Reported-by: XlabAI Team of Tencent Xuanwu Lab CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
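The Content-Type gate the commit message above describes, written out as a framework-independent check so the reasoning can be run and tested. This is an added example, not ComfyUI-Manager's own code; the function names, the `json_body` flag and the sample requests are assumptions, and the JSON case models the `comfyui_switch_version` move to a JSON body.

```python
# Added example, not ComfyUI-Manager's own code; function and sample names are assumptions.
import json
from http import HTTPStatus

# The three Content-Types a browser may send cross-origin WITHOUT a CORS preflight
# (Fetch spec "CORS-safelisted"). A <form method=POST> can only produce these, so
# refusing them on no-body endpoints blocks form CSRF that a POST-only check misses.
SIMPLE_FORM_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})

def media_type(content_type):
    """Drop parameters (charset, boundary) and lower-case the media type."""
    if content_type is None:
        return None
    return content_type.split(";", 1)[0].strip().lower()

def gate(method, content_type, body=b"", json_body=False):
    """Return (status, reason) for a write endpoint; status None means allow.
    json_body=True models handlers moved to a JSON body (comfyui_switch_version):
    application/json is not safelisted, so a cross-origin call must pass preflight."""
    if method.upper() != "POST":
        return HTTPStatus.METHOD_NOT_ALLOWED, "writes are POST-only"
    mt = media_type(content_type)
    if mt in SIMPLE_FORM_TYPES:
        return HTTPStatus.UNSUPPORTED_MEDIA_TYPE, f"form-capable Content-Type {mt} refused"
    if json_body:
        if mt != "application/json":
            return HTTPStatus.UNSUPPORTED_MEDIA_TYPE, "application/json required"
        try:
            json.loads(body)
        except ValueError:
            return HTTPStatus.BAD_REQUEST, "malformed JSON"
    # A missing Content-Type is fine on a no-body handler: a same-origin fetch()
    # without a body sends none, whereas a <form> always sends one of the three.
    return None, "allowed"

# Constructed sample requests, shaped as a browser would emit them.
SAMPLES = {
    "form csrf":    ("POST", "application/x-www-form-urlencoded; charset=UTF-8", b"x=1", False),
    "multipart":    ("POST", "multipart/form-data; boundary=----abc", b"", False),
    "text/plain":   ("POST", "TEXT/PLAIN", b"", False),
    "xhr no body":  ("POST", None, b"", False),
    "json ok":      ("POST", "application/json", b'{"target": "v0.3.0"}', True),
    "json as form": ("POST", "text/plain", b'{"target": "v0.3.0"}', True),
}
def evaluate(samples=SAMPLES):
    """Map each sample to its gate status (None = allowed)."""
    return {name: gate(*args)[0] for name, args in samples.items()}
```

The three form-capable types are refused even when the endpoint is already POST-only, while a bodiless same-origin fetch() and a proper JSON request pass; the GET split and the `application/json` requirement are what force a cross-origin caller through a preflight the server can refuse.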
ComfyUI-Manager: Core Backend (glob)
This directory contains the Python backend modules that power ComfyUI-Manager, handling the core functionality of node management, downloading, security, and server operations.
Directory Structure
- glob/ - code for the new cacheless ComfyUI-Manager
- legacy/ - code for the legacy ComfyUI-Manager
Core Modules
- manager_core.py: The central implementation of management functions, handling configuration, installation, updates, and node management.
- manager_server.py: Implements server functionality and API endpoints for the web interface to interact with the backend.
Specialized Modules
- share_3rdparty.py: Manages integration with third-party sharing platforms.
Architecture
The backend follows a modular design pattern with clear separation of concerns:
- Core Layer: Manager modules provide the primary API and business logic
- Utility Layer: Helper modules provide specialized functionality
- Integration Layer: Modules that connect to external systems
Security Model
The system implements a comprehensive security framework with multiple levels:
- Block: Highest security - blocks most remote operations
- High: Allows only specific trusted operations
- Middle: Standard security for most users
- Normal-: More permissive for advanced users
- Weak: Lowest security for development environments
Implementation Details
- The backend is designed to work seamlessly with ComfyUI
- Asynchronous task queuing is implemented for background operations
- The system supports multiple installation modes
- Error handling and risk assessment are integrated throughout the codebase
API Integration
The backend exposes a REST API via manager_server.py that enables:
- Custom node management (install, update, disable, remove)
- Model downloading and organization
- System configuration
- Snapshot management
- Workflow component handling