mirror of
https://github.com/Comfy-Org/ComfyUI-Manager.git
synced 2026-05-09 00:22:51 +08:00
4410ebc6a6
Defense-in-depth over GET→POST alone: reject the three CORS-safelisted simple-form Content-Types (x-www-form-urlencoded, multipart/form-data, text/plain) on 16 no-body POST handlers (glob + legacy) to block <form method=POST> CSRF that bypasses method-only gating. Move comfyui_switch_version to a JSON body so the preflight requirement applies. Split db_mode/policy/update/channel_url_list into GET(read) + POST(write). Tighten do_fix (high → high+) and gate three previously-ungated config setters at middle. Resynchronize openapi.yaml (27 paths, 30 operations, ComfyUISwitchVersionParams as a shared $ref component). Add E2E harness variants, Playwright config, CSRF/secgate suites, 39-endpoint coverage, and a CHANGELOG. Breaking: legacy per-op POST routes (install/uninstall/fix/disable/update/ reinstall/abort_current) are removed; callers already use queue/batch. Legacy /manager/notice (v1) is removed; /v2/manager/notice is retained. Reported-by: XlabAI Team of Tencent Xuanwu Lab CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
57 lines
2.5 KiB
Python
57 lines
2.5 KiB
Python
|
|
SECURITY_MESSAGE_MIDDLE = "ERROR: To use this action, a security_level of `normal or below` is required. Please contact the administrator.\nReference: https://github.com/ltdrdata/ComfyUI-Manager#security-policy"
|
|
SECURITY_MESSAGE_MIDDLE_P = "ERROR: To use this action, security_level must be `normal or below`, and network_mode must be set to `personal_cloud`. Please contact the administrator.\nReference: https://github.com/ltdrdata/ComfyUI-Manager#security-policy"
|
|
SECURITY_MESSAGE_HIGH_P = "ERROR: To use this action, '--listen' must be set to a local IP and security_level must be 'normal-' or lower. Please contact the administrator.\nReference: https://github.com/ltdrdata/ComfyUI-Manager#security-policy"
|
|
SECURITY_MESSAGE_NORMAL_MINUS = "ERROR: To use this feature, you must either set '--listen' to a local IP and set the security level to 'normal-' or lower, or set the security level to 'middle' or 'weak'. Please contact the administrator.\nReference: https://github.com/ltdrdata/ComfyUI-Manager#security-policy"
|
|
SECURITY_MESSAGE_GENERAL = "ERROR: This installation is not allowed in this security_level. Please contact the administrator.\nReference: https://github.com/ltdrdata/ComfyUI-Manager#security-policy"
|
|
SECURITY_MESSAGE_NORMAL_MINUS_MODEL = "ERROR: Downloading models that are not in '.safetensors' format is only allowed for models registered in the 'default' channel at this security level. If you want to download this model, set the security level to 'normal-' or lower."
|
|
|
|
|
|
def is_loopback(address):
|
|
import ipaddress
|
|
|
|
try:
|
|
return ipaddress.ip_address(address).is_loopback
|
|
except ValueError:
|
|
return False
|
|
|
|
|
|
model_dir_name_map = {
|
|
"checkpoints": "checkpoints",
|
|
"checkpoint": "checkpoints",
|
|
"unclip": "checkpoints",
|
|
"text_encoders": "text_encoders",
|
|
"clip": "text_encoders",
|
|
"vae": "vae",
|
|
"lora": "loras",
|
|
"t2i-adapter": "controlnet",
|
|
"t2i-style": "controlnet",
|
|
"controlnet": "controlnet",
|
|
"clip_vision": "clip_vision",
|
|
"gligen": "gligen",
|
|
"upscale": "upscale_models",
|
|
"embedding": "embeddings",
|
|
"embeddings": "embeddings",
|
|
"unet": "diffusion_models",
|
|
"diffusion_model": "diffusion_models",
|
|
}
|
|
|
|
# List of all model directory names used for checking installed models
|
|
MODEL_DIR_NAMES = [
|
|
"checkpoints",
|
|
"loras",
|
|
"vae",
|
|
"text_encoders",
|
|
"diffusion_models",
|
|
"clip_vision",
|
|
"embeddings",
|
|
"diffusers",
|
|
"vae_approx",
|
|
"controlnet",
|
|
"gligen",
|
|
"upscale_models",
|
|
"hypernetworks",
|
|
"photomaker",
|
|
"classifiers",
|
|
]
|