wangbo/ComfyUI-Manager
1
0
Fork 0
mirror of https://github.com/Comfy-Org/ComfyUI-Manager.git synced 2026-06-22 15:59:18 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
6288fb0e2a
ComfyUI-Manager/CHANGELOG.md
Dr.Lt.Data 6288fb0e2a feat(security): add dedicated install flags decoupled from security_level 
Gate 'install via git URL' and 'install via pip' with dedicated opt-in
boolean flags (allow_git_url_install / allow_pip_install) in config.ini
[default], fully replacing the security_level term on those surfaces
(REPLACE, not AND — a strict level no longer denies when the flag is on;
a weak level no longer allows when the flag is off).

- glob/manager_server.py: pure predicate is_dedicated_install_allowed
  (flag AND loopback, request-time args.listen); REPLACE gates at
  /customnode/install/git_url and /customnode/install/pip; batch
  unknown-URL arm routes through the same full predicate at the risky
  position (loopback term is load-bearing — the middle entry gate has
  no network-position term; the entry gate itself stays in force);
  unknown-pip in batch stays unconditionally blocked; new
  SECURITY_MESSAGE_FLAG_* denial constants name the responsible flag;
  security_403_response gains flag_token (comfyui_outdated keeps precedence)
- glob/manager_core.py: register both keys (read via get_bool default-false,
  write list, exception fallback); "true"-only truthy; restart-only activation
- js/common.js: 403 dialog copy names the responsible flag at the two
  install call sites
- README.md: security-policy docs for both flags (per-surface scope incl.
  the batch entry-gate qualifier, REPLACE decoupling, loopback bound,
  opt-in config snippet, default-deny + migration note); stale tier lists
  corrected against the actual gates
- CHANGELOG.md: opt-in migration note + accepted residual risk (flags
  bypass the forced-strong outdated-ComfyUI hardening on loopback,
  opt-in only), decoupling claim qualified for the batch entry gate

Tests: unit suite (predicate truth table, REPLACE litmus both directions,
AST binding-proofs against live handlers, subprocess-isolated config
contract) plus a real-server E2E suite that mounts the Manager-under-test
via git worktree (exact-SHA pin, detached) against a real ComfyUI and
exercises both flag surfaces and both arms — deny arms (403 + flag-naming
body/log + no install artifact), git-URL allow arm (real clone), pip allow
arm as a two-phase reservation oracle — with zero-residual self-clean.
Module skips without E2E_COMFYUI_ROOT; unit suite unaffected.

The manager-v4 branch ships the identical policy (shared invariants +
config contract); this tree uses the degraded predicate 'flag AND
loopback' (no personal_cloud-equivalent mode here).
2026-06-15 02:44:26 +09:00

2.8 KiB
Raw Blame History

Changelog

Unreleased

Security policy: dedicated install flags (allow_git_url_install / allow_pip_install)

Two new boolean keys in config.ini ([default] section), both defaulting to false, now govern the arbitrary-install surfaces:

Flag Governs
allow_git_url_install POST /customnode/install/git_url and the unknown-git-URL arm of POST /manager/queue/install (incl. reinstall delegation) — the entire install transaction, transitive dependency pip installs included. On the batch queue path the flag applies in addition to the queue's security_level entry gate (see below)
allow_pip_install POST /customnode/install/pip only

These surfaces additionally require a loopback listener (--listen on a local IP); the flags never open a non-loopback deployment. On the two direct endpoints (POST /customnode/install/git_url and POST /customnode/install/pip), the flags fully decouple the surface from security_level: it no longer has any effect in either direction — a strict level cannot deny them when the flag is true, and a weak level cannot allow them when the flag is false. On the batch queue path (POST /manager/queue/install), the flag is necessary but not sufficient: it gates the unknown-git-URL arm at the risky position, while the queue's normal security_level entry gate (middle) remains in force — at security_level = strong, batch unknown-URL installs stay denied even with the flag set to true. security_level continues to govern every other gated endpoint unchanged. Only the case-insensitive string true enables a flag; a missing or malformed key reads as false.

Migration note (no auto-seed)

There is no automatic migration from security_level. Users who previously relied on security_level = weak (or normal-) to use install-via-git-URL / install-pip must now opt in explicitly by adding to config.ini:

[default]
allow_git_url_install = true
allow_pip_install = true

Changes take effect after a restart (no hot reload).

Residual-risk note — outdated ComfyUI behavior change

On outdated ComfyUI versions (no system-user API), the manager previously forced security_level = strong, which unconditionally denied the git-URL/pip install surfaces. After this change those surfaces are governed by the new flags instead: an operator who explicitly sets a flag to true on a loopback listener can now perform installs on outdated ComfyUI where the forced-strong policy previously denied them. This is an accepted, deliberate trade-off: it requires explicit operator opt-in, remains bounded to loopback listeners, and the flag-deny path on outdated ComfyUI still surfaces the comfyui_outdated notice. If you operate an outdated ComfyUI deployment, leave both flags at their default false and update ComfyUI.