mirror of https://github.com/Comfy-Org/ComfyUI-Manager.git synced 2026-05-10 09:02:30 +08:00

History

Dr.Lt.Data 8eb773e39b fix(security): register extension.manager.supports_csrf_post feature flag (4.2.1) Expose CSRF-POST backend capability as a semantic contract via ComfyUI core's feature_flags mechanism, so frontends (ComfyUI_frontend, extensions) can detect it without parsing version strings. Pre-4.2.1 Manager does not set the flag — clients observe its absence and should treat the backend as "incompatible with POST-only state-mutation endpoints" and prompt the user to upgrade. Follow-up patch to 4.2 (PR #2818); no endpoint or security behavior change. Reported-by: XlabAI Team of Tencent Xuanwu Lab CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)		2026-04-22 09:24:19 +09:00
..
common	fix(security): harden CSRF with Content-Type gate and expand E2E coverage (#2818 )	2026-04-22 05:04:30 +09:00
data_models	fix(security): harden CSRF with Content-Type gate and expand E2E coverage (#2818 )	2026-04-22 05:04:30 +09:00
glob	fix(security): harden CSRF with Content-Type gate and expand E2E coverage (#2818 )	2026-04-22 05:04:30 +09:00
js	fix(security): harden CSRF with Content-Type gate and expand E2E coverage (#2818 )	2026-04-22 05:04:30 +09:00
legacy	fix(security): harden CSRF with Content-Type gate and expand E2E coverage (#2818 )	2026-04-22 05:04:30 +09:00
__init__.py	fix(security): register extension.manager.supports_csrf_post feature flag (4.2.1)	2026-04-22 09:24:19 +09:00
alter-list.json	Merge branch 'main' into draft-v4	2025-09-03 01:24:47 +09:00
channels.list.template	fixed: missing channels.list.template	2025-04-23 08:58:47 +09:00
custom-node-list.json	Merge branch 'main' into manager-v4	2025-11-26 22:14:11 +09:00
extension-node-map.json	Merge branch 'main' into manager-v4	2025-11-26 22:14:11 +09:00
extras.json	Merge branch 'main' into draft-v4	2025-09-03 01:24:47 +09:00
github-stats.json	Merge branch 'main' into manager-v4	2025-11-26 22:14:11 +09:00
model-list.json	Merge branch 'main' into manager-v4	2025-11-26 22:14:11 +09:00
prestartup_script.py	feat(deps): add unified dependency resolver using uv pip compile (#2589 )	2026-03-07 06:51:53 +09:00
README.md	Merge branch 'main' into draft-v4	2025-06-01 06:23:11 +09:00

README.md

ComfyUI-Manager: Core Backend (glob)

This directory contains the Python backend modules that power ComfyUI-Manager, handling the core functionality of node management, downloading, security, and server operations.

Directory Structure

glob/ - code for new cacheless ComfyUI-Manager
legacy/ - code for legacy ComfyUI-Manager

Core Modules

manager_core.py: The central implementation of management functions, handling configuration, installation, updates, and node management.
manager_server.py: Implements server functionality and API endpoints for the web interface to interact with the backend.

Specialized Modules

share_3rdparty.py: Manages integration with third-party sharing platforms.

Architecture

The backend follows a modular design pattern with clear separation of concerns:

Core Layer: Manager modules provide the primary API and business logic
Utility Layer: Helper modules provide specialized functionality
Integration Layer: Modules that connect to external systems

Security Model

The system implements a comprehensive security framework with multiple levels:

Block: Highest security - blocks most remote operations
High: Allows only specific trusted operations
Middle: Standard security for most users
Normal-: More permissive for advanced users
Weak: Lowest security for development environments

Implementation Details

The backend is designed to work seamlessly with ComfyUI
Asynchronous task queuing is implemented for background operations
The system supports multiple installation modes
Error handling and risk assessment are integrated throughout the codebase

API Integration

The backend exposes a REST API via manager_server.py that enables:

Custom node management (install, update, disable, remove)
Model downloading and organization
System configuration
Snapshot management
Workflow component handling