ComfyUI-Manager/glob
Dr.Lt.Data 491f847bbc
fix(security): harden CSRF with Content-Type gate and OpenAPI sync (#2819)
Defense-in-depth over GET→POST alone: reject the three CORS-safelisted
simple-form Content-Types (x-www-form-urlencoded, multipart/form-data,
text/plain) on 5 no-body POST handlers (snapshot/save,
manager/queue/{reset,start,update_comfyui}, manager/reboot) to block
<form method=POST> CSRF that bypasses method-only gating. Convert 10 pure
state-changing endpoints (fetch_updates, queue/{update_all,reset,start,
update_comfyui}, snapshot/{remove,restore,save}, comfyui_switch_version,
reboot) from GET to POST and split 5 config endpoints
(db_mode/preview_method/channel_url_list/policy/{component,update}) into
GET(read) + POST(write, JSON body). Emit the in_progress + done event pair
from the /manager/queue/install sync-enable fast-path so client UI
finalizes (previously only queue/start's empty worker done fired, leaving
item.restart unset and the Enable button visible after a successful enable).
Harden js/custom-nodes-manager.js completion path: await onQueueCompleted
with try/catch (surfaces silent turbogrid stale-item throws), replace the
{}.length == 0 no-op empty guard, set install_context before queue/install
to avoid a sync-completion race, wrap classList/updateCell in try/catch.
Resynchronize openapi.yaml with the converted routes (method → post, query
params → requestBody JSON schema, sibling post on 5 split endpoints).
Update 31 JS fetchApi call sites across 7 files; add
tests/test_csrf_content_type_helper.py covering 5 Content-Type cases via
aiohttp TestClient.

Reported-by: XlabAI Team of Tencent Xuanwu Lab
CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
2026-04-22 05:04:07 +09:00
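The Content-Type gate the commit message above describes, worked through as an added example. This is not ComfyUI-Manager's own code: it is a stdlib-only decision function in the shape a no-body POST handler (reboot, snapshot/save, the queue/* routes named in the commit) would call before doing any work, layered on the method check and on an Origin/Host comparison that the commit does not mention but that a practitioner would pair with it. Function names, the status codes chosen, the Host value and every request in the simulation are assumptions constructed for illustration; no real traffic is involved.

```python
"""Content-Type gate against <form method=POST> CSRF, layered on a method
check and an Origin/Host check. Added example, not ComfyUI-Manager code;
names, status codes and the constructed requests are assumptions."""
from typing import Mapping, Optional
from urllib.parse import urlsplit

# The only three Content-Types a cross-origin HTML form (or a no-cors fetch
# with a body) can send without a CORS preflight. Anything else, such as
# application/json, forces a preflight that the attacker's origin fails.
CORS_SAFELISTED_FORM_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})


def header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup over a plain dict (aiohttp's CIMultiDict does
    this itself; a dict keeps the example stand-alone)."""
    want = name.lower()
    for key, value in headers.items():
        if key.lower() == want:
            return value
    return None


def media_type(content_type: Optional[str]) -> str:
    """Media type of a Content-Type value: lowercased, trimmed, parameters
    such as charset= or boundary= dropped. Missing header -> ''."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def is_form_csrf_candidate(method: str, content_type: Optional[str]) -> bool:
    """True when a cross-site HTML form could have produced this request."""
    return method.upper() == "POST" and media_type(content_type) in CORS_SAFELISTED_FORM_TYPES


def origin_mismatch(headers: Mapping[str, str]) -> bool:
    """True when Origin is present and its host:port differs from Host.
    Browsers attach Origin to every cross-origin POST, so this catches what
    the Content-Type check cannot: a body-less
    fetch(url, {method: 'POST', mode: 'no-cors'}) carries no Content-Type
    at all. Origin 'null' (sandboxed frame) also mismatches. No Origin
    (curl, same-origin navigation) passes."""
    origin, host = header(headers, "Origin"), header(headers, "Host")
    if origin is None or host is None:
        return False
    return urlsplit(origin).netloc.lower() != host.lower()


def gate_no_body_post(method: str, headers: Mapping[str, str]) -> Optional[int]:
    """Return an HTTP status to reject with, or None to run the handler.
    405: not POST (the GET->POST conversion)
    415: POST whose Content-Type a cross-site form could have set
    403: Origin present and not equal to Host"""
    if method.upper() != "POST":
        return 405
    if is_form_csrf_candidate(method, header(headers, "Content-Type")):
        return 415
    if origin_mismatch(headers):
        return 403
    return None


def gate_json_post(method: str, headers: Mapping[str, str]) -> Optional[int]:
    """Stricter gate for write endpoints that take a JSON body (the split
    config routes): allowlist application/json instead of denylisting."""
    if method.upper() != "POST":
        return 405
    if media_type(header(headers, "Content-Type")) != "application/json":
        return 415
    if origin_mismatch(headers):
        return 403
    return None


HOST, SAME, EVIL = "127.0.0.1:8188", "http://127.0.0.1:8188", "https://attacker.example"

# Constructed requests: what a page on attacker.example can make a victim's
# browser send to a local ComfyUI, beside the manager UI's own same-origin calls.
CONSTRUCTED = {
    "img_tag_get":          ("GET",  {"Host": HOST}),
    "form_urlencoded":      ("POST", {"Host": HOST, "Origin": EVIL,
                                      "content-type": "application/x-www-form-urlencoded"}),
    "form_multipart":       ("POST", {"Host": HOST, "Origin": EVIL,
                                      "Content-Type": "multipart/form-data; boundary=----x"}),
    "form_text_plain":      ("POST", {"Host": HOST, "Origin": EVIL,
                                      "Content-Type": "Text/Plain; charset=UTF-8"}),
    "nocors_fetch_no_body": ("POST", {"Host": HOST, "Origin": EVIL}),
    "ui_post_no_body":      ("POST", {"Host": HOST, "Origin": SAME}),
    "ui_post_json":         ("POST", {"Host": HOST, "Origin": SAME,
                                      "Content-Type": "application/json"}),
}


def run_simulation() -> dict:
    """Verdict of gate_no_body_post for each constructed request."""
    return {name: gate_no_body_post(m, h) for name, (m, h) in CONSTRUCTED.items()}


if __name__ == "__main__":
    for name, verdict in run_simulation().items():
        print(f"{name:22s} -> {'allow' if verdict is None else verdict}")
```

The nocors_fetch_no_body case is the one to remember: the three-type denylist stops a `<form>`, but a no-cors `fetch` POST with no body sends no Content-Type and sails through a Content-Type-only gate, which is why the rejection must also rest on an Origin/Host check (or a token) and the commit rightly calls the gate defense in depth rather than a complete fix.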
cm_global.py fixed: robust initial caching 2025-03-01 01:06:17 +09:00
cnr_utils.py fixed: cnr_utils – fixed improper behavior of bypass_ssl 2025-07-24 02:15:31 +09:00
git_utils.py fixed: Issue where cloning Comfy-Org/ComfyUI-Manager would cause mismatches with ltdrdata/ComfyUI-Manager, resulting in it not being recognized properly. 2025-06-08 06:24:19 +09:00
manager_core.py fix(security): harden CSRF with Content-Type gate and OpenAPI sync (#2819) 2026-04-22 05:04:07 +09:00
manager_downloader.py modified: download_url - provide more informative error messages 2025-07-24 02:30:07 +09:00
manager_migration.py improved: display a more user-friendly message 2025-12-05 07:01:01 +09:00
manager_server.py fix(security): harden CSRF with Content-Type gate and OpenAPI sync (#2819) 2026-04-22 05:04:07 +09:00
manager_util.py improved: display a more user-friendly message 2025-12-05 07:01:01 +09:00
node_package.py ruff check 2024-12-22 01:52:20 +09:00
README.md [docs] Add README for glob directory (#1852) 2025-05-21 21:44:24 +09:00
security_check.py fix(security): add litellm supply chain attack detection and improve pip matching (#2731) 2026-03-26 04:17:46 +09:00
share_3rdparty.py fixed: ruff check 2025-07-25 07:26:48 +09:00

ComfyUI-Manager: Core Backend (glob)

This directory contains the Python backend modules that power ComfyUI-Manager, handling the core functionality of node management, downloading, security, and server operations.

Core Modules

  • manager_core.py: The central implementation of management functions, handling configuration, installation, updates, and node management.
  • manager_server.py: Implements server functionality and API endpoints for the web interface to interact with the backend.
  • manager_downloader.py: Handles downloading operations for models, extensions, and other resources.
  • manager_util.py: Provides utility functions used throughout the system.

Specialized Modules

  • cm_global.py: Maintains global variables and state management across the system.
  • cnr_utils.py: Helper utilities for interacting with the custom node registry (CNR).
  • git_utils.py: Git-specific utilities for repository operations.
  • node_package.py: Handles the packaging and installation of node extensions.
  • security_check.py: Checks the installed pip packages against known supply-chain compromises (its history includes detection for the litellm attack) and reports matches before nodes are installed or updated.
  • share_3rdparty.py: Manages integration with third-party sharing platforms.

Architecture

The backend follows a modular design pattern with clear separation of concerns:

  1. Core Layer: Manager modules provide the primary API and business logic
  2. Utility Layer: Helper modules provide specialized functionality
  3. Integration Layer: Modules that connect to external systems

Security Model

Permission is decided on two axes rather than a single slider. Each sensitive operation (installing from a git URL, running pip, updating or switching ComfyUI, restoring a snapshot, and so on) carries a risk class, and the operator configures a security_level that decides which classes are permitted. Whether the server listens only on localhost or is exposed on the network also enters the decision, with a network-exposed server treated more strictly at the same configured level.

  • Risk classes: block (refused at every level), high, middle and low (always permitted)
  • Configured security levels, from strictest to most permissive: strong, normal, normal- and weak
  • weak permits every non-blocked operation, strong only the low-risk ones; normal and normal- sit between, normal- being the more permissive of the two

Implementation Details

  • The backend runs inside the ComfyUI process and registers its routes on ComfyUI's aiohttp server rather than opening a port of its own
  • Long-running work (installs, updates, fixes) goes through an asynchronous task queue driven by the manager/queue/* routes, with in_progress and done events reporting progress to the UI
  • Nodes can be installed from the custom node registry (CNR), from the curated node list, or from a git URL, each subject to the security model
  • Every state-changing operation is checked against the configured security level before it runs, and failures are surfaced to the UI rather than taking down the host server

API Integration

manager_server.py exposes the backend as a REST API (documented in openapi.yaml) that the web UI calls through ComfyUI's fetchApi. Read-only operations are GET; anything that changes state (queueing installs or updates, saving or restoring snapshots, switching ComfyUI versions, rebooting, writing configuration) is POST, with a JSON body where input is needed, so that a cross-site link or form cannot trigger it. The API covers:

  • Custom node management (install, update, disable, remove)
  • Model downloading and organization
  • System configuration
  • Snapshot management
  • Workflow component handling