mirror of
https://github.com/Comfy-Org/ComfyUI-Manager.git
synced 2026-01-10 22:20:50 +08:00
ef8703a3d7
- Add is_safe_path_target() and get_safe_file_path() utilities - Validate history id and snapshot target parameters in API endpoints - Sanitize config string values to prevent CRLF injection
68 lines
2.6 KiB
Python
68 lines
2.6 KiB
Python
from comfyui_manager.glob import manager_core as core
|
|
from comfy.cli_args import args
|
|
from comfyui_manager.data_models import SecurityLevel, RiskLevel, ManagerDatabaseSource
|
|
from comfyui_manager.common.manager_security import (
|
|
is_loopback,
|
|
is_safe_path_target,
|
|
get_safe_file_path,
|
|
)
|
|
|
|
# Re-export for backward compatibility
|
|
__all__ = ['is_loopback', 'is_safe_path_target', 'get_safe_file_path', 'is_allowed_security_level', 'get_risky_level']
|
|
|
|
|
|
def is_allowed_security_level(level):
|
|
is_local_mode = is_loopback(args.listen)
|
|
is_personal_cloud = core.get_config()['network_mode'].lower() == 'personal_cloud'
|
|
|
|
if level == RiskLevel.block.value:
|
|
return False
|
|
elif level == RiskLevel.high_.value:
|
|
if is_local_mode:
|
|
return core.get_config()['security_level'] in [SecurityLevel.weak.value, SecurityLevel.normal_.value]
|
|
elif is_personal_cloud:
|
|
return core.get_config()['security_level'] == SecurityLevel.weak.value
|
|
else:
|
|
return False
|
|
elif level == RiskLevel.high.value:
|
|
if is_local_mode:
|
|
return core.get_config()['security_level'] in [SecurityLevel.weak.value, SecurityLevel.normal_.value]
|
|
else:
|
|
return core.get_config()['security_level'] == SecurityLevel.weak.value
|
|
elif level == RiskLevel.middle_.value:
|
|
if is_local_mode or is_personal_cloud:
|
|
return core.get_config()['security_level'] in [SecurityLevel.weak.value, SecurityLevel.normal.value, SecurityLevel.normal_.value]
|
|
else:
|
|
return False
|
|
elif level == RiskLevel.middle.value:
|
|
return core.get_config()['security_level'] in [SecurityLevel.weak.value, SecurityLevel.normal.value, SecurityLevel.normal_.value]
|
|
else:
|
|
return True
|
|
|
|
|
|
async def get_risky_level(files, pip_packages):
|
|
json_data1 = await core.get_data_by_mode(ManagerDatabaseSource.local.value, "custom-node-list.json")
|
|
json_data2 = await core.get_data_by_mode(
|
|
ManagerDatabaseSource.cache.value,
|
|
"custom-node-list.json",
|
|
channel_url="https://raw.githubusercontent.com/ltdrdata/ComfyUI-Manager/main",
|
|
)
|
|
|
|
all_urls = set()
|
|
for x in json_data1["custom_nodes"] + json_data2["custom_nodes"]:
|
|
all_urls.update(x.get("files", []))
|
|
|
|
for x in files:
|
|
if x not in all_urls:
|
|
return RiskLevel.high_.value
|
|
|
|
all_pip_packages = set()
|
|
for x in json_data1["custom_nodes"] + json_data2["custom_nodes"]:
|
|
all_pip_packages.update(x.get("pip", []))
|
|
|
|
for p in pip_packages:
|
|
if p not in all_pip_packages:
|
|
return RiskLevel.block.value
|
|
|
|
return RiskLevel.middle_.value
|