mirror of
https://github.com/Comfy-Org/ComfyUI-Manager.git
synced 2026-06-20 14:59:22 +08:00
fca7ef149d
Some checks failed
Python Linting / Run Ruff (push) Has been cancelled
* feat(security): dedicated install flags decouple git_url/pip from security_level
Install via git URL and pip install are no longer gated by
security_level. Each surface gets a dedicated config.ini flag —
allow_git_url_install / allow_pip_install (both default false, secure
by default) — that fully REPLACES the security-level term for these two
features. The network-position invariant is retained: a non-local
listener stays denied regardless of the flags unless
network_mode = personal_cloud.
- New pure predicate is_dedicated_install_allowed() in
common/manager_security (no config access; callers resolve config)
- Legacy endpoints /v2/customnode/install/git_url and .../pip switch
from is_allowed_security_level('high+') to the flag gate; batch
installs of unknown git URLs likewise (middle+ entry gate unchanged,
unknown-pip 'block' stays unconditional; response shapes preserved)
- Config readers/writers (glob + legacy) parse and persist the flags;
denial logs and frontend 403 messages name the responsible flag and
note the non-local-listener requirement (network_mode=personal_cloud)
- No auto-seed from security_level — users previously on weak/normal-
must opt in explicitly (see CHANGELOG migration notes; README
documents the new contract)
- Update the pre-existing permissive E2E harness
(start_comfyui_permissive.sh + test_e2e_legacy_real_ops.py) to the
new contract: it now also sets allow_git_url_install /
allow_pip_install = true, since security_level = normal- alone no
longer opens the git_url/pip endpoints
Tests: predicate truth table proving security_level independence in
both directions, dual-reader config contract, security-level-matrix
freeze guards, legacy gate regression guards (121 unit), plus 22
real-server E2E tests incl. URL-form pip install with self-clean.
* test(e2e): fix fresh-env failures in customnode_info and git_clone harnesses
Two pre-existing harness defects that fail deterministically on a fresh
E2E environment (unrelated to the dedicated-install-flags change):
- test_e2e_customnode_info: TestInstalledPacks asserted the seed pack
ComfyUI_SigmoidOffsetScheduler is installed, but nothing seeded it —
the installing module (test_e2e_endpoint) runs alphabetically later
and uninstalls it at the end. Add a module-scoped autouse fixture
that installs the pack via cm-cli BEFORE the server starts (the
imported-mode test asserts against the startup-frozen snapshot, so
API-based seeding after boot cannot work) and removes it on teardown
only if the fixture installed it.
- test_e2e_git_clone: _ensure_cache ran cm-cli update-cache with a
120s timeout; the full DB download routinely exceeds that on slow
links, erroring the whole module at setup. Raise to 600s.
Verified from a fresh state (seed pack absent): both modules pass
(13 tests, incl. previously-failing TestInstalledPacks 2 and
TestNightlyInstallCycle 3).
87 lines
3.8 KiB
Bash
Executable File
87 lines
3.8 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# start_comfyui_permissive.sh — Launch ComfyUI in PERMISSIVE security mode
|
|
# for WI-YY real-E2E tests of `high+` gated endpoints.
|
|
#
|
|
# Patches `security_level = normal-` into the manager config.ini before
|
|
# launching (with backup of original value), then delegates to
|
|
# start_comfyui.sh with ENABLE_LEGACY_UI=1 (wi-037 and wi-038 are
|
|
# legacy-only routes). The corresponding stop_comfyui.sh teardown should
|
|
# be paired with restore_config() inside the pytest fixture — this
|
|
# script does NOT restore on its own, so fixture teardown MUST cleanup.
|
|
#
|
|
# Why permissive mode is needed:
|
|
# - wi-014 POST /v2/comfyui_manager/comfyui_switch_version checks
|
|
# is_allowed_security_level('high+'): at is_local_mode=True
|
|
# (127.0.0.1 listen) the gate requires security_level ∈ {weak,
|
|
# normal-}. Default `security_level = normal` fails (403).
|
|
# - wi-037 POST /v2/customnode/install/git_url and
|
|
# wi-038 POST /v2/customnode/install/pip are gated by the dedicated
|
|
# config.ini flags `allow_git_url_install` / `allow_pip_install`
|
|
# (goal265 / #2962) — independent of security_level, default false
|
|
# (403).
|
|
# Patching security_level = normal- plus both flags = true allows real
|
|
# E2E execution of these endpoints with fixed, trusted inputs (never
|
|
# test-input-derived URLs).
|
|
#
|
|
# SECURITY NOTE:
|
|
# The endpoints are gated at high+ because they execute arbitrary remote
|
|
# code (git clone / pip install / version switch). This harness opens
|
|
# the gate ONLY in the E2E sandbox with HARDCODED trusted inputs
|
|
# (ComfyUI_examples repo; text-unidecode package). Never use with
|
|
# user-input-derived inputs — the 403 contract at default security is
|
|
# the positive-path security behavior we want to preserve in production.
|
|
#
|
|
# Input env vars (forwarded to start_comfyui.sh):
|
|
# E2E_ROOT — required
|
|
# PORT — default 8199
|
|
# TIMEOUT — default 120
|
|
#
|
|
# Output (last line on success, inherited from start_comfyui.sh):
|
|
# COMFYUI_PID=<pid> PORT=<port>
|
|
#
|
|
# Exit: 0=ready, 1=timeout/failure
|
|
#
|
|
# Side effect: $E2E_ROOT/comfyui/user/__manager/config.ini gets
|
|
# `security_level = normal-`, `allow_git_url_install = true` and
|
|
# `allow_pip_install = true`. The original config is preserved at
|
|
# config.ini.before-permissive for the fixture to restore on teardown.
|
|
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
|
|
[[ -n "${E2E_ROOT:-}" ]] || { echo "[start_comfyui_permissive] ERROR: E2E_ROOT is not set" >&2; exit 1; }
|
|
|
|
CONFIG="$E2E_ROOT/comfyui/user/__manager/config.ini"
|
|
BACKUP="$CONFIG.before-permissive"
|
|
|
|
[[ -f "$CONFIG" ]] || { echo "[start_comfyui_permissive] ERROR: config not found at $CONFIG" >&2; exit 1; }
|
|
|
|
# Preserve original config so the fixture can restore it on teardown.
|
|
# If a previous run left a backup, do NOT overwrite.
|
|
if [[ ! -f "$BACKUP" ]]; then
|
|
cp "$CONFIG" "$BACKUP"
|
|
echo "[start_comfyui_permissive] Backed up original config to $BACKUP"
|
|
fi
|
|
|
|
# Patch security_level to normal- (idempotent).
|
|
if grep -qE '^security_level\s*=' "$CONFIG"; then
|
|
sed -i -E 's/^security_level\s*=.*/security_level = normal-/' "$CONFIG"
|
|
else
|
|
sed -i -E '/^\[default\]/a security_level = normal-' "$CONFIG"
|
|
fi
|
|
echo "[start_comfyui_permissive] Patched security_level = normal- in $CONFIG"
|
|
|
|
# Patch the dedicated install flags (goal265 / #2962): install/git_url and
|
|
# install/pip are gated by these flags instead of security_level (idempotent).
|
|
for flag in allow_git_url_install allow_pip_install; do
|
|
if grep -qE "^${flag}\s*=" "$CONFIG"; then
|
|
sed -i -E "s/^${flag}\s*=.*/${flag} = true/" "$CONFIG"
|
|
else
|
|
sed -i -E "/^\[default\]/a ${flag} = true" "$CONFIG"
|
|
fi
|
|
done
|
|
echo "[start_comfyui_permissive] Patched allow_git_url_install/allow_pip_install = true in $CONFIG"
|
|
|
|
exec env ENABLE_LEGACY_UI=1 bash "$SCRIPT_DIR/start_comfyui.sh" "$@"
|