wangbo/ComfyUI
1
0
Fork 0
mirror of https://github.com/comfyanonymous/ComfyUI.git synced 2026-02-07 03:52:32 +08:00
Code Issues Actions 15 Packages Projects Releases Wiki Activity

Fix path traversal validation to return 400 instead of 500

Browse Source 
Catch ValueError from resolve_destination_from_tags in the upload
endpoint so that invalid path components like '..' return a 400
BAD_REQUEST error instead of falling through to the 500 handler.

Amp-Thread-ID: https://ampcode.com/threads/T-019c2af2-7c87-7263-88b0-9feca1c31b3c
Co-authored-by: Amp <amp@ampcode.com>
This commit is contained in:
Luke Mino-Altherr 2026-02-04 15:24:51 -08:00
parent abeec3072b
commit 16b5d9112b
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
app/assets/api/routes.py
View File

@ -386,6 +386,9 @@ async def upload_asset(request: web.Request) -> web.Response:
except AssetValidationError as e: except AssetValidationError as e:
_delete_temp_file_if_exists(parsed.tmp_path) _delete_temp_file_if_exists(parsed.tmp_path)
return _build_error_response(400, e.code, str(e)) return _build_error_response(400, e.code, str(e))
except ValueError as e:
_delete_temp_file_if_exists(parsed.tmp_path)
return _build_error_response(400, "BAD_REQUEST", str(e))
except HashMismatchError as e: except HashMismatchError as e:
_delete_temp_file_if_exists(parsed.tmp_path) _delete_temp_file_if_exists(parsed.tmp_path)
return _build_error_response(400, "HASH_MISMATCH", str(e)) return _build_error_response(400, "HASH_MISMATCH", str(e))