From cf43a3a63e633c9e77bde0a6e1d8ef6fc0ed4f9d Mon Sep 17 00:00:00 2001
From: jakelodwick
Date: Sun, 5 Apr 2026 19:16:52 -0600
Subject: [PATCH] Use commonpath for path traversal check

Matches the pattern used in folder_paths.py and server.py. The startswith approach is vulnerable to sibling directory bypasses.
---
 comfy_extras/nodes_dataset.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/comfy_extras/nodes_dataset.py b/comfy_extras/nodes_dataset.py
index f7d9afbff..6a64b2166 100644
--- a/comfy_extras/nodes_dataset.py
+++ b/comfy_extras/nodes_dataset.py
@@ -1453,7 +1453,9 @@ class LoadTrainingDataset(io.ComfyNode):
         output_dir = folder_paths.get_output_directory()
         dataset_dir = os.path.join(output_dir, folder_name)
         # Prevent path traversal (e.g. folder_name="../../etc")
-        if not os.path.realpath(dataset_dir).startswith(os.path.realpath(output_dir)):
+        real_output_dir = os.path.realpath(output_dir)
+        real_dataset_dir = os.path.realpath(dataset_dir)
+        if os.path.commonpath((real_output_dir, real_dataset_dir)) != real_output_dir:
             raise ValueError(f"Invalid folder_name: path traversal detected")
         if not os.path.exists(dataset_dir):
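Review bot: `os.path.commonpath` raises its own `ValueError` when the two resolved paths are on different drives (on Windows an absolute `folder_name` on another drive makes `os.path.join` discard `output_dir`), so such input is still rejected but with the library's message instead of the intended `Invalid folder_name` one. Wrapping the `commonpath` call in a `try`/`except ValueError` that falls through to the same `raise` keeps the rejection uniform for callers and logs. The new check validates `real_dataset_dir`, yet the next line still tests the unresolved `dataset_dir`; if the rest of the method keeps operating on `dataset_dir`, consider switching it to `real_dataset_dir` so the path that was validated is the path that is used. The unchanged `raise` line uses an f-string with no placeholders, where a plain string literal is clearer. The enclosing method starts and ends outside the hunk.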