From dcad3b988c435e9f6b75f5077d47f1305da5cf90 Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Fri, 12 Jun 2026 08:38:58 +0000
Subject: [PATCH] fix: V-002 security vulnerability Automated security fix generated by OrbisAI Security
---
 execution.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/execution.py b/execution.py
index 9e16e451d..3d23136e1 100644
--- a/execution.py
+++ b/execution.py
@@ -196,15 +196,17 @@ def get_input_data(inputs, class_def, unique_id, execution_list=None, dynprompt=
 hidden_inputs_v3[io.Hidden.extra_pnginfo] = extra_data.get('extra_pnginfo', None)
 if io.Hidden.unique_id.name in hidden:
 hidden_inputs_v3[io.Hidden.unique_id] = unique_id
+ _is_trusted = getattr(class_def, '__module__', '').startswith('comfy_api_nodes')
 if io.Hidden.auth_token_comfy_org.name in hidden:
- hidden_inputs_v3[io.Hidden.auth_token_comfy_org] = extra_data.get("auth_token_comfy_org", None)
+ hidden_inputs_v3[io.Hidden.auth_token_comfy_org] = extra_data.get("auth_token_comfy_org", None) if _is_trusted else None
 if io.Hidden.api_key_comfy_org.name in hidden:
- hidden_inputs_v3[io.Hidden.api_key_comfy_org] = extra_data.get("api_key_comfy_org", None)
+ hidden_inputs_v3[io.Hidden.api_key_comfy_org] = extra_data.get("api_key_comfy_org", None) if _is_trusted else None
 if io.Hidden.comfy_usage_source.name in hidden:
 hidden_inputs_v3[io.Hidden.comfy_usage_source] = extra_data.get("comfy_usage_source", None)
 else:
 if "hidden" in valid_inputs:
 h = valid_inputs["hidden"]
+ _is_trusted = getattr(class_def, '__module__', '').startswith('comfy_api_nodes')
 for x in h:
 if h[x] == "PROMPT":
 input_data_all[x] = [dynprompt.get_original_prompt() if dynprompt is not None else {}]
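Review bot: The `_is_trusted` check added after the `unique_id` assignment (and again before `for x in h:`) is a bare prefix match, so it also accepts any module whose name merely begins with `comfy_api_nodes`, and it raises `AttributeError` if a class has `__module__` set to `None`. Comparing the top-level package exactly closes both gaps: `_is_trusted = (getattr(class_def, '__module__', None) or '').split('.')[0] == 'comfy_api_nodes'`. `__module__` is also an ordinary class attribute that a node's own code can assign, so this gate is best treated as defence in depth; a trust decision recorded by the loader when it imports the built-in API nodes would be harder to bypass. The expression is duplicated in both branches and is consumed by the second hunk as well, so computing it once near the top of `get_input_data` (whose body starts outside this hunk) would keep the two paths in step. Indentation is not recoverable from this page, so confirm that the first assignment sits at the level of the `if ... in hidden:` statements rather than inside the `unique_id` body, where it would be skipped for nodes that do not request `unique_id`.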
@@ -215,9 +217,9 @@ def get_input_data(inputs, class_def, unique_id, execution_list=None, dynprompt=
 if h[x] == "UNIQUE_ID":
 input_data_all[x] = [unique_id]
 if h[x] == "AUTH_TOKEN_COMFY_ORG":
- input_data_all[x] = [extra_data.get("auth_token_comfy_org", None)]
+ input_data_all[x] = [extra_data.get("auth_token_comfy_org", None) if _is_trusted else None]
 if h[x] == "API_KEY_COMFY_ORG":
- input_data_all[x] = [extra_data.get("api_key_comfy_org", None)]
+ input_data_all[x] = [extra_data.get("api_key_comfy_org", None) if _is_trusted else None]
 if h[x] == "COMFY_USAGE_SOURCE":
 input_data_all[x] = [extra_data.get("comfy_usage_source", None)]
 v3_data["hidden_inputs"] = hidden_inputs_v3
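Review bot: Credentials are now withheld silently in the `AUTH_TOKEN_COMFY_ORG` and `API_KEY_COMFY_ORG` branches: a node that declared the hidden input simply receives `[None]`, and nothing records that a class outside the allowlist asked for a token. A warning at the point of denial gives operators something to alert on and makes the resulting authentication failure diagnosable, for example `logging.warning("withholding %s from node class %s", h[x], getattr(class_def, '__name__', class_def))`, assuming `logging` is already imported in execution.py. The two V3 assignments in the first hunk would benefit from the same log line. `_is_trusted` is assigned outside this hunk, so a short comment on these lines such as `# credentials are only passed to built-in API nodes (see _is_trusted)` would help readers of the legacy path.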