wangbo/ComfyUI
1
0
Fork 0
mirror of https://github.com/comfyanonymous/ComfyUI.git synced 2026-04-24 01:12:37 +08:00
Code Issues Actions 19 Packages Projects Releases Wiki Activity

Merge 29c078e87c into 138571da95

Browse Source
This commit is contained in:
orbisai0security 2026-04-19 10:31:45 +05:30 committed by GitHub
commit eaacfc9f83
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
tests-unit/assets_test/conftest.py
View File

@ -102,6 +102,24 @@ def comfy_url_and_proc(comfy_tmp_base_dir: Path, request: pytest.FixtureRequest)
if not (comfy_root / "main.py").is_file(): if not (comfy_root / "main.py").is_file():
raise FileNotFoundError(f"main.py not found under {comfy_root}") raise FileNotFoundError(f"main.py not found under {comfy_root}")
# Sanitize environment variables to prevent injection attacks via env var manipulation.
# Strip known-dangerous variables that can redirect code execution or hijack the runtime.
_DANGEROUS_ENV_VARS = {
"LD_PRELOAD",
"LD_LIBRARY_PATH",
"DYLD_INSERT_LIBRARIES",
"DYLD_LIBRARY_PATH",
"PYTHONSTARTUP",
"PYTHONINSPECT",
"PYTHONPATH",
"PYTHONEXECUTABLE",
"BROWSER",
"CDPATH",
"ENV",
"BASH_ENV",
}
safe_env = {k: v for k, v in os.environ.items() if k not in _DANGEROUS_ENV_VARS}
proc = subprocess.Popen( proc = subprocess.Popen(
args=[ args=[
sys.executable, sys.executable,
@ -118,7 +136,7 @@ def comfy_url_and_proc(comfy_tmp_base_dir: Path, request: pytest.FixtureRequest)
stdout=out_log, stdout=out_log,
stderr=err_log, stderr=err_log,
cwd=str(comfy_root), cwd=str(comfy_root),
env={**os.environ}, env=safe_env,
) )
for _ in range(50): for _ in range(50):