- Disable aiohttp auto-redirects and re-validate every Location target
against the same allowlist used for the initial URL, closing an SSRF
vector where an allowed host could redirect to an arbitrary internal
endpoint.
- Accept subdomains of allowlisted hosts so Hugging Face's LFS CDN
(cdn-lfs.huggingface.co et al.) keeps working under the stricter
redirect handling.
- Pass an explicit ClientTimeout (connect/sock_read) so hung remotes
surface as errors instead of blocking the request handler forever.
- Log the exception value alongside the traceback on the 500 fallback.
- Add positive coverage for normalize_model_relative_path, Civitai URL
allowlisting, and the redirect-following / SSRF-rejection branches of
open_model_download_response.
Co-authored-by: Cursor <cursoragent@cursor.com>
* add LoadImageOutput node
* add route for input/output/temp files
* update node_typing.py
* use literal type for image_folder field
* mark node as beta
* Add /logs/raw and /logs/subscribe for getting logs on frontend
Hijacks stderr/stdout to send all output data to the client on flush
* Use existing send sync method
* Fix get_logs should return string
* Fix bug
* pass no server
* fix tests
* Fix output flush on linux
* Add route for getting output logs
* Include ComfyUI version
* Move to own function
* Changed to memory logger
* Unify logger setup logic
* Fix get version git fallback
---------
Co-authored-by: pythongosssss <125205205+pythongosssss@users.noreply.github.com>
* Create internal route table.
* List files.
* Add GET /internal/files.
Retrieves list of files in models, output, and user directories.
* Refactor file names.
* Use typing_extensions for Python 3.8
* Fix tests.
* Remove print statements.
* Update README.
* Add output and user to valid directory test.
* Add missing type hints.
