Matt Miller
e4eb7f2698
security: address review feedback on GHSA-779p fixes
- Fix Windows CI failure in test_get_annotated_filepath: compare against
os.path.abspath(...) to match the intentional abspath normalization added
by the traversal hardening (abspath prepends the drive letter on Windows).
- origin_check: narrow the bare `except:` in is_loopback() to ValueError so
genuine interrupts aren't swallowed (review nit).
- origin_check: guard .port access in is_cross_origin_forbidden() so a
malformed/out-of-range port (e.g. Origin: http://127.0.0.1:99999) fails
closed with a 403 instead of surfacing an uncaught 500 in the middleware.
- server /view: escape backslash/quote in the Content-Disposition filename
(RFC 6266 quoted-string) so a filename containing a double quote can't
malform the response header.
2026-07-02 19:58:06 -07:00
Matt Miller
ae4fcaaf41
security: fix five vulnerabilities (GHSA-779p-m5rp-r4h4)
- CVE-2026-56670: force download of SVG/XML responses on /view to prevent stored XSS
- CVE-2026-56671: contain /experiment/models/preview reads within the model folder
- CVE-2026-56672: stop inline rendering of uploaded /userdata/{file} content
- CVE-2026-56673: prevent path traversal in get_annotated_filepath (LoadImage /prompt input)
- CVE-2026-56674: reject opaque/null Origin to close the CSRF middleware bypass
Adds regression tests under tests-unit/security_test/ covering all five.
2026-07-02 19:10:30 -07:00
comfyanonymous
0be87b082a
Update logging level for invalid version format (#13526)
2026-04-22 20:21:43 -04:00
Jin Yi
225c52f6a4
fix: register image/svg+xml MIME type for .svg files (#13186)
The /view endpoint returns text/plain for .svg files on some platforms
because Python's mimetypes module does not always include SVG by default.
Explicitly register image/svg+xml so <img> tags can render SVGs correctly.
Amp-Thread-ID: https://ampcode.com/threads/T-019d2da7-6a64-726a-af91-bd9c44e7f43c
2026-03-26 22:13:29 -07:00
Luke Mino-Altherr
29b24cb517
refactor(assets): modular architecture + async two-phase scanner & background seeder (#12621)
2026-03-07 20:37:25 -05:00
comfyanonymous
17106cb124
Move parsing of requirements logic to function. (#12701)
2026-02-28 22:21:32 -05:00
pythongosssss
50c605e957
Add support for sqlite database (#8444)
* Add support for sqlite database
* fix
2025-06-11 16:43:39 -04:00
Robin Huang
29d4384a75
Normalize extra_model_config.yaml paths to prevent duplicates. (#6885)
* Normalize extra_model_config.yaml paths before adding.
* Fix tests.
* Fix tests.
2025-02-20 07:09:45 -05:00
Robin Huang
042a905c37
Open yaml files with utf-8 encoding for extra_model_paths.yaml (#6807)
* Using utf-8 encoding for yaml files.
* Fix test assertion.
2025-02-13 20:39:04 -05:00
Chenlei Hu
a058f52090
[i18n] Add /i18n endpoint to provide all custom node translations (#6558)
* [i18n] Add /i18n endpoint to provide all custom node translations
* Sort glob result for deterministic ordering
* Update comment
2025-01-22 17:15:45 -05:00
Alexander Piskun
b9d9bcba14
fixed a bug where a relative path was not converted to a full path (#6395)
Signed-off-by: bigcat88 <bigcat88@icloud.com>
2025-01-11 19:19:51 -05:00
Alexander Piskun
cdc3b97dd5
resolve relative paths in YAML configuration for extra model paths (#5847)
Signed-off-by: bigcat88 <bigcat88@icloud.com>
2024-12-03 06:02:01 -05:00
Alex "mcmonkey" Goodwin
68bb885d22
add 'is_default' to model paths config (#4979)
* add 'is_default' to model paths config
including impl and doc in example file
* update weirdly overspecific test expectations
* oh there's two
* sigh
2024-09-19 08:59:55 -04:00
Robin Huang
d247bc5a9c
Expand variables in base_path for extra_config_paths.yaml. (#4893)
* Expand variables in base_path for extra_config_paths.yaml.
* Fix comments.
2024-09-12 01:52:06 -04:00
Robin Huang
9fa8faa44a
Expand user directory for basepath in extra_models_paths.yaml (#4857)
* Expand user path.
* Add test.
* Add unit test for expanding base path.
* Simplify unit test.
* Remove comment.
* Remove comment.
* Checkpoints.
* Refactor.
2024-09-10 00:33:44 -04:00