- Add path traversal protection in simple_downloader.py
- Sanitize model_type and filename inputs to prevent directory escapes
- Validate file extensions against allowed list
- Restrict model types to whitelisted folders only
- Add URL validation to require HTTPS
- Block SSRF attacks by preventing local/private network downloads
- Add input validation in server.py endpoint
- Ensure all file paths remain within models directory
These changes prevent attackers from:
- Writing files outside the models directory
- Accessing sensitive files via path traversal
- Making requests to internal services (SSRF)
- Executing arbitrary code via malicious filenames
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Implement simple_downloader module with actual download functionality
- Downloads models to correct folders based on model type
- Provides real-time progress tracking
- Handles errors gracefully
- Supports cancellation
The backend now actually downloads models when requested from the frontend.
Downloads are placed in the appropriate ComfyUI model folders.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Created startup script to use custom frontend from ComfyUI_frontend repo
- Commented out model_downloader import (module was removed)
- Added placeholder API endpoints for model downloads
- Successfully tested integration with frontend at port 8190
The custom frontend includes the missingModelsDownloader extension which adds
download buttons to the Missing Models dialog.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Backend changes:
- Restored model download API endpoints in server.py
- Supports download, pause, resume, cancel operations
- Tracks download progress and history
Frontend extension package:
- Created standalone extension for ComfyUI frontend repository
- Automatically adds "Download" buttons to Missing Models dialog
- Includes repository of known model URLs (SDXL, SD1.5, VAEs, LoRAs, etc.)
- Shows real-time download progress in button (percentage)
- Supports custom URLs for unknown models
- "Download All" button for bulk downloads
The extension works with the separated frontend repository structure.
When missing models are detected, users can now download them directly
from the dialog without manually finding and moving files.
Installation instructions included in frontend_extensions/missingModelsDownloader/README.md
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Adds installed and required workflow templates version information to the
/system_stats endpoint, allowing the frontend to detect and notify users
when their templates package is outdated.
- Add get_installed_templates_version() and get_required_templates_version()
methods to FrontendManager
- Include templates version info in system_stats response
- Add comprehensive unit tests for the new functionality
When unloading models in load_models_gpu(), the model finalizer was not
being explicitly detached, leading to a memory leak. This caused
linear memory consumption increase over time as models are repeatedly
loaded and unloaded.
This change prevents orphaned finalizer references from accumulating in
memory during model switching operations.
* flux: Do the xq and xk ropes one at a time
This was doing independendent interleaved tensor math on the q and k
tensors, leading to the holding of more than the minimum intermediates
in VRAM. On a bad day, it would VRAM OOM on xk intermediates.
Do everything q and then everything k, so torch can garbage collect
all of qs intermediates before k allocates its intermediates.
This reduces peak VRAM usage for some WAN2.2 inferences (at least).
* wan: Optimize qkv intermediates on attention
As commented. The former logic computed independent pieces of QKV in
parallel which help more inference intermediates in VRAM spiking
VRAM usage. Fully roping Q and garbage collecting the intermediates
before touching K reduces the peak inference VRAM usage.
