- Add path traversal protection in simple_downloader.py
- Sanitize model_type and filename inputs to prevent directory escapes
- Validate file extensions against allowed list
- Restrict model types to whitelisted folders only
- Add URL validation to require HTTPS
- Block SSRF attacks by preventing local/private network downloads
- Add input validation in server.py endpoint
- Ensure all file paths remain within models directory
These changes prevent attackers from:
- Writing files outside the models directory
- Accessing sensitive files via path traversal
- Making requests to internal services (SSRF)
- Executing arbitrary code via malicious filenames
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Implement simple_downloader module with actual download functionality
- Downloads models to correct folders based on model type
- Provides real-time progress tracking
- Handles errors gracefully
- Supports cancellation
The backend now actually downloads models when requested from the frontend.
Downloads are placed in the appropriate ComfyUI model folders.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
