ComfyUI/api_server/routes/internal
adv0r 15d49a61b8 Address review feedback on /internal/models/download
- Disable aiohttp auto-redirects and re-validate every Location target
  against the same allowlist used for the initial URL, closing an SSRF
  vector where an allowed host could redirect to an arbitrary internal
  endpoint.
- Accept subdomains of allowlisted hosts so Hugging Face's LFS CDN
  (cdn-lfs.huggingface.co et al.) keeps working under the stricter
  redirect handling.
- Pass an explicit ClientTimeout (connect/sock_read) so hung remotes
  surface as errors instead of blocking the request handler forever.
- Log the exception value alongside the traceback on the 500 fallback.
- Add positive coverage for normalize_model_relative_path, Civitai URL
  allowlisting, and the redirect-following / SSRF-rejection branches of
  open_model_download_response.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-19 11:26:53 +02:00
..
__init__.py Add GET /internal/files. (#4295) 2024-08-21 01:25:06 -04:00
internal_routes.py Address review feedback on /internal/models/download 2026-05-19 11:26:53 +02:00
README.md Add GET /internal/files. (#4295) 2024-08-21 01:25:06 -04:00

ComfyUI Internal Routes

All routes under the /internal path are designated for internal use by ComfyUI only. These routes are not intended for use by external applications and may change at any time without notice.
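
The redirect handling described in the commit message above (auto-redirects off, every Location target re-checked against the same allowlist, subdomains of allowlisted hosts accepted), shown as an added example that is not code from the ComfyUI repository. The allowlist contents, the https-only rule, the redirect limit and the names `is_allowed_url`, `resolve_download` and `fake_fetch` are assumptions made for illustration; the transport is a stub so the logic runs offline.

```python
from urllib.parse import urljoin, urlsplit

# Assumed allowlist; the commit message names Hugging Face and Civitai.
ALLOWED_HOSTS = ("huggingface.co", "civitai.com")
MAX_REDIRECTS = 5  # assumed limit
REDIRECT_CODES = (301, 302, 303, 307, 308)


def is_allowed_url(url):
    """True only for https URLs whose host is allowlisted or a subdomain of one."""
    parts = urlsplit(url)
    # .hostname drops userinfo and port, so "https://huggingface.co@other/" yields "other".
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return False
    # Match on a label boundary: "cdn-lfs.huggingface.co" passes,
    # "evilhuggingface.co" and "huggingface.co.evil.test" do not.
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def resolve_download(url, fetch):
    """Follow redirects by hand, validating every hop before it is requested.

    `fetch(url)` is a hypothetical transport that returns (status, headers)
    and never follows redirects itself.
    """
    for _ in range(MAX_REDIRECTS + 1):
        if not is_allowed_url(url):
            raise ValueError(f"blocked URL: {url}")
        status, headers = fetch(url)
        if status not in REDIRECT_CODES:
            return url, status
        location = headers.get("Location")
        if not location:
            raise ValueError("redirect without Location header")
        url = urljoin(url, location)  # Location may be relative
    raise ValueError("too many redirects")


# Constructed responses standing in for the network.
FAKE_RESPONSES = {
    "https://huggingface.co/m/a.safetensors":
        (302, {"Location": "https://cdn-lfs.huggingface.co/blob/a"}),
    "https://cdn-lfs.huggingface.co/blob/a": (200, {}),
    "https://huggingface.co/m/b.safetensors":
        (302, {"Location": "http://127.0.0.1/internal/files"}),
}


def fake_fetch(url):
    return FAKE_RESPONSES[url]
```

The check runs before each request, so a redirect to a non-allowlisted target is rejected without that target ever being contacted.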