mirror of
https://github.com/comfyanonymous/ComfyUI.git
synced 2026-03-16 14:47:33 +08:00
6aa0b838a0
Extends pyisolate process isolation with wheel-based dependency management, sandbox mode policy, and compatibility fixes validated against DA3 as the first complex isolated custom node. - Add sandbox_mode policy (required/disabled) with COMFY_HOST_POLICY_PATH env override for host security configuration - Plumb cuda_wheels config and standardize child environment detection - Add PLY, NPZ, File3D, VIDEO serializers for core save nodes - Register isolated extension web directories on host side (sandbox_mode=disabled) for frontend JS widget serving - Capture ACCEPT_ALL_INPUTS from child node class to prevent @classproperty trigger on proxy class - Serialize NodeOutput with ui/expand/block_execution through JSON-RPC - Cherry-pick V3 python_module metadata fix (e4592190) - Remove improperly committed cache artifacts
108 lines
3.3 KiB
Python
108 lines
3.3 KiB
Python
# pylint: disable=logging-fstring-interpolation
|
|
from __future__ import annotations
|
|
|
|
import logging
|
|
import os
|
|
from pathlib import Path
|
|
from typing import Dict, List, TypedDict
|
|
|
|
try:
|
|
import tomllib
|
|
except ImportError:
|
|
import tomli as tomllib # type: ignore[no-redef]
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
HOST_POLICY_PATH_ENV = "COMFY_HOST_POLICY_PATH"
|
|
VALID_SANDBOX_MODES = frozenset({"required", "disabled"})
|
|
|
|
|
|
class HostSecurityPolicy(TypedDict):
|
|
sandbox_mode: str
|
|
allow_network: bool
|
|
writable_paths: List[str]
|
|
readonly_paths: List[str]
|
|
whitelist: Dict[str, str]
|
|
|
|
|
|
DEFAULT_POLICY: HostSecurityPolicy = {
|
|
"sandbox_mode": "required",
|
|
"allow_network": False,
|
|
"writable_paths": ["/dev/shm", "/tmp"],
|
|
"readonly_paths": [],
|
|
"whitelist": {},
|
|
}
|
|
|
|
|
|
def _default_policy() -> HostSecurityPolicy:
|
|
return {
|
|
"sandbox_mode": DEFAULT_POLICY["sandbox_mode"],
|
|
"allow_network": DEFAULT_POLICY["allow_network"],
|
|
"writable_paths": list(DEFAULT_POLICY["writable_paths"]),
|
|
"readonly_paths": list(DEFAULT_POLICY["readonly_paths"]),
|
|
"whitelist": dict(DEFAULT_POLICY["whitelist"]),
|
|
}
|
|
|
|
|
|
def load_host_policy(comfy_root: Path) -> HostSecurityPolicy:
|
|
config_override = os.environ.get(HOST_POLICY_PATH_ENV)
|
|
config_path = Path(config_override) if config_override else comfy_root / "pyproject.toml"
|
|
policy = _default_policy()
|
|
|
|
if not config_path.exists():
|
|
logger.debug("Host policy file missing at %s, using defaults.", config_path)
|
|
return policy
|
|
|
|
try:
|
|
with config_path.open("rb") as f:
|
|
data = tomllib.load(f)
|
|
except Exception:
|
|
logger.warning(
|
|
"Failed to parse host policy from %s, using defaults.",
|
|
config_path,
|
|
exc_info=True,
|
|
)
|
|
return policy
|
|
|
|
tool_config = data.get("tool", {}).get("comfy", {}).get("host", {})
|
|
if not isinstance(tool_config, dict):
|
|
logger.debug("No [tool.comfy.host] section found, using defaults.")
|
|
return policy
|
|
|
|
sandbox_mode = tool_config.get("sandbox_mode")
|
|
if isinstance(sandbox_mode, str):
|
|
normalized_sandbox_mode = sandbox_mode.strip().lower()
|
|
if normalized_sandbox_mode in VALID_SANDBOX_MODES:
|
|
policy["sandbox_mode"] = normalized_sandbox_mode
|
|
else:
|
|
logger.warning(
|
|
"Invalid host sandbox_mode %r in %s, using default %r.",
|
|
sandbox_mode,
|
|
config_path,
|
|
DEFAULT_POLICY["sandbox_mode"],
|
|
)
|
|
|
|
if "allow_network" in tool_config:
|
|
policy["allow_network"] = bool(tool_config["allow_network"])
|
|
|
|
if "writable_paths" in tool_config:
|
|
policy["writable_paths"] = [str(p) for p in tool_config["writable_paths"]]
|
|
|
|
if "readonly_paths" in tool_config:
|
|
policy["readonly_paths"] = [str(p) for p in tool_config["readonly_paths"]]
|
|
|
|
whitelist_raw = tool_config.get("whitelist")
|
|
if isinstance(whitelist_raw, dict):
|
|
policy["whitelist"] = {str(k): str(v) for k, v in whitelist_raw.items()}
|
|
|
|
logger.debug(
|
|
"Loaded Host Policy: %d whitelisted nodes, Sandbox=%s, Network=%s",
|
|
len(policy["whitelist"]),
|
|
policy["sandbox_mode"],
|
|
policy["allow_network"],
|
|
)
|
|
return policy
|
|
|
|
|
|
__all__ = ["HostSecurityPolicy", "load_host_policy", "DEFAULT_POLICY"]
|