wangbo/ComfyUI
1
0
Fork 0
mirror of https://github.com/comfyanonymous/ComfyUI.git synced 2026-06-26 17:59:54 +08:00
Code Issues Actions 23 Packages Projects Releases Wiki Activity
88a5a1862e
ComfyUI/tests-unit/server_test/test_is_path_within_directory.py
nahcmon 88a5a1862e Fix ValueError in /view and /upload/mask when subfolder is on a different drive 
os.path.commonpath raises ValueError when comparing paths that don't share
a drive (e.g. on Windows when output_dir is on C: and the resolved subfolder
ends up on D:), so a malicious or malformed `subfolder` query/field crashed
these handlers with an unhandled exception instead of returning 403.

Extract the check into is_path_within_directory(), which treats a
different-drive ValueError as "not within" and returns False, restoring the
intended 403 response.

Fixes #1488
2026-06-08 17:59:54 +02:00

43 lines
1.7 KiB
Python
Raw Blame History

"""Tests for server.is_path_within_directory"""
import os
from unittest.mock import patch
# Importing `nodes` (a transitive import of `server`) prepends the `comfy/`
# directory to sys.path, which shadows the top-level `utils` package with
# `comfy/utils.py`. Importing `utils` first caches the real package so later
# `server` imports (e.g. app.frontend_management) resolve it correctly.
import utils # noqa: F401
from server import is_path_within_directory
def test_subpath_is_within_directory(tmp_path):
directory = str(tmp_path)
sub = os.path.join(directory, "subfolder")
assert is_path_within_directory(sub, directory) is True
def test_directory_itself_is_within_directory(tmp_path):
directory = str(tmp_path)
assert is_path_within_directory(directory, directory) is True
def test_sibling_path_is_not_within_directory(tmp_path):
directory = os.path.join(str(tmp_path), "output")
sibling = os.path.join(str(tmp_path), "other")
assert is_path_within_directory(sibling, directory) is False
def test_parent_path_is_not_within_directory(tmp_path):
directory = os.path.join(str(tmp_path), "output")
parent = str(tmp_path)
assert is_path_within_directory(parent, directory) is False
def test_different_drive_returns_false_instead_of_raising():
# On Windows, os.path.commonpath raises ValueError when the paths don't
# share a drive (e.g. comparing "C:\\output" with "D:\\secret"). That
# should be treated as "not within", not bubble up as an exception.
with patch("os.path.commonpath", side_effect=ValueError("Paths don't have the same drive")):
assert is_path_within_directory("D:\\secret", "C:\\output") is False
Reference in New Issue View Git Blame Copy Permalink