ComfyUI/tests-unit
Matt Miller 96e0e3585b
Some checks are pending
Detect Unreviewed Merge / detect (push) Waiting to run
Python Linting / Run Ruff (push) Waiting to run
Python Linting / Run Pylint (push) Waiting to run
Full Comfy CI Workflow Runs / test-stable (12.1, , linux, 3.10, [self-hosted Linux], stable) (push) Waiting to run
Full Comfy CI Workflow Runs / test-stable (12.1, , linux, 3.11, [self-hosted Linux], stable) (push) Waiting to run
Full Comfy CI Workflow Runs / test-stable (12.1, , linux, 3.12, [self-hosted Linux], stable) (push) Waiting to run
Full Comfy CI Workflow Runs / test-unix-nightly (12.1, , linux, 3.11, [self-hosted Linux], nightly) (push) Waiting to run
Execution Tests / test (macos-latest) (push) Waiting to run
Execution Tests / test (ubuntu-latest) (push) Waiting to run
Execution Tests / test (windows-latest) (push) Waiting to run
Test server launches without errors / test (push) Waiting to run
Unit Tests / test (macos-latest) (push) Waiting to run
Unit Tests / test (ubuntu-latest) (push) Waiting to run
Unit Tests / test (windows-2022) (push) Waiting to run
security: fix four vulnerabilities (GHSA-779p-m5rp-r4h4) (#14734)
* security: fix five vulnerabilities (GHSA-779p-m5rp-r4h4)

- CVE-2026-56670: force download of SVG/XML responses on /view to prevent stored XSS
- CVE-2026-56671: contain /experiment/models/preview reads within the model folder
- CVE-2026-56672: stop inline rendering of uploaded /userdata/{file} content
- CVE-2026-56673: prevent path traversal in get_annotated_filepath (LoadImage /prompt input)
- CVE-2026-56674: reject opaque/null Origin to close the CSRF middleware bypass

Adds regression tests under tests-unit/security_test/ covering all five.

* security: address review feedback on GHSA-779p fixes

- Fix Windows CI failure in test_get_annotated_filepath: compare against
  os.path.abspath(...) to match the intentional abspath normalization added
  by the traversal hardening (abspath prepends the drive letter on Windows).
- origin_check: narrow the bare `except:` in is_loopback() to ValueError so
  genuine interrupts aren't swallowed (review nit).
- origin_check: guard .port access in is_cross_origin_forbidden() so a
  malformed/out-of-range port (e.g. Origin: http://127.0.0.1:99999) fails
  closed with a 403 instead of surfacing an uncaught 500 in the middleware.
- server /view: escape backslash/quote in the Content-Disposition filename
  (RFC 6266 quoted-string) so a filename containing a double quote can't
  malform the response header.

* security: address CodeRabbit review feedback on GHSA-779p tests

- test #3: guard the symlink-escape test with a try/except skip so it no
  longer errors on Windows CI where os.symlink needs elevated privileges /
  Developer Mode (mirrors the guard in the sibling test #2).
- test #5: refresh the stale module docstring to describe the actual /view
  gating (view_image closure calling folder_paths.is_dangerous_content_type,
  the normalising check) instead of the bypassable raw set-membership test.

* revert(security): drop CVE-2026-56674 Origin: null CSRF change

Per maintainer review, the reported CSRF is already mitigated by the pre-existing
Sec-Fetch-Site: cross-site check for current browsers, and the null-origin
rejection risked breaking legitimate sandboxed-iframe embeds. Restores
origin_only_middleware and is_loopback in server.py to their prior state
(the Sec-Fetch-Site check is retained) and removes utils/origin_check.py and its
regression test. The other four GHSA-779p fixes are unaffected.
2026-07-02 20:44:54 -07:00
..
app_test Generalize frontend version warning to all comfy* requirements.txt entries (#13875) 2026-05-14 16:13:30 -07:00
assets_test security: fix four vulnerabilities (GHSA-779p-m5rp-r4h4) (#14734) 2026-07-02 20:44:54 -07:00
comfy_api_test Add 10-bit video support (#14452) 2026-06-13 16:05:25 +03:00
comfy_extras_test Revert "Add SeedVR2 support (CORE-6) (#14110)" (#14359) 2026-06-08 18:00:20 -04:00
comfy_quant Support int8 models. (#14636) 2026-06-25 11:23:58 -07:00
comfy_test security: fix four vulnerabilities (GHSA-779p-m5rp-r4h4) (#14734) 2026-07-02 20:44:54 -07:00
execution_test feat(assets): include asset id in executed WebSocket message (#13862) 2026-06-10 17:04:52 -07:00
folder_paths_test feat(security): add System User protection with __ prefix (#10966) 2025-11-28 21:28:42 -05:00
jobs_cancel_test Add jobs-namespace cancel endpoints (POST /api/jobs/{job_id}/cancel, POST /api/jobs/cancel) (#14493) 2026-06-19 16:39:35 -07:00
prompt_server_test fix: return millisecond timestamps from get_file_info() (#12996) 2026-05-06 10:56:09 +08:00
security_test security: fix four vulnerabilities (GHSA-779p-m5rp-r4h4) (#14734) 2026-07-02 20:44:54 -07:00
seeder_test feat(assets): register output files as assets after prompt execution (#12812) 2026-03-24 20:48:55 -07:00
server/utils
server_test fix: use no-store cache headers to prevent stale frontend chunks (#12911) 2026-03-14 18:25:09 -04:00
utils Normalize extra_model_config.yaml paths to prevent duplicates. (#6885) 2025-02-20 07:09:45 -05:00
deploy_environment_test.py Add deploy environment header (Comfy-Env) to partner node API calls (#13425) 2026-05-04 20:17:56 -07:00
feature_flags_test.py feat: add generic --feature-flag CLI arg and --list-feature-flags registry (#13685) 2026-05-04 19:50:26 -07:00
README.md
requirements.txt refactor(assets): modular architecture + async two-phase scanner & background seeder (#12621) 2026-03-07 20:37:25 -05:00
websocket_feature_flags_test.py Support for async node functions (#8830) 2025-07-10 14:46:19 -04:00

Pytest Unit Tests

Install test dependencies

pip install -r tests-unit/requirements.txt

Run tests

pytest tests-unit/