ComfyUI/tests-unit/security_test
Matt Miller ae4fcaaf41 security: fix five vulnerabilities (GHSA-779p-m5rp-r4h4)
- CVE-2026-56670: force download of SVG/XML responses on /view to prevent stored XSS
- CVE-2026-56671: contain /experiment/models/preview reads within the model folder
- CVE-2026-56672: stop inline rendering of uploaded /userdata/{file} content
- CVE-2026-56673: prevent path traversal in get_annotated_filepath (LoadImage /prompt input)
- CVE-2026-56674: reject opaque/null Origin to close the CSRF middleware bypass

Adds regression tests under tests-unit/security_test/ covering all five.
2026-07-02 19:10:30 -07:00
__init__.py security: fix five vulnerabilities (GHSA-779p-m5rp-r4h4) 2026-07-02 19:10:30 -07:00
test_ghsa_779p_01_origin_csrf.py security: fix five vulnerabilities (GHSA-779p-m5rp-r4h4) 2026-07-02 19:10:30 -07:00
test_ghsa_779p_02_preview_traversal.py security: fix five vulnerabilities (GHSA-779p-m5rp-r4h4) 2026-07-02 19:10:30 -07:00
test_ghsa_779p_03_annotated_traversal.py security: fix five vulnerabilities (GHSA-779p-m5rp-r4h4) 2026-07-02 19:10:30 -07:00
test_ghsa_779p_04_userdata_xss.py security: fix five vulnerabilities (GHSA-779p-m5rp-r4h4) 2026-07-02 19:10:30 -07:00
test_ghsa_779p_05_dangerous_content_types.py security: fix five vulnerabilities (GHSA-779p-m5rp-r4h4) 2026-07-02 19:10:30 -07:00