ComfyUI/tests-unit/assets_test
Matt Miller ae4fcaaf41 security: fix five vulnerabilities (GHSA-779p-m5rp-r4h4)
- CVE-2026-56670: force download of SVG/XML responses on /view to prevent stored XSS
- CVE-2026-56671: contain /experiment/models/preview reads within the model folder
- CVE-2026-56672: stop inline rendering of uploaded /userdata/{file} content
- CVE-2026-56673: prevent path traversal in get_annotated_filepath (LoadImage /prompt input)
- CVE-2026-56674: reject opaque/null Origin to close the CSRF middleware bypass

Adds regression tests under tests-unit/security_test/ covering all five.
2026-07-02 19:10:30 -07:00
queries revert(assets): drop job_ids filter from GET /api/assets (#14408) 2026-06-10 19:23:01 -07:00
services feat(assets): cursor-based pagination on GET /api/assets (#14014) 2026-06-09 21:14:03 -07:00
conftest.py fix(assets): remove unused delete_content param from deleteAsset (#14241) 2026-06-09 21:52:14 -07:00
helpers.py Emit hash alongside asset_hash on all Asset responses (#13739) 2026-05-25 11:21:35 -07:00
test_assets_missing_sync.py Emit hash alongside asset_hash on all Asset responses (#13739) 2026-05-25 11:21:35 -07:00
test_crud.py fix(assets): remove unused delete_content param from deleteAsset (#14241) 2026-06-09 21:52:14 -07:00
test_downloads.py security: fix five vulnerabilities (GHSA-779p-m5rp-r4h4) 2026-07-02 19:10:30 -07:00
test_file_utils.py refactor(assets): modular architecture + async two-phase scanner & background seeder (#12621) 2026-03-07 20:37:25 -05:00
test_list_cursor.py feat(assets): cursor-based pagination on GET /api/assets (#14014) 2026-06-09 21:14:03 -07:00
test_list_filter.py Emit hash alongside asset_hash on all Asset responses (#13739) 2026-05-25 11:21:35 -07:00
test_metadata_filters.py Assets Part 2 - add more endpoints (#12125) 2026-01-31 02:22:05 -05:00
test_prompt_id_enforcement.py revert(assets): drop job_ids filter from GET /api/assets (#14408) 2026-06-10 19:23:01 -07:00
test_prune_orphaned_assets.py refactor(assets): modular architecture + async two-phase scanner & background seeder (#12621) 2026-03-07 20:37:25 -05:00
test_sync_references.py chore(assets): drop vestigial tags.tag_type column (#14248) 2026-06-09 21:07:10 -07:00
test_tags_api.py fix(assets): remove unused delete_content param from deleteAsset (#14241) 2026-06-09 21:52:14 -07:00
test_uploads.py Emit hash alongside asset_hash on all Asset responses (#13739) 2026-05-25 11:21:35 -07:00