xinyun/ComfyUI-Manager
1
0
Fork 0
mirror of https://git.datalinker.icu/ltdrdata/ComfyUI-Manager synced 2025-12-09 14:14:54 +08:00
Code Issues Packages Projects Releases Wiki Activity

fixed: several security bugs

Browse Source 
refactor: remove serveal unused code
This commit is contained in:
Dr.Lt.Data 2025-03-12 11:32:16 +09:00
parent cef0ad6707
commit 0a60a44478
3 changed files with 38 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
glob/manager_core.py
View File

@ -43,7 +43,7 @@ import manager_downloader
from node_package import InstalledNodePackage from node_package import InstalledNodePackage
version_code = [3, 30, 4] version_code = [3, 30, 5]
version_str = f"V{version_code[0]}.{version_code[1]}" + (f'.{version_code[2]}' if len(version_code) > 2 else '') version_str = f"V{version_code[0]}.{version_code[1]}" + (f'.{version_code[2]}' if len(version_code) > 2 else '')
@ -53,6 +53,11 @@ DEFAULT_CHANNEL = "https://raw.githubusercontent.com/ltdrdata/ComfyUI-Manager/ma
default_custom_nodes_path = None default_custom_nodes_path = None
class InvalidChannel(Exception):
def __init__(self, channel):
self.channel = channel
super().__init__(channel)
def get_default_custom_nodes_path(): def get_default_custom_nodes_path():
global default_custom_nodes_path global default_custom_nodes_path
if default_custom_nodes_path is None: if default_custom_nodes_path is None:
@ -251,6 +256,7 @@ comfy_ui_revision = "Unknown"
comfy_ui_commit_datetime = datetime(1900, 1, 1, 0, 0, 0) comfy_ui_commit_datetime = datetime(1900, 1, 1, 0, 0, 0)
channel_dict = None channel_dict = None
valid_channels = set()
channel_list = None channel_list = None
@ -355,7 +361,7 @@ def normalize_channel(channel):
if channel_url: if channel_url:
return channel_url return channel_url
raise Exception(f"Invalid channel name '{channel}'") raise InvalidChannel(channel)
class ManagedResult: class ManagedResult:
@ -770,6 +776,11 @@ class UnifiedManager:
print(f"[bold red]ERROR: Invalid mode is specified `--mode {mode}`[/bold red]", file=sys.stderr) print(f"[bold red]ERROR: Invalid mode is specified `--mode {mode}`[/bold red]", file=sys.stderr)
return {} return {}
# validate channel - only the channel set by the user is allowed.
if channel_url not in valid_channels:
logging.error(f'[ComfyUI-Manager] An invalid channel was used: {channel_url}')
raise InvalidChannel(channel_url)
json_obj = await get_data_by_mode(mode, 'custom-node-list.json', channel_url=channel_url) json_obj = await get_data_by_mode(mode, 'custom-node-list.json', channel_url=channel_url)
for x in json_obj['custom_nodes']: for x in json_obj['custom_nodes']:
try: try:
@ -1414,7 +1425,11 @@ class UnifiedManager:
version_spec = self.resolve_unspecified_version(node_id) version_spec = self.resolve_unspecified_version(node_id)
if version_spec == 'unknown' or version_spec == 'nightly': if version_spec == 'unknown' or version_spec == 'nightly':
custom_nodes = await self.get_custom_nodes(channel, mode) try:
custom_nodes = await self.get_custom_nodes(channel, mode)
except InvalidChannel as e:
return ManagedResult('fail').fail(f'Invalid channel is used: {e.channel}')
the_node = custom_nodes.get(node_id) the_node = custom_nodes.get(node_id)
if the_node is not None: if the_node is not None:
if version_spec == 'unknown': if version_spec == 'unknown':
@ -1472,28 +1487,6 @@ class UnifiedManager:
return res return res
async def migrate_unmanaged_nodes(self):
"""
fix path for nightly and unknown nodes of unmanaged nodes
"""
await self.reload('cache')
await self.get_custom_nodes('default', 'cache')
print("Migration: STAGE 1")
moves = []
# migrate nightly inactive
for x, v in self.nightly_inactive_nodes.items():
if v.endswith('@nightly'):
continue
new_path = os.path.join(get_default_custom_nodes_path(), '.disabled', f"{x}@nightly")
moves.append((v, new_path))
self.reserve_migration(moves)
print("DONE (Migration reserved)")
unified_manager = UnifiedManager() unified_manager = UnifiedManager()
@ -1565,6 +1558,7 @@ def get_installed_node_packs():
def get_channel_dict(): def get_channel_dict():
global channel_dict global channel_dict
global valid_channels
if channel_dict is None: if channel_dict is None:
channel_dict = {} channel_dict = {}
@ -1578,6 +1572,7 @@ def get_channel_dict():
channel_info = x.split("::") channel_info = x.split("::")
if len(channel_info) == 2: if len(channel_info) == 2:
channel_dict[channel_info[0]] = channel_info[1] channel_dict[channel_info[0]] = channel_info[1]
valid_channels.add(channel_info[1])
return channel_dict return channel_dict

31
glob/manager_server.py
View File

@ -399,7 +399,6 @@ async def task_worker():
try: try:
node_spec = core.unified_manager.resolve_node_spec(node_spec_str) node_spec = core.unified_manager.resolve_node_spec(node_spec_str)
if node_spec is None: if node_spec is None:
logging.error(f"Cannot resolve install target: '{node_spec_str}'") logging.error(f"Cannot resolve install target: '{node_spec_str}'")
return f"Cannot resolve install target: '{node_spec_str}'" return f"Cannot resolve install target: '{node_spec_str}'"
@ -929,6 +928,7 @@ def check_model_installed(json_obj):
@routes.get("/externalmodel/getlist") @routes.get("/externalmodel/getlist")
async def fetch_externalmodel_list(request): async def fetch_externalmodel_list(request):
# The model list is only allowed in the default channel, yet.
json_obj = await core.get_data_by_mode(request.rel_url.query["mode"], 'model-list.json') json_obj = await core.get_data_by_mode(request.rel_url.query["mode"], 'model-list.json')
check_model_installed(json_obj) check_model_installed(json_obj)
@ -1197,9 +1197,8 @@ async def install_custom_node(request):
git_url = None git_url = None
if json_data['version'] != 'unknown': selected_version = json_data.get('selected_version')
selected_version = json_data.get('selected_version') if json_data['version'] != 'unknown' and selected_version != 'unknown':
if skip_post_install: if skip_post_install:
if cnr_id in core.unified_manager.nightly_inactive_nodes or cnr_id in core.unified_manager.cnr_inactive_nodes: if cnr_id in core.unified_manager.nightly_inactive_nodes or cnr_id in core.unified_manager.cnr_inactive_nodes:
core.unified_manager.unified_enable(cnr_id) core.unified_manager.unified_enable(cnr_id)
@ -1216,6 +1215,9 @@ async def install_custom_node(request):
if git_url is None: if git_url is None:
logging.error(f"[ComfyUI-Manager] Following node pack doesn't provide `nightly` version: ${git_url}") logging.error(f"[ComfyUI-Manager] Following node pack doesn't provide `nightly` version: ${git_url}")
return web.Response(status=404, text=f"Following node pack doesn't provide `nightly` version: ${git_url}") return web.Response(status=404, text=f"Following node pack doesn't provide `nightly` version: ${git_url}")
elif json_data['version'] != 'unknown' and selected_version == 'unknown':
logging.error(f"[ComfyUI-Manager] Invalid installation request: {json_data}")
return web.Response(status=400, text="Invalid installation request")
else: else:
# unknown # unknown
unknown_name = os.path.basename(json_data['files'][0]) unknown_name = os.path.basename(json_data['files'][0])
@ -1407,17 +1409,13 @@ async def disable_node(request):
return web.Response(status=200) return web.Response(status=200)
@routes.get("/manager/migrate_unmanaged_nodes") async def check_whitelist_for_model(item):
async def migrate_unmanaged_nodes(request): json_obj = await core.get_data_by_mode('cache', 'model-list.json')
logging.info("[ComfyUI-Manager] Migrating unmanaged nodes...")
await core.unified_manager.migrate_unmanaged_nodes()
logging.info("Done.")
return web.Response(status=200)
for x in json_obj.get('models', []):
@routes.get("/manager/need_to_migrate") return True
async def need_to_migrate(request):
return web.Response(text=str(core.need_to_migrate), status=200) return False
@routes.post("/manager/queue/install_model") @routes.post("/manager/queue/install_model")
@ -1428,6 +1426,11 @@ async def install_model(request):
logging.error(SECURITY_MESSAGE_MIDDLE_OR_BELOW) logging.error(SECURITY_MESSAGE_MIDDLE_OR_BELOW)
return web.Response(status=403, text="A security error has occurred. Please check the terminal logs") return web.Response(status=403, text="A security error has occurred. Please check the terminal logs")
# validate request
if not await check_whitelist_for_model(json_data):
logging.error(f"[ComfyUI-Manager] Invalid model install request is detected: {json_data}")
return web.Response(status=400, text="Invalid model install request is detected")
if not json_data['filename'].endswith('.safetensors') and not is_allowed_security_level('high'): if not json_data['filename'].endswith('.safetensors') and not is_allowed_security_level('high'):
models_json = await core.get_data_by_mode('cache', 'model-list.json', 'default') models_json = await core.get_data_by_mode('cache', 'model-list.json', 'default')

2
pyproject.toml
View File

@ -1,7 +1,7 @@
[project] [project]
name = "comfyui-manager" name = "comfyui-manager"
description = "ComfyUI-Manager provides features to install and manage custom nodes for ComfyUI, as well as various functionalities to assist with ComfyUI." description = "ComfyUI-Manager provides features to install and manage custom nodes for ComfyUI, as well as various functionalities to assist with ComfyUI."
version = "3.30.4" version = "3.30.5"
license = { file = "LICENSE.txt" } license = { file = "LICENSE.txt" }
dependencies = ["GitPython", "PyGithub", "matrix-client==0.4.0", "transformers", "huggingface-hub>0.20", "typer", "rich", "typing-extensions", "toml", "uv", "chardet"] dependencies = ["GitPython", "PyGithub", "matrix-client==0.4.0", "transformers", "huggingface-hub>0.20", "typer", "rich", "typing-extensions", "toml", "uv", "chardet"]