security patch

#1125
ltdrdata · Oct 8, 2024 · 3315807 · 3315807
1 parent 8dd84bb
commit 3315807
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/glob/manager_core.py b/glob/manager_core.py
@@ -23,7 +23,7 @@
 import cm_global
 from manager_util import *
 
-version = [2, 51, 5]
+version = [2, 51, 6]
 version_str = f"V{version[0]}.{version[1]}" + (f'.{version[2]}' if len(version) > 2 else '')
 
 

diff --git a/glob/manager_server.py b/glob/manager_server.py
@@ -820,7 +820,14 @@ async def install_custom_node(request):
         res = unzip_install(json_data['files'])
 
     if install_type == "copy":
-        js_path_name = json_data['js_path'] if 'js_path' in json_data else '.'
+        if 'js_path' in json_data:
+            if '.' in json_data['js_path'] or ':' in json_data['js_path'] or json_data['js_path'].startswith('/'):
+                print(f"[ComfyUI Manager] An abnormal JS path has been transmitted. This could be the result of a security attack.\n{json_data['js_path']}")
+                return web.Response(status=400)
+            else:
+                js_path_name = json_data['js_path']
+        else:
+            js_path_name = '.'
         res = copy_install(json_data['files'], js_path_name)
 
     elif install_type == "git-clone":

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,7 +1,7 @@
 [project]
 name = "comfyui-manager"
 description = "ComfyUI-Manager provides features to install and manage custom nodes for ComfyUI, as well as various functionalities to assist with ComfyUI."
-version = "2.51.5"
+version = "2.51.6"
 license = { file = "LICENSE.txt" }
 dependencies = ["GitPython", "PyGithub", "matrix-client==0.4.0", "transformers", "huggingface-hub>0.20", "typer", "rich", "typing-extensions"]