fixed: robust validation when model downloading #2

glob/manager_core.py

@@ -43,7 +43,7 @@ import manager_downloader
 from node_package import InstalledNodePackage
 
 
-version_code = [3, 30, 8]
+version_code = [3, 30, 9]
 version_str = f"V{version_code[0]}.{version_code[1]}" + (f'.{version_code[2]}' if len(version_code) > 2 else '')
 
 

glob/manager_server.py

@@ -279,6 +279,10 @@ def get_model_dir(data, show_log=False) -> str | None:
     else:
         models_base = folder_paths.models_dir
 
+    # NOTE: Validate to prevent path traversal.
+    if any(char in data['filename'] for char in {'/', '\\', ':'}):
+        return None
+
     def resolve_custom_node(save_path):
         save_path = save_path[13:] # remove 'custom_nodes/'