fixed: robust validation when model downloading

fixed: a condition code wasn’t saved after editing... lol
2025-03-12 21:10:02 +09:00 · 2025-03-12 21:00:05 +09:00
3 changed files with 9 additions and 3 deletions
--- a/glob/manager_core.py
+++ b/glob/manager_core.py
@@ -43,7 +43,7 @@ import manager_downloader
 from node_package import InstalledNodePackage


-version_code = [3, 30, 6]
+version_code = [3, 30, 8]
 version_str = f"V{version_code[0]}.{version_code[1]}" + (f'.{version_code[2]}' if len(version_code) > 2 else '')


--- a/glob/manager_server.py
+++ b/glob/manager_server.py
@@ -273,7 +273,7 @@ import zipfile
 import urllib.request


-def get_model_dir(data, show_log=False):
+def get_model_dir(data, show_log=False) -> str | None:
    if 'download_model_base' in folder_paths.folder_names_and_paths:
        models_base = folder_paths.folder_names_and_paths['download_model_base'][0][0]
    else:
@@ -281,6 +281,11 @@ def get_model_dir(data, show_log=False):

    def resolve_custom_node(save_path):
        save_path = save_path[13:] # remove 'custom_nodes/'
+
+        # NOTE: Validate to prevent path traversal.
+        if save_path.startswith(os.path.sep) or ':' in save_path:
+            return None
+
        repo_name = save_path.replace('\\','/').split('/')[0] # get custom node repo name

        # NOTE: The creation of files within the custom node path should be removed in the future.
@@ -1413,6 +1418,7 @@ async def check_whitelist_for_model(item):
    json_obj = await core.get_data_by_mode('cache', 'model-list.json')

    for x in json_obj.get('models', []):
+        if x['save_path'] == item['save_path'] and x['base'] == item['base'] and x['filename'] == item['filename']:
            return True
        
    return False
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,7 +1,7 @@
 [project]
 name = "comfyui-manager"
 description = "ComfyUI-Manager provides features to install and manage custom nodes for ComfyUI, as well as various functionalities to assist with ComfyUI."
-version = "3.30.6"
+version = "3.30.8"
 license = { file = "LICENSE.txt" }
 dependencies = ["GitPython", "PyGithub", "matrix-client==0.4.0", "transformers", "huggingface-hub>0.20", "typer", "rich", "typing-extensions", "toml", "uv", "chardet"]
Author	SHA1	Message	Date
Dr.Lt.Data	bbb54d4a08	fixed: robust validation when model downloading	2025-03-12 21:10:02 +09:00
Dr.Lt.Data	4566c585db	fixed: a condition code wasn’t saved after editing... lol	2025-03-12 21:00:05 +09:00