fix(security): add input sanitization and path traversal protection

- Sanitize config string values to prevent CRLF injection attacks - Add get_safe_snapshot_path() helper to validate snapshot targets - Block path traversal attempts in remove_snapshot and restore_snapshot endpoints - Reject targets containing /, \, .., or null characters
2026-01-19 03:35:17 +08:00 · 2026-01-08 18:22:29 +09:00
parent 8d67702ab0
commit f4fa394e0f
3 changed files with 26 additions and 4 deletions
--- a/glob/manager_core.py
+++ b/glob/manager_core.py
@ -44,7 +44,7 @@ import manager_migration
 from node_package import InstalledNodePackage
-version_code = [3, 39, 1]
+version_code = [3, 39, 2]
 version_str = f"V{version_code[0]}.{version_code[1]}" + (f'.{version_code[2]}' if len(version_code) > 2 else '')
@ -1701,6 +1701,11 @@ def write_config():
        'db_mode': get_config()['db_mode'],
    }
    # Sanitize all string values to prevent CRLF injection attacks
    for key, value in config['default'].items():
        if isinstance(value, str):
            config['default'][key] = value.replace('\r', '').replace('\n', '').replace('\x00', '')
    directory = os.path.dirname(manager_config_path)
    if not os.path.exists(directory):
        os.makedirs(directory)
--- a/glob/manager_server.py
+++ b/glob/manager_server.py
@ -997,6 +997,15 @@ async def get_snapshot_list(request):
    return web.json_response({'items': items}, content_type='application/json')
 def get_safe_snapshot_path(target):
    """
    Safely construct a snapshot file path, preventing path traversal attacks.
    """
    if '/' in target or '\\' in target or '..' in target or '\x00' in target:
        return None
    return os.path.join(core.manager_snapshot_path, f"{target}.json")
@routes.get("/snapshot/remove")
 async def remove_snapshot(request):
    if not is_allowed_security_level('middle'):
@ -1005,8 +1014,12 @@ async def remove_snapshot(request):
    try:
        target = request.rel_url.query["target"]
        path = get_safe_snapshot_path(target)
        if path is None:
            logging.error(f"[ComfyUI-Manager] Invalid snapshot target: {target}")
            return web.Response(text="Invalid snapshot target", status=400)
        path = os.path.join(core.manager_snapshot_path, f"{target}.json")
        if os.path.exists(path):
            os.remove(path)
@ -1023,8 +1036,12 @@ async def restore_snapshot(request):
    try:
        target = request.rel_url.query["target"]
        path = get_safe_snapshot_path(target)
        if path is None:
            logging.error(f"[ComfyUI-Manager] Invalid snapshot target: {target}")
            return web.Response(text="Invalid snapshot target", status=400)
        path = os.path.join(core.manager_snapshot_path, f"{target}.json")
        if os.path.exists(path):
            if not os.path.exists(core.manager_startup_script_path):
                os.makedirs(core.manager_startup_script_path)
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,7 +1,7 @@
 [project]
 name = "comfyui-manager"
 description = "ComfyUI-Manager provides features to install and manage custom nodes for ComfyUI, as well as various functionalities to assist with ComfyUI."
-version = "3.39.1"
+version = "3.39.2"
 license = { file = "LICENSE.txt" }
 dependencies = ["GitPython", "PyGithub", "matrix-nio", "transformers", "huggingface-hub>0.20", "typer", "rich", "typing-extensions", "toml", "uv", "chardet"]