Defense-in-depth over GET→POST alone: reject the three CORS-safelisted
simple-form Content-Types (x-www-form-urlencoded, multipart/form-data,
text/plain) on 5 no-body POST handlers (snapshot/save,
manager/queue/{reset,start,update_comfyui}, manager/reboot) to block
<form method=POST> CSRF that bypasses method-only gating. Convert 10 pure
state-changing endpoints (fetch_updates, queue/{update_all,reset,start,
update_comfyui}, snapshot/{remove,restore,save}, comfyui_switch_version,
reboot) from GET to POST and split 5 config endpoints
(db_mode/preview_method/channel_url_list/policy/{component,update}) into
GET(read) + POST(write, JSON body). Emit the in_progress + done event pair
from the /manager/queue/install sync-enable fast-path so client UI
finalizes (previously only queue/start's empty worker done fired, leaving
item.restart unset and the Enable button visible after a successful enable).
Harden js/custom-nodes-manager.js completion path: await onQueueCompleted
with try/catch (surfaces silent turbogrid stale-item throws), replace the
{}.length == 0 no-op empty guard, set install_context before queue/install
to avoid a sync-completion race, wrap classList/updateCell in try/catch.
Resynchronize openapi.yaml with the converted routes (method → post, query
params → requestBody JSON schema, sibling post on 5 split endpoints).
Update 31 JS fetchApi call sites across 7 files; add
tests/test_csrf_content_type_helper.py covering 5 Content-Type cases via
aiohttp TestClient.

Reported-by: XlabAI Team of Tencent Xuanwu Lab
CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)

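The Content-Type gate the commit message above describes, as an added example that is not ComfyUI-Manager's own code. An HTML form can only submit with one of the three CORS-safelisted Content-Types, so a POST handler that never expects a body can refuse exactly those three and still accept the project's own JSON or body-less fetchApi calls. The helper below is framework-independent so it runs offline; the response codes (405 for a non-POST, 415 for a form-style Content-Type) and the function names are this example's assumptions, not something the commit specifies. Sample requests at the bottom are constructed for illustration.

```python
"""Content-Type gate against <form method=POST> CSRF.

Added example, not ComfyUI-Manager's code. Framework-independent version of
the check described in the commit above: reject the three CORS-safelisted
"simple form" Content-Types on POST handlers that take no body.
"""
from __future__ import annotations

# The three Content-Types a browser attaches to a cross-site HTML form
# submission (and to a "simple" CORS request) without any preflight.
FORM_CONTENT_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})


def media_type(content_type: str | None) -> str | None:
    """Lower-cased MIME type of a Content-Type value, with parameters such as
    'charset=utf-8' or 'boundary=----abc' dropped. None/blank maps to None."""
    if content_type is None:
        return None
    head = content_type.split(";", 1)[0].strip().lower()
    return head or None


def is_form_content_type(content_type: str | None) -> bool:
    """True when the header names one of the safelisted form types."""
    mt = media_type(content_type)
    return mt is not None and mt in FORM_CONTENT_TYPES


def check_no_body_post(method: str, headers: dict[str, str]) -> tuple[int, str]:
    """Gate for a state-changing endpoint that takes no request body.

    Returns (status, reason). 200 means the request may proceed. Methods
    other than POST get 405, since the endpoints were converted from GET to
    POST and must not answer GET any more (method gating). A form-style
    Content-Type gets 415 (the defense-in-depth layer). Status codes are an
    assumption of this example. Header lookup is case-insensitive.
    """
    if method.upper() != "POST":
        return 405, "method-not-allowed"
    ct = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    if is_form_content_type(ct):
        return 415, "form-content-type-rejected"
    return 200, "ok"


# Constructed sample requests (not captured traffic): label -> (method, headers)
SAMPLE_REQUESTS = {
    "fetchApi json":        ("POST", {"Content-Type": "application/json"}),
    "fetchApi no body":     ("POST", {}),
    "html form urlencoded": ("POST", {"content-type": "application/x-www-form-urlencoded"}),
    "html form multipart":  ("POST", {"Content-Type": "multipart/form-data; boundary=----x"}),
    "html form text/plain": ("POST", {"Content-Type": "TEXT/PLAIN; charset=UTF-8"}),
    "legacy GET":           ("GET", {}),
}


def run_samples() -> dict[str, int]:
    """Apply the gate to every sample and return label -> status."""
    return {label: check_no_body_post(m, h)[0] for label, (m, h) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, status in run_samples().items():
        print(f"{status}  {label}")
```

To wire this into an aiohttp handler, pass `request.method` and `request.headers` to `check_no_body_post` before doing any work. Two caveats worth keeping in mind: the MIME type must be compared after stripping parameters and case-folding, since browsers send `multipart/form-data; boundary=...` and the type token is case-insensitive; and a cross-site `fetch()` in `no-cors` mode with no body sends no Content-Type at all, so this gate deliberately lets a missing header through and covers only the `<form>` vector named in the commit. Origin or Sec-Fetch-Site checks are the natural next layer.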
- Migrate Manager data path: default/ComfyUI-Manager → __manager
- Force security_level=strong on outdated ComfyUI (block installations)
- Auto-migrate config.ini only; backup legacy files for manual verification
- Raise weak/normal- to normal during migration
- Add /manager/startup_alerts API for UI warnings
- Differentiate 403 responses: comfyui_outdated vs security_level
- Block startup scripts execution on old ComfyUI
Requires ComfyUI v0.3.76+ for full functionality.
Backward compatible with older versions (uses legacy path).

This allows nodes to be pulled from git repositories that:
1. Require authentication
2. Are located on a computer that does not have any special software
beyond an SSH server to serve up git repos
3. Are hosted on sites that exclusively allow SSH access
I have also cleaned up the JavaScript regex for identifying valid HTTP
addresses. Due to an unescaped '.' and the lack of a count on the first
group, it wasn't doing a whole lot anyway -- just checking that the very
first character wasn't invalid.

* fixed row height with lib API
* update grid lib
* UI adjustment
* move some of api to common utils
* added model manager
* update install
* replace model-downloader with model-manager
* replace model-downloader with model-manager
* fixed filter
* fixed status
* apply loading animation for install button
* sort type and base
* new custom nodes manager
* fix loading
* replace built-in sha1 with md5
* better description link
* fix the update button disappearing when the dialog is opened again
* fix the restart-required status when the dialog is opened again
* merge with main branch
* add trust icon for author
* fixed grid theme for Comfy.ColorPalette
* fix get_unresolved
* remove useless file
* supports better theme with comfyui color palette
* add extensions column
* fixed conflicts