ComfyUI

mirror of https://github.com/comfyanonymous/ComfyUI.git synced 2026-05-30 04:37:29 +08:00

Files

dante01yoon db9c8cc2fd fix(server): scope prompt metadata to active prompt_id and validate at submission

Address adversarial-review findings on FE-745 metadata propagation:

- send_sync previously spread active_prompt_metadata onto every dict
  payload, contaminating unrelated status/queue broadcasts with the
  running prompt's workflow_id. Change the slot to (prompt_id, metadata)
  and only inject when payload.prompt_id matches the active prompt_id.
  Same condition applied to the WS reconnect catch-up frame.

- post_prompt now validates extra_data.metadata at the submission
  boundary: flat dict[str,str], max 16 keys, 64-char keys, 256-char
  values, and reserved server-side keys (prompt_id, node, output, etc.)
  are rejected with 400. Removes the broadcast-amplification vector
  where a client could submit arbitrarily large metadata and force it
  onto every WS frame.

- Extract validate_client_metadata + caps into app/prompt_metadata.py so
  tests can import without pulling server.py's import-time side effects.

- Expand tests-unit/server_test/test_prompt_metadata.py from 12 to 47:
  add TestStatusBroadcastsAreNotContaminated for prompt_id-scoping and
  TestValidateClientMetadata for the new submission-boundary checks
  (including parametrized reserved-key rejection).

2026-05-20 19:01:38 +09:00

assets

fix(assets): recognize temp directory in asset category resolution (#13159 )

2026-03-25 19:59:59 -07:00

database

feat(assets): align local API with cloud spec (#12863 )

2026-03-16 12:34:04 -07:00

__init__.py

Add FrontendManager to manage non-default front-end impl (#3897 )

2024-07-16 11:26:11 -04:00

app_settings.py

Update frontend to v1.25.10 and revert navigation mode override (#9522 )