Is it necessary to avoid loading components from dotted directory?
asbytes opened this issue · 3 comments
Is there any substantial reason to skip loading of components which are placed in a dotted dir? I mean this:
I have my whole ComfyUI setup in a dotted directory in my user profile dir, and components aren't loaded until I remove this check.
That is a sanitizer for standard security. It prevents access outside of ComfyUI using relative paths.
This code doesn't receive any user input, which could lead to path traversal.
@asbytes Sure it can. What you are not realizing is that the author has written code to override the functionality of other nodes, such as load image, to embed image refiner. I too have done a similar thing, via JavaScript; this is how I modified the LoadImage node so I can inject my own commands. If I chose to, I can target this author's nodes/refiner, and skip the endpoints check, and use this script to bypass it, if `if any(part.startswith(".") for part in root.split("/")):` wasn't in place. This effectively replaces the functions.
```javascript
var originalLoadImageNode = LiteGraph.registered_node_types['LoadImage'];

// Define the extended node
function ExtendedLoadImage() {
    originalLoadImageNode.call(this); // Call the original constructor

    // Modify the upload button widget after the node is fully initialized
    setTimeout(() => {
        var uploadWidget = this.widgets.find(w => w.name === 'upload');
        if (uploadWidget) {
            // Replace the widget's click handler with a custom function
            uploadWidget.callback = () => {
                myLoadAnythingScriptAndSendWithFetchCanGoHere();
            };
        }
    }, 0);
}

// Inherit from the original node type
ExtendedLoadImage.prototype = Object.create(originalLoadImageNode.prototype);
ExtendedLoadImage.prototype.constructor = ExtendedLoadImage;

// Register the new node type
LiteGraph.registerNodeType('LoadImage', ExtendedLoadImage);
```
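Added example, not code from the project or from anyone in this thread: it runs the dot-prefix check quoted above against the full walked path, compares it with a variant that tests only path parts below the components directory, and shows a resolve-based containment check next to both. The `os.walk` loop, the function names and the directory layout are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path


def skipped_by_quoted_check(root: str) -> bool:
    # The check quoted in the thread, applied to the whole walked path.
    return any(part.startswith(".") for part in root.split("/"))


def skipped_relative(root: str, base: str) -> bool:
    # Variant (assumption): only names *below* base are tested, so a dotted
    # parent of the install does not hide every component.
    rel = Path(root).resolve().relative_to(Path(base).resolve())
    return any(part.startswith(".") for part in rel.parts)


def is_contained(candidate: str, base: str) -> bool:
    # Containment: resolve symlinks and "..", then require the result to stay
    # under base. This does not depend on dot-prefixed names at all.
    resolved, base_resolved = Path(candidate).resolve(), Path(base).resolve()
    return resolved == base_resolved or base_resolved in resolved.parents


def walk_components(base: str, skip) -> list[str]:
    # Collect files under base, honouring the given skip rule per directory.
    found = []
    for root, _dirs, files in os.walk(base):
        if skip(root):
            continue
        found += [os.path.relpath(os.path.join(root, f), base) for f in files]
    return sorted(found)


def demo() -> dict:
    # Constructed layout: the whole install lives under a dotted directory.
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, ".apps", "ComfyUI", "components")
        os.makedirs(os.path.join(base, ".git"))
        os.makedirs(os.path.join(base, "mine"))
        Path(base, "mine", "example.json").write_text("{}")
        Path(base, ".git", "config").write_text("")
        return {
            "quoted": walk_components(base, skipped_by_quoted_check),
            "relative": walk_components(base, lambda r: skipped_relative(r, base)),
            "traversal": is_contained(os.path.join(base, "..", "..", "x"), base),
            "inside": is_contained(os.path.join(base, "mine", "example.json"), base),
        }
```
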