Vulnerability Summary

Vulnerability Overview

Vulnerability ID: #791112
Vulnerability name: comfyanonymous ComfyUI PreviewImage -> /view chained call leaks image contents

Remediation

Root cause: the function performs no path-safety check on the result of […], which allows a path traversal attack.

Suggested fixes:
- Add a path-safety check to the […] function, ensuring the path contains no illegal characters such as […].
- Apply strict input validation and filtering to every operation that involves a file path.

POC

Vulnerable code file: folder_paths.py (lines 259-268)
Method: get_annotated_filepath
Why: `os.path.join("comfyui/input", "../..//etc/shadow_image")` resolves to `/etc/shadow_image`. The protected `get_full_path` uses `os.path.relpath` for containment, but `get_annotated_filepath` has no such check. The `VALIDATE_INPUTS` in nodes only checks file existence, not path confinement.

Reproduction
1. Submit a crafted workflow via POST /prompt with path traversal in the LoadImage image field: `{"image": "../..//tmp/secret.jpg", "upload": "image"}`
2. File existence oracle: HTTP 200 (file exists) vs HTTP 400 (file not found).
3. Chain with PreviewImage -> /view to exfiltrate the image content.
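The containment check the remediation calls for, written as an added example that is not ComfyUI's own code: `INPUT_DIR` is a hypothetical stand-in for the input folder, `unsafe_join` mirrors the bare-join pattern, and `is_confined` applies the same `os.path.relpath` idea the report credits to `get_full_path`, while still accepting legitimate names that merely begin with dots.

```python
import os
from typing import Optional

# Hypothetical base directory standing in for ComfyUI's input folder
# (an assumption for this example; any absolute path works).
INPUT_DIR = os.path.abspath("comfyui/input")


def unsafe_join(base: str, name: str) -> str:
    """The flawed pattern: join and normalise with no confinement check,
    so '..' segments in `name` can walk out of `base`."""
    return os.path.normpath(os.path.join(base, name))


def is_confined(base: str, candidate: str) -> bool:
    """True only if `candidate` resolves inside `base`.

    Uses os.path.relpath: the relative path must not be '..' and must not
    start with '../'. A plain startswith('..') test would wrongly reject a
    legitimate file named '..foo.png'.
    """
    base = os.path.abspath(base)
    candidate = os.path.abspath(candidate)
    try:
        rel = os.path.relpath(candidate, base)
    except ValueError:  # different drives on Windows: cannot be inside base
        return False
    return rel != os.pardir and not rel.startswith(os.pardir + os.sep)


def safe_annotated_filepath(base: str, name: str) -> Optional[str]:
    """Hardened lookup: return the resolved path, or None when it escapes
    `base`. Callers should answer None with one generic error so the
    response does not double as a file-existence oracle."""
    full = os.path.abspath(os.path.join(base, name))
    return full if is_confined(base, full) else None
```

An absolute `name` is rejected as well, because `os.path.join` discards `base` when the second argument starts with a separator and the resolved path then lies outside it.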