Skip to content

Add ComfyUI-Workflow-Studio#2706

Merged
ltdrdata merged 1 commit into
Comfy-Org:mainfrom
ketle-man:add-workflow-studio
May 10, 2026
Merged

Add ComfyUI-Workflow-Studio#2706
ltdrdata merged 1 commit into
Comfy-Org:mainfrom
ketle-man:add-workflow-studio

Conversation

@ketle-man
Copy link
Copy Markdown
Contributor

@ketle-man ketle-man commented Mar 18, 2026

Summary

  • Add ComfyUI-Workflow-Studio to the custom node list

Custom Node Info

Description

Workflow management and generation UI plugin for ComfyUI.

  • Workflow Tab: Browse, search, and organize workflows with thumbnail/card/table views, metadata analysis, and AI-generated summaries
  • GenerateUI Tab: Auto-generated parameter editing UI with one-click generation, seed control, and Raw JSON editor with syntax highlighting
  • Prompt Tab: AI chat assistant powered by Ollama with JA/EN/ZH translation and prompt presets
  • Settings Tab: Configurable workflows directory, Ollama/Eagle integration, multi-language UI (English/Japanese/Chinese)

Screenshots

Workflow Tab GenerateUI Tab
Workflow GenerateUI
Prompt Tab Settings Tab
Prompt Settings

@ketle-man
Add ComfyUI-Workflow-Studio to custom node list
0e9c0ba 
Rebase on latest main to resolve merge conflict.
@ketle-man ketle-man force-pushed the add-workflow-studio branch from 86f2629 to 0e9c0ba Compare March 21, 2026 03:38
@ltdrdata
Copy link
Copy Markdown
Member

ltdrdata commented Mar 22, 2026

Access to arbitrary paths must not be allowed.

https://github.com/ketle-man/ComfyUI-Workflow-Studio/blob/fc82c0fed0d90d9e3337058b120fee0c9ffbd076/py/services/workflow_service.py#L139

https://github.com/ketle-man/ComfyUI-Workflow-Studio/blob/fc82c0fed0d90d9e3337058b120fee0c9ffbd076/py/services/workflow_service.py#L161

@ketle-man
Copy link
Copy Markdown
Contributor Author

ketle-man commented Mar 23, 2026

Thank you for the review, @ltdrdata.

I've fixed the path traversal vulnerability in workflow_service.py:

  • Added _safe_path() method that validates filenames and ensures resolved paths stay within workflows_dir using Path.resolve()
  • Applied path validation to all public methods: import_files, get_raw, rename, delete, analyze, change_thumbnail
  • Strengthened _validate_filename() with ., .., and null byte checks

Commit: ketle-man/ComfyUI-Workflow-Studio@42ffd8d
Release: https://github.com/ketle-man/ComfyUI-Workflow-Studio/releases/tag/v0.1.6

Could you please re-review when you have a chance?

@ketle-man
Copy link
Copy Markdown
Contributor Author

ketle-man commented Mar 31, 2026

Hi @ltdrdata,

I wanted to follow up on this PR. The path traversal vulnerability you flagged has been fixed in v0.1.6 (commit 42ffd8d) — _safe_path() was added to validate all filenames and ensure resolved paths stay within workflows_dir.

Since then, the plugin has grown significantly. Current version is v0.2.4 (commit e7fdfc4), with additions including:

  • Models Tab — CivitAI integration, model grouping, preview images
  • Workflow Studio Library — sidebar panel for browsing workflow/prompt presets in ComfyUI
  • GenerateUI redesign — 3-tab layout with always-visible Raw JSON column

Could you please take another look when you have time? Thank you!

@ltdrdata ltdrdata merged commit ed8baf3 into Comfy-Org:main May 10, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ketle-man @ltdrdata