fix(security): harden CSRF with Content-Type gate and expand E2E coverage (#2818)

Defense-in-depth over GET→POST alone: reject the three CORS-safelisted
simple-form Content-Types (x-www-form-urlencoded, multipart/form-data,
text/plain) on 16 no-body POST handlers (glob + legacy) to block
<form method=POST> CSRF that bypasses method-only gating. Move
comfyui_switch_version to a JSON body so the preflight requirement applies.
Split db_mode/policy/update/channel_url_list into GET(read) + POST(write).
Tighten do_fix (high → high+) and gate three previously-ungated config
setters at middle. Resynchronize openapi.yaml (27 paths, 30 operations,
ComfyUISwitchVersionParams as a shared $ref component). Add E2E harness
variants, Playwright config, CSRF/secgate suites, 39-endpoint coverage,
and a CHANGELOG.

Breaking: legacy per-op POST routes (install/uninstall/fix/disable/update/
reinstall/abort_current) are removed; callers already use queue/batch.
Legacy /manager/notice (v1) is removed; /v2/manager/notice is retained.

Reported-by: XlabAI Team of Tencent Xuanwu Lab
CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)

Author: ltdrdata

.github/workflows/e2e.yml

@@ -71,4 +71,4 @@ jobs:
           fi
           uv pip install --python "$VENV_PY" pytest pytest-timeout
 
-          "$VENV_PY" -m pytest tests/e2e/test_e2e_uv_compile.py -v -s --timeout=300
+          "$VENV_PY" -m pytest tests/cli/test_uv_compile.py -v -s --timeout=300

.gitignore

@@ -24,3 +24,5 @@ dist
 .env
 .claude
 test_venv
+node_modules/
+artifacts/

CHANGELOG.md

@@ -0,0 +1,123 @@
+# Changelog
+
+All notable changes to **ComfyUI-Manager** are documented in this file.
+
+The format is based on [Keep a Changelog 1.1.0](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning 2.0.0](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+Security-hardening release on branch `fix/csrf-post-conversion`. Contains
+breaking-ish API changes for state-mutating endpoints. See **Migration notes**
+below before upgrading programmatic clients.
+
+### Security
+
+- **CSRF Content-Type gate**: 18 state-mutation POST handlers (9 in `glob`, 9 in
+  `legacy`) now reject the three CORS "simple request" Content-Types
+  (`application/x-www-form-urlencoded`, `multipart/form-data`, `text/plain`).
+  This closes the residual `<form method="POST">` bypass route that remained
+  after the GET→POST transition. Legitimate clients using `application/json`
+  (or no body) are unaffected.
+- **`do_fix` security level raised from `high` to `high+`**: aligns the
+  enforcement gate (`is_allowed_security_level`) with the log text emitted by
+  `SECURITY_MESSAGE_HIGH_P`. Both `glob/manager_server.py` and
+  `legacy/manager_server.py` updated in lockstep. Environments running at
+  `security_level = high` can no longer fix a nodepack — use
+  `security_level = normal` or lower.
+- **Config setters now gated at `middle` security level**:
+  `POST /v2/manager/db_mode`, `POST /v2/manager/policy/update`, and
+  `POST /v2/manager/channel_url_list` now check
+  `is_allowed_security_level('middle')` before mutating configuration (both
+  `glob` and `legacy`). Closes a pre-existing gap where the write path was
+  reachable at any security level. Reads (`GET`) remain unrestricted.
+
+### Changed
+
+- **State-changing endpoints converted from `GET` to `POST`** (CSRF hardening):
+  `/v2/manager/queue/{update_all, reset, start, update_comfyui}`,
+  `/v2/snapshot/{remove, restore, save}`,
+  `/v2/comfyui_manager/comfyui_switch_version`,
+  `/v2/manager/reboot`.
+  Query-string parameters are preserved where they existed; only the HTTP
+  method changes.
+- **`POST /v2/comfyui_manager/comfyui_switch_version` parameters moved from
+  query string to JSON body** (REST idiom + body-reading CSRF posture):
+  The handler now consumes `application/json` with the body shape
+  `{"ver": "...", "client_id": "...", "ui_id": "..."}` instead of reading
+  `?ver=...&client_id=...&ui_id=...` from the URL. Because body-reading
+  handlers are already covered by the CORS-preflight mechanism for
+  cross-origin protection, the Content-Type rejection gate introduced for
+  the other state-mutation endpoints is intentionally NOT applied here
+  (see `comfyui_manager/common/manager_security.py` module docstring).
+  The first-party JS client in `comfyui_manager/js/comfyui-manager.js`
+  was updated in the same change; third-party callers must migrate.
+- **Config endpoints split into `GET` (read) + `POST` (write)**:
+  `/v2/manager/{db_mode, policy/update, channel_url_list}`. `GET` returns the
+  current value; `POST` accepts a JSON body `{"value": "..."}`. The prior
+  single-method form that accepted a `?value=...` query parameter on either
+  verb is retired.
+- **`openapi.yaml` fully resynchronized** with the server: HTTP methods, the
+  dual-method splits above, request-body schemas for the new POST setters,
+  and the `TaskHistoryItem.params` field now match `manager_server.py`.
+- **Legacy `restart(self)` → `restart(request)`**: parameter name corrected.
+  No behavioral change.
+
+### Added
+
+- **E2E test harness variants** for security-level and legacy-mode scenarios:
+  `tests/e2e/scripts/start_comfyui_legacy.sh`,
+  `tests/e2e/scripts/start_comfyui_permissive.sh`,
+  `tests/e2e/scripts/start_comfyui_strict.sh`. See
+  `docs/guide/GUIDE_E2E_TEST.md` for usage.
+- **`COMFYUI_MANAGER_SKIP_MANAGER_REQUIREMENTS` environment variable**: when
+  set, skips the `manager_requirements.txt` reinstall path. Intended for E2E
+  environments where those dependencies are provisioned separately.
+- **`TaskHistoryItem.params` field** (Pydantic + `openapi.yaml`): mirrors
+  `QueueTaskItem.params` so that task history retains the original request
+  payload (nullable when unavailable).
+- **Automated endpoint coverage** — pytest E2E + Playwright specs covering all
+  39 unique `(method, path)` endpoints across `glob` and `legacy`. Coverage is
+  tracked in `reports/api-coverage-matrix.md` and
+  `reports/e2e_test_coverage.md`.
+
+### Removed
+
+- **Legacy per-operation POST routes consolidated into `POST /v2/manager/queue/batch`**:
+  `/v2/manager/queue/{install, uninstall, update, fix, disable, reinstall, abort_current}`.
+  The first-party JS client already uses `queue/batch`; only third-party
+  scripts that call the per-operation routes directly are affected.
+- **`GET /manager/notice`** (v1, pip-install redirect banner).
+  `GET /v2/manager/notice` remains available.
+
+### Migration notes
+
+- Third-party clients calling `POST /v2/manager/queue/install` (and the other
+  per-operation queue routes) must switch to
+  `POST /v2/manager/queue/batch` with a body such as
+  `{"install": [{id, ver, ...}], "batch_id": "..."}`. See
+  `reports/endpoint_scenarios.md` for the full payload shape.
+- Programmatic clients that posted to the CSRF-hardened endpoints with
+  `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain`
+  must switch to `application/json` (or omit the body entirely when the
+  endpoint takes its parameters from the query string).
+- Clients that called any of the methods listed under **Changed → State-changing
+  endpoints** with `GET` must switch to `POST`. Query parameters remain valid.
+- Clients that wrote configuration via
+  `GET /v2/manager/{db_mode, policy/update, channel_url_list}?value=...`
+  must switch to `POST` with JSON body `{"value": "..."}`.
+- Third-party scripts calling
+  `POST /v2/comfyui_manager/comfyui_switch_version?ver=...&client_id=...&ui_id=...`
+  must switch to `POST` with `Content-Type: application/json` and body
+  `{"ver": "...", "client_id": "...", "ui_id": "..."}`. The query-string
+  form no longer works.
+- Environments running at `security_level = high` can no longer run
+  `do_fix`. Either lower the security level (`normal`, `normal-`, or `weak`
+  as appropriate) or skip the fix operation.
+- Environments running at `security_level = high` can no longer mutate
+  `db_mode`, `policy/update`, or `channel_url_list` via POST (returns `403`).
+  Lower the security level to `normal` or below to change configuration, or
+  perform the change from a trusted entry point. Read access via `GET` is
+  unaffected.
+
+[Unreleased]: https://github.com/Comfy-Org/ComfyUI-Manager/compare/v4.1b6...HEAD

README.md

@@ -324,8 +324,8 @@ The security settings are applied based on whether the ComfyUI server's listener
 
 | Risky Level | features                                                                                                                              |
 |-------------|---------------------------------------------------------------------------------------------------------------------------------------|
-| high+       | * `Install via git url`, `pip install`<BR>* Installation of nodepack registered not in the `default channel`.                         |
-| high        | * Fix nodepack                                                                                                                        |
+| high+       | * `Install via git url`, `pip install`<BR>* Installation of nodepack registered not in the `default channel`.<BR>* **Switch ComfyUI version**<BR>* **Fix nodepack** |
+| high        | _(no features at this tier — `Fix nodepack` promoted to `high+` to align the enforcement gate with the `SECURITY_MESSAGE_HIGH_P` log text)_ |
 | middle+     | * Uninstall/Update<BR>* Installation of nodepack registered in the `default channel`.<BR>* Restore/Remove Snapshot<BR>* Install model |
 | middle      | * Restart                                                                                                                             |
 | low         | * Update ComfyUI                                                                                                                      |

comfyui_manager/__init__.py

@@ -26,7 +26,15 @@ def start():
                 logging.info("[ComfyUI-Manager] Legacy UI is enabled.")
                 nodes.EXTENSION_WEB_DIRS['comfyui-manager-legacy'] = os.path.join(os.path.dirname(__file__), 'js')
             except Exception as e:
-                print("Error enabling legacy ComfyUI Manager frontend:", e)
+                # WI-V: upgraded silent `print` to a proper logging.error with
+                # traceback so future legacy-UI load failures are visible in
+                # the log, not swallowed. The original `print` could be lost
+                # depending on how stdout is captured.
+                import traceback
+                logging.error(
+                    "[ComfyUI-Manager] Error enabling legacy frontend: "
+                    f"{type(e).__name__}: {e}\n{traceback.format_exc()}"
+                )
                 core = None
         else:
             from .glob import manager_server  # noqa: F401

comfyui_manager/common/manager_security.py

@@ -1,10 +1,74 @@
+"""Security helpers for CSRF protection and Content-Type gating.
+
+reject_simple_form_post() is applied ONLY to POST handlers that do not consume
+a request body (e.g., snapshot/save, queue/reset, queue/start, reboot). These
+are vulnerable to cross-origin <form method=POST> attacks because the server
+accepts the request without parsing any body — the attacker needs no ability
+to forge a valid payload, only to point a hidden form at the URL.
+
+Handlers that DO read a body via ``await request.json()`` (install/git_url,
+install/pip, queue/install_model, db_mode POST, policy/update POST,
+channel_url_list POST, queue/batch, queue/task, import_fail_info, etc.) are
+NOT gated here — a cross-origin <form method=POST> cannot forge a valid JSON
+body because the browser refuses to send ``application/json`` without a CORS
+preflight, which this server rejects by not responding with an appropriate
+Access-Control-Allow-Origin.
+
+DO NOT add the gate to body-reading handlers (redundant + UX-breaking).
+DO NOT remove the gate from no-body handlers (this is the bypass vector).
+"""
+
 import os
 from enum import Enum
 from typing import Optional
 
+from aiohttp import web
+
 is_personal_cloud_mode = False
 handler_policy = {}
 
+
+# CORS "simple request" Content-Type set per Fetch spec §3.2.3. Browsers send
+# <form method=POST> submissions with one of these three MIME types and do NOT
+# trigger a CORS preflight, so a malicious cross-origin page can silently POST
+# into state-changing endpoints if we only gate on HTTP method. Blocking these
+# three Content-Types on our mutation endpoints forces any non-same-origin POST
+# to use a non-simple Content-Type (e.g. application/json), which triggers a
+# preflight that this server rejects (no Access-Control-Allow-Origin response).
+_SIMPLE_FORM_CONTENT_TYPES = frozenset({
+    'application/x-www-form-urlencoded',
+    'multipart/form-data',
+    'text/plain',
+})
+
+
+def reject_simple_form_post(request) -> Optional[web.Response]:
+    """Reject Content-Types that enable preflight-less <form method=POST> CSRF.
+
+    These 3 MIME types are the complete CORS "simple request" Content-Type set
+    (Fetch spec §3.2.3 "CORS-safelisted request-header"). Blocking them
+    eliminates the <form method=POST> cross-origin CSRF vector, because any
+    other Content-Type triggers a browser-enforced CORS preflight — and this
+    server does not answer preflights with ``Access-Control-Allow-Origin``,
+    effectively blocking cross-origin requests that use non-simple types.
+
+    Returns:
+        web.Response(status=400) when the request has a simple-form
+        Content-Type that must be rejected. None when the request is allowed
+        to proceed (no body, application/json, or any non-simple Content-Type).
+
+    Note:
+        aiohttp's ``request.content_type`` normalizes the header (lower-cases,
+        strips parameters), so a ``multipart/form-data; boundary=----X`` header
+        is compared as ``multipart/form-data``.
+    """
+    if request.content_type in _SIMPLE_FORM_CONTENT_TYPES:
+        return web.Response(
+            status=400,
+            text='Invalid Content-Type for this endpoint. Use application/json or omit body.',
+        )
+    return None
+
 class HANDLER_POLICY(Enum):
     MULTIPLE_REMOTE_BAN_NON_LOCAL = 1
     MULTIPLE_REMOTE_BAN_NOT_PERSONAL_CLOUD = 2

comfyui_manager/data_models/__init__.py

@@ -57,7 +57,7 @@
     EnablePackParams,
     UpdateAllQueryParams,
     UpdateComfyUIQueryParams,
-    ComfyUISwitchVersionQueryParams,
+    ComfyUISwitchVersionParams,
     QueueStatus,
     ManagerMappings,
     ModelMetadata,
@@ -121,7 +121,7 @@
     "EnablePackParams",
     "UpdateAllQueryParams",
     "UpdateComfyUIQueryParams",
-    "ComfyUISwitchVersionQueryParams",
+    "ComfyUISwitchVersionParams",
     "QueueStatus",
     "ManagerMappings",
     "ModelMetadata",

comfyui_manager/data_models/generated_models.py

@@ -1,6 +1,6 @@
 # generated by datamodel-codegen:
 #   filename:  openapi.yaml
-#   timestamp: 2025-07-31T04:52:26+00:00
+#   timestamp: 2026-04-19T04:33:23+00:00
 
 from __future__ import annotations
 
@@ -229,8 +229,8 @@ class UpdateComfyUIQueryParams(BaseModel):
     )
 
 
-class ComfyUISwitchVersionQueryParams(BaseModel):
-    ver: str = Field(..., description="Version to switch to")
+class ComfyUISwitchVersionParams(BaseModel):
+    ver: str = Field(..., description="Target ComfyUI version tag")
     client_id: str = Field(
         ..., description="Client identifier that initiated the request"
     )
@@ -502,6 +502,22 @@ class TaskHistoryItem(BaseModel):
     end_time: Optional[datetime] = Field(
         None, description="ISO timestamp when task execution ended"
     )
+    params: Optional[
+        Union[
+            InstallPackParams,
+            UpdatePackParams,
+            UpdateAllPacksParams,
+            UpdateComfyUIParams,
+            FixPackParams,
+            UninstallPackParams,
+            DisablePackParams,
+            EnablePackParams,
+            ModelMetadata,
+        ]
+    ] = Field(
+        None,
+        description="Original task parameters (mirrors QueueTaskItem.params); null if unavailable",
+    )
 
 
 class TaskStateMessage(BaseModel):

comfyui_manager/glob/constants.py

@@ -1,6 +1,7 @@
 
 SECURITY_MESSAGE_MIDDLE = "ERROR: To use this action, a security_level of `normal or below` is required. Please contact the administrator.\nReference: https://github.com/ltdrdata/ComfyUI-Manager#security-policy"
 SECURITY_MESSAGE_MIDDLE_P = "ERROR: To use this action, security_level must be `normal or below`, and network_mode must be set to `personal_cloud`. Please contact the administrator.\nReference: https://github.com/ltdrdata/ComfyUI-Manager#security-policy"
+SECURITY_MESSAGE_HIGH_P = "ERROR: To use this action, '--listen' must be set to a local IP and security_level must be 'normal-' or lower. Please contact the administrator.\nReference: https://github.com/ltdrdata/ComfyUI-Manager#security-policy"
 SECURITY_MESSAGE_NORMAL_MINUS = "ERROR: To use this feature, you must either set '--listen' to a local IP and set the security level to 'normal-' or lower, or set the security level to 'middle' or 'weak'. Please contact the administrator.\nReference: https://github.com/ltdrdata/ComfyUI-Manager#security-policy"
 SECURITY_MESSAGE_GENERAL = "ERROR: This installation is not allowed in this security_level. Please contact the administrator.\nReference: https://github.com/ltdrdata/ComfyUI-Manager#security-policy"
 SECURITY_MESSAGE_NORMAL_MINUS_MODEL = "ERROR: Downloading models that are not in '.safetensors' format is only allowed for models registered in the 'default' channel at this security level. If you want to download this model, set the security level to 'normal-' or lower."

comfyui_manager/glob/manager_core.py

@@ -44,8 +44,13 @@
 from ..common import context
 
 
-version_code = [4, 2]
-version_str = f"V{version_code[0]}.{version_code[1]}" + (f'.{version_code[2]}' if len(version_code) > 2 else '')
+try:
+    from importlib.metadata import version as _pkg_version
+    _raw_version = _pkg_version("comfyui-manager")
+except Exception:
+    _raw_version = "unknown"
+
+version_str = f"V{_raw_version}"
 
 
 DEFAULT_CHANNEL = "https://raw.githubusercontent.com/ltdrdata/ComfyUI-Manager/main"
@@ -2033,6 +2038,10 @@ def install_manager_requirements(repo_path):
     Install packages from manager_requirements.txt if it exists.
     This is specifically for ComfyUI's manager_requirements.txt.
     """
+    if os.environ.get("COMFYUI_MANAGER_SKIP_MANAGER_REQUIREMENTS", "").lower() in ("1", "true", "yes"):
+        logging.info("[ComfyUI-Manager] Skipping manager_requirements.txt install (COMFYUI_MANAGER_SKIP_MANAGER_REQUIREMENTS set)")
+        return
+
     manager_requirements_path = os.path.join(repo_path, "manager_requirements.txt")
     if not os.path.exists(manager_requirements_path):
         return