
(sec?): Two custom-node-list entries collide on lowercased repo basename (comfyui-ranbooru): installing one can fetch/satisfy the other #2998

Description

@tyrypyrking

Two different node packs are registered in custom-node-list.json whose Git URL
basenames differ only by letter case:

- https://github.com/Inzaniak/comfyui-ranbooru      (the original Ranbooru node)
- https://github.com/liming123332/ComfyUI-Ranbooru  (an unrelated third-party fork)

Because package identity and the install folder are both derived from the
URL basename, and that key is lowercased, these two entries normalize to the
same identity ("comfyui-ranbooru"). The practical effect is that requesting one
package can install, or be satisfied by, the other — they are indistinguishable
to the Manager.

What I observed

Installing the Inzaniak package through ComfyUI-Manager resulted in the
liming123332 fork being present instead. The two are easy to tell apart on disk:

- Inzaniak (expected): has ranbooru.conf, assets/, English readme.md,
  nodes like PromptMix / PromptBackground / LockSeed
- liming123332 fork (got this): has install.py, scripts/ranbooru.py, a .trae/
  folder, a Chinese README.md, single node RanbooruPrompt

(I have not reproduced this in a clean environment, so I'm reporting the observed
behavior plus the code path that appears to explain it — happy to test a fix.)

This is likely to have security issues because it fetches the latter package, which could have malicious payloads or be generally unsound. My repro is on the stable release, latest update.
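The collision described above, as an added example in Python (this is not ComfyUI-Manager's code; the entry layout, the `reference` field and the key-derivation function names are assumptions made for illustration). It shows that a key built from the lowercased URL basename maps both URLs to `comfyui-ranbooru`, that a key built from host, owner and repo keeps them distinct while still tolerating GitHub's case-insensitive names, and how an index can refuse a duplicate identity instead of silently letting one entry satisfy the other. It also includes a small check for telling apart which repository actually landed on disk by comparing the checkout's `origin` URL with the requested one.

```python
"""Added example, not ComfyUI-Manager code: reproduces the identity collision
from the issue and contrasts it with an owner-aware identity."""
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

# Constructed registry entries mirroring the two URLs quoted in the issue.
ENTRIES = [
    {"title": "Ranbooru", "reference": "https://github.com/Inzaniak/comfyui-ranbooru"},
    {"title": "Ranbooru (fork)", "reference": "https://github.com/liming123332/ComfyUI-Ranbooru"},
]


def _strip_git(name: str) -> str:
    return name[:-4] if name.endswith(".git") else name


def basename_key(url: str) -> str:
    """Identity from the lowercased URL basename: the scheme that collides."""
    return _strip_git(url.rstrip("/").rsplit("/", 1)[-1]).lower()


def repo_path_key(url: str) -> str:
    """Identity from host/owner/repo. GitHub matches owner and repo names
    case-insensitively, so lowercasing is safe; dropping the owner is not."""
    p = urlparse(url)
    parts = [s for s in p.path.split("/") if s]
    if len(parts) < 2:
        raise ValueError(f"cannot derive owner/repo from {url!r}")
    owner, repo = parts[0], _strip_git(parts[1])
    return f"{p.netloc.lower()}/{owner.lower()}/{repo.lower()}"


def build_index(entries: List[dict], key_fn: Callable[[str], str]) -> Dict[str, dict]:
    """Map identity -> entry, refusing a duplicate instead of overwriting it."""
    index: Dict[str, dict] = {}
    for e in entries:
        k = key_fn(e["reference"])
        if k in index:
            raise ValueError(
                f"duplicate identity {k!r}: {index[k]['reference']} vs {e['reference']}"
            )
        index[k] = e
    return index


def collides(entries: List[dict], key_fn: Callable[[str], str]) -> bool:
    try:
        build_index(entries, key_fn)
    except ValueError:
        return True
    return False


def origin_url(git_config_text: str) -> Optional[str]:
    """Pull the origin remote URL out of a .git/config file's text."""
    section = None
    for line in git_config_text.splitlines():
        line = line.strip()
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            section = m.group(1)
            continue
        if section == 'remote "origin"' and line.startswith("url"):
            _, _, value = line.partition("=")
            return value.strip()
    return None


def same_repo(actual_url: str, expected_url: str) -> bool:
    """True only if both URLs name the same host/owner/repo."""
    return repo_path_key(actual_url) == repo_path_key(expected_url)


if __name__ == "__main__":
    print([basename_key(e["reference"]) for e in ENTRIES])
    print("basename key collides:", collides(ENTRIES, basename_key))
    print("owner-aware key collides:", collides(ENTRIES, repo_path_key))
```

Run it against a real checkout by feeding the text of `custom_nodes/<folder>/.git/config` to `origin_url` and passing the result with the URL you asked for to `same_repo`; a `False` means the Manager fetched a different repository than the one requested, regardless of what the folder is called.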
