
feat: add Painter Nodes to custom-node-list #3041

Open
princepainter wants to merge 1 commit into Comfy-Org:main from princepainter:patch-1


@princepainter

Contributor

Resubmits #3039 with full file replacement (verified JSON valid).

@coderabbitai

coderabbitai Bot commented Jul 2, 2026


Important

Review skipped

Review was skipped as selected files did not have any reviewable changes.

💤 Files selected but had no reviewable changes (1)
  • custom-node-list.json
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: fc40d88d-6409-4699-af04-354b8596a58e

📥 Commits

Reviewing files that changed from the base of the PR and between 8e06ee6 and 66eefe1.

📒 Files selected for processing (1)
  • custom-node-list.json


@princepainter

Contributor Author

Hi @ltdrdata, this replaces the full custom-node-list.json to resolve merge conflicts from #3039.
The only functional change is adding the painter-nodes entry (line ~107,966).
All checks pass — ready for merge when convenient. Thanks!

@ltdrdata

ltdrdata commented Jul 2, 2026

Member

Thanks for the contribution! Before this can be merged, several issues need to be addressed:

  1. Path traversal (arbitrary file read): PainterImageLoad accepts user-controlled paths without sandbox restriction. Please constrain reads to the ComfyUI input directory or an explicit allow-list.

  2. Arbitrary file write: PainterVideoCombine.py writes output paths without validation. Please restrict writes to the ComfyUI output directory (folder_paths.get_output_directory()).

  3. Command injection: PainterVideoCombine.py uses os.system / subprocess with shell=True patterns. Please switch to subprocess.run([...], shell=False) with an argument list, or shlex.quote() untrusted inputs.

  4. Dynamic code execution / RCE: __init__.py triggered the code_exec_rce signature (any of: trust_remote_code=True, pickle.loads, yaml.load, eval/exec/compile, or dynamic import on user-controlled data). Please remove any such dispatch on external input.

  5. Non-English tooltips (Chinese) — please write UI strings (widget tooltips, RETURN_NAMES, CATEGORY, DISPLAY_NAME) in English. For multilingual support, see the locale feature: [i18n] Add /i18n endpoint to provide all custom node translations ComfyUI#6558

Additionally, this PR's diff wholesale-rewrites custom-node-list.json from a very old fork base (~54k added / ~54k deleted lines, existing entries corrupted). Please rebase onto Comfy-Org/ComfyUI-Manager:main and submit a minimal diff that only adds the ComfyUI-PainterNodes entry.

I'll re-evaluate once these are addressed.
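
The fixes requested in items 1 to 3, sketched as an added example that is not code from this PR, from ComfyUI-PainterNodes, or from the reviewer. The helper names, the allowed suffixes, the frame naming pattern and the use of ffmpeg are assumptions; in a node the base directories would come from ComfyUI's `folder_paths` module. Requires Python 3.9+ for `Path.is_relative_to`.

```python
import subprocess
from pathlib import Path

ALLOWED_SUFFIXES = {".mp4", ".webm"}  # assumed output formats


def resolve_inside(base_dir, user_path):
    """Return the real path for user_path, or raise if it leaves base_dir."""
    base = Path(base_dir).resolve()
    # An absolute user_path replaces base in the join, and resolve() collapses
    # ".." and follows symlinks, so the check runs on the final real path.
    candidate = (base / user_path).resolve()
    if candidate == base or not candidate.is_relative_to(base):
        raise ValueError(f"path not inside {base}: {user_path!r}")
    return candidate


def build_encode_argv(frames_dir, out_name, output_dir, fps):
    """Build an ffmpeg argument list; no string is ever parsed by a shell."""
    out_path = resolve_inside(output_dir, out_name)
    if out_path.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"unexpected output type: {out_path.suffix!r}")
    # out_path is absolute, so it cannot be mistaken for an option ("-...").
    return ["ffmpeg", "-y", "-framerate", str(int(fps)),
            "-i", str(Path(frames_dir) / "%05d.png"), str(out_path)]


def encode(frames_dir, out_name, output_dir, fps=24):
    """Run the encoder with shell=False; requires ffmpeg on PATH."""
    argv = build_encode_argv(frames_dir, out_name, output_dir, fps)
    return subprocess.run(argv, shell=False, check=True)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:  # constructed sample layout
        inp, out = Path(root, "input"), Path(root, "output")
        inp.mkdir(); out.mkdir()
        (inp / "a.png").write_bytes(b"\x89PNG")
        print(resolve_inside(inp, "a.png"))
        for bad in ("../output/x.png", "/etc/passwd", "sub/../../x"):
            try:
                resolve_inside(inp, bad)
            except ValueError as err:
                print("rejected:", err)
        print(build_encode_argv(inp, "my clip; echo hi.mp4", out, 24))
```

The same `resolve_inside` check covers both the read path (input directory) and the write path (output directory); `frames_dir` is assumed to be chosen by the server, not the user.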
