From 0855b85b4f800c7e0755291db9535a97e4be31ac Mon Sep 17 00:00:00 2001
From: Richard Yu
Date: Fri, 5 Dec 2025 14:00:33 -0800
Subject: [PATCH] Fix path traversal vulnerability in fetchJobDetail
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Encode promptId with encodeURIComponent when building the URL to prevent path traversal or routing issues with non-UUID values.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 src/platform/remote/comfyui/jobs/fetchers/fetchJobs.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/platform/remote/comfyui/jobs/fetchers/fetchJobs.ts b/src/platform/remote/comfyui/jobs/fetchers/fetchJobs.ts
index 2d4813303..bcaab87c7 100644
--- a/src/platform/remote/comfyui/jobs/fetchers/fetchJobs.ts
+++ b/src/platform/remote/comfyui/jobs/fetchers/fetchJobs.ts
@@ -131,7 +131,7 @@ export async function fetchJobDetail(
 promptId: PromptId
 ): Promise {
 try {
- const res = await fetchApi(`/jobs/${promptId}`)
+ const res = await fetchApi(`/jobs/${encodeURIComponent(promptId)}`)
 if (!res.ok) {
 console.warn(`Job not found for prompt ${promptId}`)
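Review bot: `encodeURIComponent` does not escape `.`, so on the new `fetchApi` line a promptId of `.` or `..` still yields `/jobs/..`, and standard URL resolution removes dot segments before the request is sent (whether `fetchApi` resolves the path that way is not visible here). Since the commit message expects UUID values, I would validate the format before building the URL and keep the encoding as a second layer, e.g. `if (promptId === '.' || promptId === '..') return undefined`, or a check against the project's own ID schema if `PromptId` has one. A unit test that passes `..` and `a/b` and asserts the path handed to `fetchApi` would pin the fix. The body of `fetchJobDetail` continues past the end of this hunk.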