From c98de44e982d78f2ab05528fa073e5b0114d5208 Mon Sep 17 00:00:00 2001
From: snomiao
Date: Tue, 17 Mar 2026 06:27:51 +0000
Subject: [PATCH] fix: harden setup-comfyui-server against shell injection
Move extra_server_params input to env var to prevent shell injection from untrusted input. Replace wait-for-it pip dependency with a cross-platform curl polling loop.
---
.github/actions/setup-comfyui-server/action.yaml | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/.github/actions/setup-comfyui-server/action.yaml b/.github/actions/setup-comfyui-server/action.yaml
index 721b47e34a..767d9f0b65 100644
--- a/.github/actions/setup-comfyui-server/action.yaml
+++ b/.github/actions/setup-comfyui-server/action.yaml
@@ -44,12 +44,17 @@ runs:
python -m pip install --upgrade pip
pip install torch torchvision torchaudio --index-url https://download.pytorch.org/whl/cpu
pip install -r requirements.txt
- pip install wait-for-it
- name: Start ComfyUI server
if: ${{ inputs.launch_server == 'true' }}
shell: bash
working-directory: ComfyUI
+ env:
+ EXTRA_SERVER_PARAMS: ${{ inputs.extra_server_params }}
run: |
- python main.py --cpu --multi-user --front-end-root ../dist ${{ inputs.extra_server_params }} &
- wait-for-it --service 127.0.0.1:8188 -t 600
+ python main.py --cpu --multi-user --front-end-root ../dist $EXTRA_SERVER_PARAMS &
+ for i in $(seq 1 300); do
+ curl -sf http://127.0.0.1:8188/api/system_stats >/dev/null 2>&1 && echo "Server ready" && exit 0
+ sleep 2
+ done
+ echo "::error::ComfyUI server did not start within 600s" && exit 1
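Review bot: The new polling loop never checks whether the backgrounded `python main.py` is still alive, so a server that dies immediately (for example on a rejected flag in `EXTRA_SERVER_PARAMS`) makes the step spin for the full 600 seconds before reporting the generic timeout; capturing `server_pid=$!` and probing `kill -0 "$server_pid"` at the top of each iteration fails fast with a clearer message. The move from `${{ inputs.extra_server_params }}` to an environment variable does close the command-injection hole, since the value is now only word-split rather than re-parsed by the shell, but the unquoted `$EXTRA_SERVER_PARAMS` still undergoes pathname expansion (a `*` in the input becomes file names from the ComfyUI directory), which `read -ra` into an array avoids while keeping the intended whitespace splitting. Note that by design the input still lets a caller pass arbitrary flags to `main.py` such as `--listen`, so callers should not feed it from pull-request-controlled data; a short comment in the step saying so would help. The `if:`/`shell:` step shown here belongs to a `steps:` list whose start is outside the hunk, and the hunk header counts one more context line than is visible, so the tail of the step may be truncated.
```yaml
      run: |
        # Split the input on whitespace only (no globbing); command injection is already impossible via the env var.
        read -ra extra_args <<<"$EXTRA_SERVER_PARAMS"
        python main.py --cpu --multi-user --front-end-root ../dist "${extra_args[@]}" &
        server_pid=$!
        for _ in $(seq 1 300); do
          # Fail fast if the server already exited instead of waiting out the full timeout.
          kill -0 "$server_pid" 2>/dev/null || { echo "::error::ComfyUI server exited before becoming ready"; exit 1; }
          curl -sf http://127.0.0.1:8188/api/system_stats >/dev/null 2>&1 && echo "Server ready" && exit 0
          sleep 2
        done
        # … unchanged: final timeout error and exit 1 …
```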