gokayfem / ComfyUI-fal-API

Custom nodes for using fal API. Video generation with Kling, Runway, Luma. Image generation with Flux. LLMs and VLMs OpenAI, Claude, Llama and Gemini.
Apache License 2.0

Potential API Key Leak #1

Closed BetaDoggo closed 3 months ago

BetaDoggo commented 3 months ago

When a custom string is entered into a ComfyUI node, the string is saved in the metadata of the output image. If a user shares an image created with this node online with metadata intact, anyone viewing the image will be able to load the image in their own instance and steal the API key. Here's the metadata from one of the images made with this node:

{
  "11": {
    "class_type": "SaveImage",
    "inputs": {
      "filename_prefix": "flux",
      "images": [
        "40",
        0
      ]
    }
  },
  "40": {
    "class_type": "FluxSchnell_fal",
    "inputs": {
      "api_key": "00000000-00000-0000-0000-000000000000:00000000000000000000000000000000",
      "enable_safety_checker": true,
      "image_size": "landscape_4_3",
      "num_images": 1,
      "num_inference_steps": 4,
      "prompt": "anime girl",
      "seed": -1
    }
  }
}

The API key can be read from the inputs section (I zeroed it out for obvious reasons).

I recommend either altering the node so that it loads the key from a file instead or adding a disclaimer about stripping metadata.
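Detecting and removing this leak, as an added example that is not part of the issue or of the repository's code: it walks the PNG chunk structure, looks for secret-bearing inputs in the `prompt` tEXt chunk ComfyUI embeds (the format shown above), and strips text chunks before an image is shared. The PNG builder, the `SENSITIVE_INPUTS` list and the sample graph are constructed for the demo; it assumes the graph is stored as a Latin-1 tEXt chunk and does not decode iTXt or zTXt.

```python
import json, struct, zlib
# Constructed sample, modelled on the issue's dump: the 'prompt' graph that ComfyUI
# stores in the saved PNG as a tEXt chunk. The key below is an all-zero placeholder.
SAMPLE_PROMPT = {
    "11": {"class_type": "SaveImage",
           "inputs": {"filename_prefix": "flux", "images": ["40", 0]}},
    "40": {"class_type": "FluxSchnell_fal",
           "inputs": {"api_key": "00000000-0000-0000-0000-000000000000:0000000000000000",
                      "prompt": "anime girl", "seed": -1}},
}
SENSITIVE_INPUTS = {"api_key"}  # assumed list of secret-bearing widget names; extend as needed

def _chunk(kind, data):
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)

def build_png(text_chunks):
    """Build a minimal 1x1 RGB PNG carrying {keyword: text} as tEXt chunks (test input only)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    texts = b"".join(_chunk(b"tEXt", k.encode("latin-1") + b"\x00" + v.encode("latin-1"))
                     for k, v in text_chunks.items())
    idat = _chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))  # one filter byte + one RGB pixel
    return b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr) + texts + idat + _chunk(b"IEND", b"")

def sample_png():
    return build_png({"prompt": json.dumps(SAMPLE_PROMPT)})

def iter_chunks(png):
    pos = 8  # skip the 8-byte signature
    while pos < len(png):
        length, kind = struct.unpack(">I4s", png[pos:pos + 8])
        yield kind, png[pos + 8:pos + 8 + length]
        pos += 12 + length  # length + type + data + crc

def find_leaked_secrets(png):
    """Return [(node_id, class_type, input_name)] for sensitive node inputs in the 'prompt' chunk."""
    hits = []
    for kind, data in iter_chunks(png):
        keyword, _, text = data.partition(b"\x00")
        if kind != b"tEXt" or keyword != b"prompt":
            continue
        for node_id, node in json.loads(text.decode("latin-1")).items():
            for name, value in node.get("inputs", {}).items():
                if name in SENSITIVE_INPUTS and isinstance(value, str) and value:
                    hits.append((node_id, node.get("class_type"), name))
    return hits

def strip_text_metadata(png):
    """Return a copy with every tEXt/iTXt/zTXt chunk dropped, the fix to apply before sharing."""
    kept = [_chunk(k, d) for k, d in iter_chunks(png) if k not in (b"tEXt", b"iTXt", b"zTXt")]
    return png[:8] + b"".join(kept)
```

Running `find_leaked_secrets` over the sample flags node 40's `api_key`, and the stripped copy carries only IHDR, IDAT and IEND.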

gokayfem commented 3 months ago

Fixed, thanks for the warning!