Default parameters lead to pickle deserialization vulnerability

[l1k3beef]

Expected Behavior

This is the reference document of pytorch. Use the safe parameter weights_only=True

Actual Behavior

default to set safe_load=False which leading to pickle deserialization vulnerability

Steps to Reproduce

1. Comfyui provides a rich set of node nodes, and there are many interfaces that can download models from remote locations such as huggingface, github, etc. to the server.
2. When a malicious model is constructed and uploaded to the server, and then the checkpointloadersimple node is used, remote code execution can occur, causing serious network security hazards.

Debug Logs

refer to steps to reproduce

Other

As a very influential open source project, we suggest you enable the Security Policy feature of GitHub. For sensitive information, you can communicate through other channels instead of issues.

[comfyanonymous]

A lot of checkpoints like the official SD1.5 ckpt for example cannot be loaded with weights_only=True that's why this option is only enabled for a few types of models.

If you want to be safe you have to only allow people people to upload .safetensors files.

[l1k3beef]

Yes, we noticed that some checkpoints need to use unsafe serialization methods. At the same time, we found that some plug-in nodes can download models from remote to local, such as easyuse. In this case, my Comfyui will be hacked by others if it is open to others.

Try to discuss some ideas to solve this problem. Is comfyui also considering doing some pickle security filtering? See some todo lists in the project.