feat(security,execution): Add cycle detection and zip slip prevention

- Add cycle detection in workflow executor to prevent infinite loops during node execution
- Implement zip slip vulnerability prevention in archive extraction with path validation
- Replace unsafe eval() with Function constructor for sandboxed condition evaluation
- Add executingStack tracking to detect and skip nodes already in execution call stack
- Improve condition evaluation in both WorkflowExecutor and conditions handler
- Add LoadExecution import and enhance setSelectedExecution to load full execution data from storage
- Update ImportExport component to use nodeCount property when available
- Add string import to actions.go for path validation logic

Author: OffLine911

actions.go

@@ -10,6 +10,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strings"
 	"time"
 )
 
@@ -240,7 +241,11 @@ func (as *ActionService) Extract(src, dest string) error {
 	os.MkdirAll(dest, 0755)
 
 	for _, f := range r.File {
+		// Prevent Zip Slip: ensure resolved path stays within dest
 		path := filepath.Join(dest, f.Name)
+		if !strings.HasPrefix(filepath.Clean(path), filepath.Clean(dest)+string(os.PathSeparator)) {
+			return fmt.Errorf("illegal file path in archive: %s", f.Name)
+		}
 		if f.FileInfo().IsDir() {
 			os.MkdirAll(path, f.Mode())
 			continue

engine.go

@@ -150,19 +150,25 @@ func (e *Engine) executeFlow(ctx context.Context, flow *Flow, execution *FlowExe
 		}
 	}
 
+	executed := make(map[string]bool)
 	for _, nodeID := range startNodes {
 		if ctx.Err() != nil {
 			return
 		}
-		e.executeNode(ctx, nodeMap[nodeID], execution, nodeMap, adjacency)
+		e.executeNode(ctx, nodeMap[nodeID], execution, nodeMap, adjacency, executed)
 	}
 }
 
-func (e *Engine) executeNode(ctx context.Context, node *FlowNode, execution *FlowExecution, nodeMap map[string]*FlowNode, adjacency map[string][]string) {
+func (e *Engine) executeNode(ctx context.Context, node *FlowNode, execution *FlowExecution, nodeMap map[string]*FlowNode, adjacency map[string][]string, executed map[string]bool) {
 	if ctx.Err() != nil {
 		return
 	}
 
+	if executed[node.ID] {
+		return
+	}
+	executed[node.ID] = true
+
 	start := time.Now()
 	result := ExecutionResult{
 		NodeID:    node.ID,
@@ -186,7 +192,7 @@ func (e *Engine) executeNode(ctx context.Context, node *FlowNode, execution *Flo
 
 	for _, nextID := range adjacency[node.ID] {
 		if nextNode, ok := nodeMap[nextID]; ok {
-			e.executeNode(ctx, nextNode, execution, nodeMap, adjacency)
+			e.executeNode(ctx, nextNode, execution, nodeMap, adjacency, executed)
 		}
 	}
 }

frontend/src/components/layout/ImportExport.tsx

@@ -294,7 +294,7 @@ export default function ImportExport({ onClose }: ImportExportProps) {
                           {flow.name}
                         </div>
                         <div className="text-xs text-[#858585]">
-                          {flow.nodes.length} nodes • Updated {new Date(flow.updatedAt).toLocaleDateString()}
+                          {(flow as any).nodeCount ?? flow.nodes.length} nodes • Updated {new Date(flow.updatedAt).toLocaleDateString()}
                         </div>
                       </div>
                     </div>

frontend/src/executor/WorkflowExecutor.ts

@@ -24,6 +24,7 @@ export class WorkflowExecutor {
   private onProgress: (results: NodeResult[]) => void;
   private onLog: LogCallback;
   private isAborted: boolean = false;
+  private executingStack: Set<string> = new Set();
 
   constructor(
     nodes: FlowNode[],
@@ -86,6 +87,12 @@ export class WorkflowExecutor {
     const node = this.nodes.find(n => n.id === nodeId);
     if (!node) return null;
 
+    // Cycle detection: skip if this node is already on the call stack
+    if (this.executingStack.has(nodeId)) {
+      this.onLog('warn', `⚠️ Cycle detected at: ${node.data.label}, skipping`, nodeId);
+      return null;
+    }
+
     // Check if disabled (using config.disabled instead of status)
     if (node.data.config?.disabled === true) {
       this.updateNodeResult(nodeId, {
@@ -106,6 +113,7 @@ export class WorkflowExecutor {
     // Execute node
     this.onLog('info', `▶️  Executing: ${node.data.label}`, nodeId);
     this.updateNodeResult(nodeId, { status: 'running', startedAt: Date.now() });
+    this.executingStack.add(nodeId);
 
     try {
       const output = await this.runNode(node);
@@ -191,8 +199,10 @@ export class WorkflowExecutor {
 
           let result = false;
           try {
-            // Note: Simple eval for now. In production, use a safe evaluator.
-            result = !!eval(currentCondition);
+            const varKeys = Object.keys(this.variables);
+            const varValues = varKeys.map(k => this.variables[k]);
+            const fn = new Function(...varKeys, `"use strict"; return (${currentCondition});`);
+            result = !!fn(...varValues);
           } catch (e) {
             this.onLog('error', `❌ Loop condition error: ${e}`, nodeId);
             break;
@@ -397,6 +407,8 @@ export class WorkflowExecutor {
       });
       this.onLog('error', `❌ Failed: ${node.data.label} - ${errorMsg}`, nodeId);
       throw error;
+    } finally {
+      this.executingStack.delete(nodeId);
     }
   }
 

frontend/src/handlers/conditions.ts

@@ -17,8 +17,11 @@ export const conditionHandlers: Record<string, (ctx: HandlerContext) => Promise<
         evaluatedCondition = evaluatedCondition.replace(regex, JSON.stringify(value));
       }
 
-      // Simple evaluation (UNSAFE - use proper evaluator in production)
-      const result = eval(evaluatedCondition);
+      // Sandboxed evaluation via Function constructor (no access to local scope)
+      const varKeys = Object.keys(variables);
+      const varValues = varKeys.map(k => variables[k]);
+      const fn = new Function(...varKeys, `"use strict"; return (${evaluatedCondition});`);
+      const result = fn(...varValues);
       const boolResult = Boolean(result);
 
       onLog('success', `${boolResult ? '✓' : '✗'} Condition: ${boolResult ? 'TRUE' : 'FALSE'}`);

frontend/src/stores/executionStore.ts

@@ -1,6 +1,6 @@
 import { create } from "zustand";
 import type { FlowExecution } from "@/types/flow";
-import { ListExecutions, DeleteExecution, SaveExecution } from "../../wailsjs/go/main/Storage";
+import { ListExecutions, DeleteExecution, SaveExecution, LoadExecution } from "../../wailsjs/go/main/Storage";
 import { toast } from "@/stores/dialogStore";
 
 interface ExecutionState {
@@ -111,5 +111,18 @@ export const useExecutionStore = create<ExecutionState>()((set, get) => ({
     }
   },
 
-  setSelectedExecution: (execution) => set({ selectedExecution: execution }),
+  setSelectedExecution: async (execution) => {
+    if (!execution) {
+      set({ selectedExecution: null });
+      return;
+    }
+    // Load full execution data (with results) from storage
+    try {
+      const fullJSON = await LoadExecution(execution.id);
+      const full = JSON.parse(fullJSON) as FlowExecution;
+      set({ selectedExecution: full });
+    } catch {
+      set({ selectedExecution: execution });
+    }
+  },
 }));

frontend/src/stores/flowStore.ts

@@ -446,14 +446,17 @@ export const useFlowStore = create<FlowState>()((set, get) => ({
 
         const flowName = flow.name || 'Unknown';
 
-        // Unregister triggers before deleting
-        if (flow.nodes && flow.nodes.length > 0) {
-          try {
+        // Load full flow data to get nodes for trigger unregistration
+        try {
+          const { LoadFlow } = await import('../../wailsjs/go/main/Storage');
+          const fullFlowJSON = await LoadFlow(flowId);
+          const fullFlow = JSON.parse(fullFlowJSON);
+          if (fullFlow.nodes && fullFlow.nodes.length > 0) {
             const { TriggerService } = await import('@/services/triggerService');
-            await TriggerService.unregisterWorkflowTriggers(flowId, flow.nodes);
-          } catch (error) {
-            console.error('Failed to unregister triggers:', error);
+            await TriggerService.unregisterWorkflowTriggers(flowId, fullFlow.nodes);
           }
+        } catch (error) {
+          console.error('Failed to unregister triggers:', error);
         }
 
         try {

frontend/wailsjs/go/main/Storage.d.ts

@@ -19,6 +19,8 @@ export function ListExecutions(arg1:number):Promise<Array<Record<string, any>>>;
 
 export function ListFlows():Promise<Array<Record<string, any>>>;
 
+export function LoadExecution(arg1:string):Promise<string>;
+
 export function LoadFlow(arg1:string):Promise<string>;
 
 export function LoadSettings():Promise<string>;

frontend/wailsjs/go/main/Storage.js

@@ -38,6 +38,10 @@ export function ListFlows() {
   return window['go']['main']['Storage']['ListFlows']();
 }
 
+export function LoadExecution(arg1) {
+  return window['go']['main']['Storage']['LoadExecution'](arg1);
+}
+
 export function LoadFlow(arg1) {
   return window['go']['main']['Storage']['LoadFlow'](arg1);
 }

storage.go

@@ -42,7 +42,9 @@ func (s *Storage) getFlowsDir() string {
 }
 
 func (s *Storage) SaveFlow(flowJSON string) (string, error) {
-	s.Init()
+	if err := s.Init(); err != nil {
+		return "", err
+	}
 
 	// Parse as generic map to avoid struct issues
 	var flowData map[string]interface{}
@@ -74,7 +76,9 @@ func (s *Storage) SaveFlow(flowJSON string) (string, error) {
 }
 
 func (s *Storage) LoadFlow(flowID string) (string, error) {
-	s.Init()
+	if err := s.Init(); err != nil {
+		return "", err
+	}
 
 	filePath := filepath.Join(s.getFlowsDir(), flowID+".json")
 	data, err := os.ReadFile(filePath)
@@ -89,7 +93,9 @@ func (s *Storage) GetFlow(flowID string) (string, error) {
 }
 
 func (s *Storage) ListFlows() ([]map[string]interface{}, error) {
-	s.Init()
+	if err := s.Init(); err != nil {
+		return nil, err
+	}
 
 	flowsDir := s.getFlowsDir()
 	entries, err := os.ReadDir(flowsDir)
@@ -142,19 +148,25 @@ func (s *Storage) ListFlows() ([]map[string]interface{}, error) {
 }
 
 func (s *Storage) DeleteFlow(flowID string) error {
-	s.Init()
+	if err := s.Init(); err != nil {
+		return err
+	}
 	filePath := filepath.Join(s.getFlowsDir(), flowID+".json")
 	return os.Remove(filePath)
 }
 
 func (s *Storage) SaveSettings(settingsJSON string) error {
-	s.Init()
+	if err := s.Init(); err != nil {
+		return err
+	}
 	filePath := filepath.Join(s.dataDir, "settings.json")
 	return os.WriteFile(filePath, []byte(settingsJSON), 0644)
 }
 
 func (s *Storage) LoadSettings() (string, error) {
-	s.Init()
+	if err := s.Init(); err != nil {
+		return "", err
+	}
 	filePath := filepath.Join(s.dataDir, "settings.json")
 	data, err := os.ReadFile(filePath)
 	if err != nil {
@@ -170,7 +182,9 @@ func (s *Storage) getExecutionsDir() string {
 }
 
 func (s *Storage) SaveExecution(executionJSON string) error {
-	s.Init()
+	if err := s.Init(); err != nil {
+		return err
+	}
 
 	var execution map[string]interface{}
 	if err := json.Unmarshal([]byte(executionJSON), &execution); err != nil {
@@ -192,7 +206,9 @@ func (s *Storage) SaveExecution(executionJSON string) error {
 }
 
 func (s *Storage) ListExecutions(limit int) ([]map[string]interface{}, error) {
-	s.Init()
+	if err := s.Init(); err != nil {
+		return nil, err
+	}
 
 	execDir := s.getExecutionsDir()
 	entries, err := os.ReadDir(execDir)
@@ -260,16 +276,34 @@ func (s *Storage) ListExecutions(limit int) ([]map[string]interface{}, error) {
 }
 
 func (s *Storage) DeleteExecution(execID string) error {
-	s.Init()
+	if err := s.Init(); err != nil {
+		return err
+	}
 	filePath := filepath.Join(s.getExecutionsDir(), execID+".json")
 	return os.Remove(filePath)
 }
 
+func (s *Storage) LoadExecution(execID string) (string, error) {
+	if err := s.Init(); err != nil {
+		return "", err
+	}
+	filePath := filepath.Join(s.getExecutionsDir(), execID+".json")
+	data, err := os.ReadFile(filePath)
+	if err != nil {
+		return "", fmt.Errorf("execution not found: %s", execID)
+	}
+	return string(data), nil
+}
+
 func (s *Storage) ExportFlow(flowID string) (string, error) {
 	return s.LoadFlow(flowID)
 }
 
 func (s *Storage) ImportFlow(flowJSON string) (string, error) {
+	if err := s.Init(); err != nil {
+		return "", err
+	}
+
 	var flow Flow
 	if err := json.Unmarshal([]byte(flowJSON), &flow); err != nil {
 		return "", fmt.Errorf("invalid flow JSON: %w", err)