fix: hash-only cache naming (security fix) (#40)

tracer-mohist · tracer-mohist · commit 9d95d13d4590 · 2026-03-14T16:17:26.000+08:00
- Remove original filename (prevent injection) - Format: .imports/<hash>.workflow.list - Tested: local + remote imports REFERENCE: #40
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,4 @@
+<!-- CHANGELOG.md -->
 # CHANGELOG
 
 
diff --git a/src/workflow_as_list/executor/loader.py b/src/workflow_as_list/executor/loader.py
@@ -172,26 +172,21 @@ def _fetch_remote(self, url: str) -> str:
             raise RuntimeError(f"Failed to fetch {url}: {e}") from e
 
     def _get_import_cache_path(self, import_path: str, base_path: Path) -> Path:
-        """Get cache file path using hash-based naming (flat structure).
+        """Get cache file path using hash-only naming (security + flat structure).
 
         Design:
-        - Cache files named by content hash prefix + original filename
+        - Cache files named by content hash only (no original filename)
+        - Prevents path traversal and injection attacks
         - Flat structure (no deep directories)
         - Deduplication: same content = same cache file
-        - User reads import line for source, cache is internal storage
+        - User reads import line for source, cache filename is internal
         """
         # Fetch content to compute hash
         imported_content = self._fetch_import(import_path, base_path)
         content_hash = hashlib.sha256(imported_content.encode("utf-8")).hexdigest()[:16]
 
-        # Extract original filename for readability
-        if import_path.startswith(("http://", "https://")):
-            original_name = import_path.split("/")[-1]
-        else:
-            original_name = Path(import_path).name
-
-        # Format: <hash-prefix>-<original-name>
-        cache_filename = f"{content_hash}-{original_name}"
+        # Format: <hash-prefix>.workflow.list (no original filename for security)
+        cache_filename = f"{content_hash}.workflow.list"
         cache_path = self.imports_dir / cache_filename
 
         cache_path.parent.mkdir(parents=True, exist_ok=True)
diff --git a/uv.lock b/uv.lock
diff --git a/workflow/test-import.workflow.list b/workflow/test-import.workflow.list
diff --git a/workflow/test-local-import.workflow.list b/workflow/test-local-import.workflow.list
@@ -0,0 +1,8 @@
+# test-local-import.workflow.list
+# Purpose: Test local import caching
+
+- (start) Test Local Import
+  # you see: <project root:.imports/6b30743e0e2cbec3.workflow.list> <sha256:6b30743e0e2cbec36c0c98c0fd27814a8ba6fd4a73aed0e40d020111cc199994>
+  import: ./main.workflow.list
+
+- End
diff --git a/workflow/test-remote-import.workflow.list b/workflow/test-remote-import.workflow.list
@@ -0,0 +1,8 @@
+# test-remote-import.workflow.list
+# Purpose: Test remote URL import caching
+
+- (start) Test Remote Import
+  # you see: <project root:.imports/61726152b038af77.workflow.list> <sha256:61726152b038af779e07b68db164187111b6d02a6427db25c03fd987f4ac0c30>
+  import: https://raw.githubusercontent.com/tracer-mohist/workflow-as-list/refs/heads/main/examples/git/commit.workflow.list
+
+- End

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+<!-- CHANGELOG.md -->`
`1`	`2`	`# CHANGELOG`
`2`	`3`
`3`	`4`