218cedf56f
security: Apply critical security fixes from PR #281 review
...
Implement the top 3 critical security fixes identified in Gemini code review:
**Fix 1: ChromaDB Reset Protection**
- Changed `allow_reset=True` to `False` in memory.py
- Prevents catastrophic database deletion in production
- File: tradingagents/agents/utils/memory.py:13
**Fix 2: Path Traversal Prevention**
- Added `validate_ticker_symbol()` function with comprehensive validation
- Applied validation to 5 functions using ticker in file paths:
- get_YFin_data_window()
- get_YFin_data()
- get_data_in_range()
- get_finnhub_company_insider_sentiment()
- get_finnhub_company_insider_transactions()
- Blocks: path traversal (../, \\), invalid chars, length > 10
- File: tradingagents/dataflows/local.py
**Fix 3: CLI Input Validation**
- Added validation loop to get_ticker() with user-friendly error messages
- Prevents malicious input at entry point
- Validates format, blocks traversal, limits length
- File: cli/main.py:499-521
**Testing:**
- Validation logic verified with attack vectors:
- ../../etc/passwd (blocked ✓)
- Long tickers (blocked ✓)
- Special characters (blocked ✓)
- Valid tickers: AAPL, BRK.B (pass ✓)
**Changes:**
- 3 files changed, 65 insertions(+), 3 deletions(-)
- Implementation time: ~20 minutes
- Zero breaking changes to existing functionality
**References:**
- Security analysis: docs/security/PR281_CRITICAL_FIXES.md
- Future roadmap: docs/security/FUTURE_HARDENING.md
Addresses critical path traversal (CWE-22) and data loss vulnerabilities.
2025-11-19 09:01:11 +00:00
Claude
Max Wong
Yijia Xiao
Geeta Chauhan
Edward Sun
maxer137
Yijia-Xiao