Claude
475e7c143f
feat: Add comprehensive security improvements and documentation
This commit addresses critical security vulnerabilities and establishes
a security framework for the TradingAgents project.
## Critical Security Fixes
1. **Path Traversal Protection (CRITICAL)**
- Fixed user input being used directly in file paths
- Created sanitize_path_component() function
- Prevents directory traversal attacks (CWE-22)
2. **Removed Hardcoded Developer Path (CRITICAL)**
- Removed /Users/yluo/Documents/Code/ScAI/FR1-data
- Now uses environment variable TRADINGAGENTS_DATA_DIR
- Prevents information disclosure
3. **Input Validation Framework (CRITICAL)**
- Created comprehensive validators for all user inputs
- validate_ticker() - ticker symbol validation
- validate_date() - date validation
- validate_api_key() - API key validation
- validate_url() - URL validation with SSRF protection
## New Security Infrastructure
- Created tradingagents/security/ module with:
- validators.py - Input validation functions
- rate_limiter.py - API rate limiting
- __init__.py - Public security API
- Created tradingagents/utils.py for easy imports
## Documentation
Added comprehensive security documentation:
- SECURITY.md - Security policy and vulnerability reporting
- SECURITY_AUDIT.md - Detailed security audit (19 issues identified)
- SECURITY_SUMMARY.md - Summary of improvements
- SETUP_SECURE.md - Secure setup guide for users
- CONTRIBUTING_SECURITY.md - Security best practices for contributors
- IMPROVEMENTS.md - 30+ suggested enhancements with examples
## Configuration Improvements
- Enhanced .env.example with comprehensive documentation
- Added environment variable support for all paths
- Removed all hardcoded credentials and paths
## Security Issues Addressed
Critical (3):
✅ Path traversal vulnerability
✅ Hardcoded path exposure
✅ Missing input validation
High (5):
✅ API key validation framework
✅ Rate limiting implementation
✅ Error handling best practices
✅ Debug mode warnings
📝 Test coverage framework (tests needed)
Medium (7):
📝 All documented with solutions and examples
Low (4):
📝 All documented with recommendations
## Impact
Before:
- Path traversal vulnerability
- Hardcoded secrets and paths
- No input validation
- No security documentation
After:
- Path traversal protection
- Environment-based configuration
- Comprehensive input validation
- Extensive security documentation
- Security framework in place
## Testing
Security framework created. Tests should be added in tests/security/:
- test_input_validation.py
- test_path_traversal.py
- test_rate_limiting.py
## Breaking Changes
None - all changes are additive and backward compatible
## References
- OWASP Top 10
- CWE-22 (Path Traversal)
- Python Security Best Practices
Co-authored-by: Claude <claude@anthropic.com>
2025-11-14 22:16:44 +00:00
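The validators this message lists (sanitize_path_component, validate_ticker, validate_date and a validate_url with an SSRF check on literal hosts), written out as an added example in the project's language. This is not the TradingAgents project's own tradingagents/security/validators.py: the character allowlists, the https-only scheme policy, the fallback data directory, the safe_join helper and the sample inputs are all assumptions made for illustration.

```python
"""Added example of the validators the commit lists; not the project's own
tradingagents/security/validators.py. Names, allowlists, the https-only policy
and the sample inputs are assumptions for illustration."""
import ipaddress
import os
import re
from datetime import date
from pathlib import Path
from urllib.parse import urlsplit

# Assumed allowlists: one file-name element, and a ticker such as AAPL or BRK.B.
_COMPONENT_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
_TICKER_RE = re.compile(r"[A-Z][A-Z0-9.\-]{0,9}")
_ALLOWED_SCHEMES = {"https"}  # assumed policy: data vendors are reached over TLS only


class ValidationError(ValueError):
    """Raised when untrusted input fails validation."""


def sanitize_path_component(component: str) -> str:
    """Return component if it is one safe file-name element; otherwise raise.
    Separators, '.', '..', NUL bytes and non-allowlisted characters are rejected (CWE-22)."""
    if not isinstance(component, str) or "\x00" in component:
        raise ValidationError("path component must be a string without NUL bytes")
    if component in (".", "..") or "/" in component or "\\" in component:
        raise ValidationError(f"illegal path component: {component!r}")
    if not _COMPONENT_RE.fullmatch(component):
        raise ValidationError(f"disallowed characters in path component: {component!r}")
    return component


def safe_join(base_dir: str, *components: str) -> Path:
    """Join sanitized components under base_dir and confirm the resolved result
    still lies inside it (defence in depth against symlinks within base_dir)."""
    base = Path(base_dir).resolve()
    target = base.joinpath(*(sanitize_path_component(c) for c in components)).resolve()
    if target != base and base not in target.parents:
        raise ValidationError(f"path escapes {base}: {target}")
    return target


def validate_ticker(ticker: str) -> str:
    """Normalise to upper case and check against the ticker allowlist."""
    normalised = str(ticker).strip().upper()
    if not _TICKER_RE.fullmatch(normalised):
        raise ValidationError(f"invalid ticker symbol: {ticker!r}")
    return normalised


def validate_date(value: str) -> date:
    """Accept only a real calendar date written as YYYY-MM-DD."""
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{4}-[0-9]{2}-[0-9]{2}", value):
        raise ValidationError(f"date must be YYYY-MM-DD: {value!r}")
    try:
        return date.fromisoformat(value)
    except ValueError as exc:  # e.g. 2023-02-29
        raise ValidationError(f"not a calendar date: {value!r}") from exc


def validate_url(url: str) -> str:
    """Allow only https URLs with no embedded credentials and no non-public literal host.
    SSRF caveat: this checks the URL as written. A DNS name resolving to a private address
    (rebinding) or an odd IP spelling (decimal, octal) is not caught; re-check the resolved IP."""
    parts = urlsplit(url)
    if parts.scheme not in _ALLOWED_SCHEMES:
        raise ValidationError(f"URL scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host or host == "localhost" or host.endswith(".localhost"):
        raise ValidationError(f"host missing or local: {host!r}")
    if parts.username is not None or parts.password is not None:
        raise ValidationError("credentials embedded in the URL are not allowed")
    try:
        ip = ipaddress.ip_address(host)  # literal IPv4/IPv6 host, e.g. [::1]
    except ValueError:
        return url  # a DNS name; see the caveat above
    if not ip.is_global:  # loopback, private, link-local (169.254.169.254), CGNAT, ...
        raise ValidationError(f"non-public address not allowed: {host}")
    return url


def rejects(validator, value) -> bool:
    """True if validator raises ValidationError for value (used by the self-check)."""
    try:
        validator(value)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs. TRADINGAGENTS_DATA_DIR is the variable the commit names;
    # the fallback directory is an assumption.
    data_dir = os.environ.get("TRADINGAGENTS_DATA_DIR", "/srv/tradingagents-data")
    print(safe_join(data_dir, validate_ticker("brk.b"), validate_date("2024-01-02").isoformat() + ".json"))
    for bad in ("../../.env", "..", "AAPL\x00.json"):
        assert rejects(sanitize_path_component, bad), bad
    assert rejects(validate_url, "https://169.254.169.254/latest/meta-data/")
```

The path check is layered on purpose: the allowlist in sanitize_path_component stops traversal strings before they are ever joined, and the resolve() comparison in safe_join catches a symlink inside the data directory that points elsewhere. The URL check only covers what is visible in the string; an HTTP client that follows redirects or resolves names still needs to apply the same non-public-address test to the address it actually connects to.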
luohy15
b01051b9f4
Switch default data vendor
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-30 12:43:27 +08:00
luohy15
0ab323c2c6
Add Alpha Vantage API integration as primary data provider
- Replace FinnHub with Alpha Vantage API in README documentation
- Implement comprehensive Alpha Vantage modules:
- Stock data (daily OHLCV with date filtering)
- Technical indicators (SMA, EMA, MACD, RSI, Bollinger Bands, ATR)
- Fundamental data (overview, balance sheet, cashflow, income statement)
- News and sentiment data with insider transactions
- Update news analyst tools to use ticker-based news search
- Integrate Alpha Vantage vendor methods into interface routing
- Maintain backward compatibility with existing vendor system
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-26 22:57:50 +08:00
luohy15
a6734d71bc
WIP
2025-09-26 16:17:50 +08:00
Huijae Lee
ee3d499894
Merge branch 'TauricResearch:main' into save_results
2025-06-25 08:43:19 +09:00
Edward Sun
da84ef43aa
main works, cli bugs
2025-06-15 22:20:59 -07:00
ZeroAct
9647359246
save reports & logs under results_dir
2025-06-12 11:25:07 +09:00
maxer137
99789f9cd1
Add support for other backends, such as OpenRouter and Ollama
This aims to offer alternative OpenAI-capable APIs.
This offers people the chance to experiment with running the application locally.
2025-06-11 14:19:25 +02:00
Yijia-Xiao
cc97cb6d5d
chore(release): v0.1.0 – initial public release of TradingAgents
2025-06-05 04:27:57 -07:00