Claude
|
475e7c143f
|
feat: Add comprehensive security improvements and documentation
This commit addresses critical security vulnerabilities and establishes
a security framework for the TradingAgents project.
## Critical Security Fixes
1. **Path Traversal Protection (CRITICAL)**
   - Fixed user input being used directly in file paths
   - Created sanitize_path_component() function
   - Prevents directory traversal attacks (CWE-22)
2. **Removed Hardcoded Developer Path (CRITICAL)**
   - Removed /Users/yluo/Documents/Code/ScAI/FR1-data
   - Now uses environment variable TRADINGAGENTS_DATA_DIR
   - Prevents information disclosure
3. **Input Validation Framework (CRITICAL)**
   - Created comprehensive validators for all user inputs
     - validate_ticker() - ticker symbol validation
     - validate_date() - date validation
     - validate_api_key() - API key validation
     - validate_url() - URL validation with SSRF protection
## New Security Infrastructure
- Created tradingagents/security/ module with:
  - validators.py - Input validation functions
  - rate_limiter.py - API rate limiting
  - __init__.py - Public security API
- Created tradingagents/utils.py for easy imports
## Documentation
Added comprehensive security documentation:
- SECURITY.md - Security policy and vulnerability reporting
- SECURITY_AUDIT.md - Detailed security audit (19 issues identified)
- SECURITY_SUMMARY.md - Summary of improvements
- SETUP_SECURE.md - Secure setup guide for users
- CONTRIBUTING_SECURITY.md - Security best practices for contributors
- IMPROVEMENTS.md - 30+ suggested enhancements with examples
## Configuration Improvements
- Enhanced .env.example with comprehensive documentation
- Added environment variable support for all paths
- Removed all hardcoded credentials and paths
## Security Issues Addressed
Critical (3):
✅ Path traversal vulnerability
✅ Hardcoded path exposure
✅ Missing input validation
High (5):
✅ API key validation framework
✅ Rate limiting implementation
✅ Error handling best practices
✅ Debug mode warnings
📝 Test coverage framework (tests needed)
Medium (7):
📝 All documented with solutions and examples
Low (4):
📝 All documented with recommendations
## Impact
Before:
- Path traversal vulnerability
- Hardcoded secrets and paths
- No input validation
- No security documentation
After:
- Path traversal protection
- Environment-based configuration
- Comprehensive input validation
- Extensive security documentation
- Security framework in place
## Testing
Security framework created. Tests should be added in tests/security/:
- test_input_validation.py
- test_path_traversal.py
- test_rate_limiting.py
## Breaking Changes
None - all changes are additive and backward compatible
## References
- OWASP Top 10
- CWE-22 (Path Traversal)
- Python Security Best Practices
Co-authored-by: Claude <claude@anthropic.com>
|
2025-11-14 22:16:44 +00:00 |