475e7c143f
feat: Add comprehensive security improvements and documentation
...
This commit addresses critical security vulnerabilities and establishes
a security framework for the TradingAgents project.
## Critical Security Fixes
1. **Path Traversal Protection (CRITICAL)**
- Fixed user input being used directly in file paths
- Created sanitize_path_component() function
- Prevents directory traversal attacks (CWE-22)
2. **Removed Hardcoded Developer Path (CRITICAL)**
- Removed /Users/yluo/Documents/Code/ScAI/FR1-data
- Now uses environment variable TRADINGAGENTS_DATA_DIR
- Prevents information disclosure
3. **Input Validation Framework (CRITICAL)**
- Created comprehensive validators for all user inputs
- validate_ticker() - ticker symbol validation
- validate_date() - date validation
- validate_api_key() - API key validation
- validate_url() - URL validation with SSRF protection
## New Security Infrastructure
- Created tradingagents/security/ module with:
- validators.py - Input validation functions
- rate_limiter.py - API rate limiting
- __init__.py - Public security API
- Created tradingagents/utils.py for easy imports
## Documentation
Added comprehensive security documentation:
- SECURITY.md - Security policy and vulnerability reporting
- SECURITY_AUDIT.md - Detailed security audit (19 issues identified)
- SECURITY_SUMMARY.md - Summary of improvements
- SETUP_SECURE.md - Secure setup guide for users
- CONTRIBUTING_SECURITY.md - Security best practices for contributors
- IMPROVEMENTS.md - 30+ suggested enhancements with examples
## Configuration Improvements
- Enhanced .env.example with comprehensive documentation
- Added environment variable support for all paths
- Removed all hardcoded credentials and paths
## Security Issues Addressed
Critical (3):
✅ Path traversal vulnerability
✅ Hardcoded path exposure
✅ Missing input validation
High (5):
✅ API key validation framework
✅ Rate limiting implementation
✅ Error handling best practices
✅ Debug mode warnings
📝 Test coverage framework (tests needed)
Medium (7):
📝 All documented with solutions and examples
Low (4):
📝 All documented with recommendations
## Impact
Before:
- Path traversal vulnerability
- Hardcoded secrets and paths
- No input validation
- No security documentation
After:
- Path traversal protection
- Environment-based configuration
- Comprehensive input validation
- Extensive security documentation
- Security framework in place
## Testing
Security framework created. Tests should be added in tests/security/:
- test_input_validation.py
- test_path_traversal.py
- test_rate_limiting.py
## Breaking Changes
None - all changes are additive and backward compatible
## References
- OWASP Top 10
- CWE-22 (Path Traversal)
- Python Security Best Practices
Co-authored-by: Claude <claude@anthropic.com>
2025-11-14 22:16:44 +00:00
7fc9c28a94
Add environment variable configuration support
...
- Add .env.example file with API key placeholders
- Update README.md with .env file setup instructions
- Add dotenv loading in main.py for environment variables
🤖 Generated with [Claude Code](https://claude.ai/code )
Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-26 23:58:51 +08:00
26c5ba5a78
Revert "Docker support and Ollama support ( #47 )" ( #57 )
...
This reverts commit 78ea029a0b
2025-06-26 00:07:58 -04:00
78ea029a0b
Docker support and Ollama support ( #47 )
...
- Added support for running CLI and Ollama server via Docker
- Introduced tests for local embeddings model and standalone Docker setup
- Enabled conditional Ollama server launch via LLM_PROVIDER
2025-06-25 23:57:05 -04:00
Claude
luohy15
Yijia Xiao
Geeta Chauhan