Implement the top 3 critical security fixes identified in Gemini code review:

**Fix 1: ChromaDB Reset Protection**
- Changed `allow_reset=True` to `False` in memory.py
- Prevents catastrophic database deletion in production
- File: tradingagents/agents/utils/memory.py:13

**Fix 2: Path Traversal Prevention**
- Added `validate_ticker_symbol()` function with comprehensive validation
- Applied validation to 5 functions using ticker in file paths:
  - get_YFin_data_window()
  - get_YFin_data()
  - get_data_in_range()
  - get_finnhub_company_insider_sentiment()
  - get_finnhub_company_insider_transactions()
- Blocks: path traversal (../, \\), invalid chars, length > 10
- File: tradingagents/dataflows/local.py

**Fix 3: CLI Input Validation**
- Added validation loop to get_ticker() with user-friendly error messages
- Prevents malicious input at entry point
- Validates format, blocks traversal, limits length
- File: cli/main.py:499-521

**Testing:**
- Validation logic verified with attack vectors:
  - ../../etc/passwd (blocked ✓)
  - Long tickers (blocked ✓)
  - Special characters (blocked ✓)
  - Valid tickers: AAPL, BRK.B (pass ✓)

**Changes:**
- 3 files changed, 65 insertions(+), 3 deletions(-)
- Implementation time: ~20 minutes
- Zero breaking changes to existing functionality

**References:**
- Security analysis: docs/security/PR281_CRITICAL_FIXES.md
- Future roadmap: docs/security/FUTURE_HARDENING.md

Addresses critical path traversal (CWE-22) and data loss vulnerabilities.
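An added illustration of the ticker validation described in the commit message above; this is not the project's code. The regex, the `<TICKER>.csv` file layout and the helpers `ticker_data_path` and `is_valid` are assumptions made for the example, which pairs an allow-list check with a containment check on the resolved path:

```python
import re
from pathlib import Path

# Policy assumed from the commit message: at most 10 characters, no path
# separators or "..", and tickers such as AAPL and BRK.B must pass.
MAX_TICKER_LEN = 10
_TICKER_RE = re.compile(r"[A-Z0-9]+(?:[.-][A-Z0-9]+)*")


def validate_ticker_symbol(ticker):
    """Return the normalised ticker, or raise ValueError if it is unsafe."""
    if not isinstance(ticker, str):
        raise ValueError("ticker must be a string")
    symbol = ticker.strip().upper()
    if not symbol or len(symbol) > MAX_TICKER_LEN:
        raise ValueError("ticker must be 1-10 characters")
    # fullmatch anchors both ends; match() alone would accept "AAPL/../x"
    # because only the prefix has to fit the pattern.
    if not _TICKER_RE.fullmatch(symbol):
        raise ValueError("ticker contains invalid characters")
    return symbol


def ticker_data_path(data_dir, ticker):
    """Build <data_dir>/<TICKER>.csv (assumed layout) inside data_dir."""
    base = Path(data_dir).resolve()
    candidate = (base / f"{validate_ticker_symbol(ticker)}.csv").resolve()
    # Defence in depth: even if the allow-list is loosened later, the
    # resolved path must stay under the data directory (Python 3.9+).
    if not candidate.is_relative_to(base):
        raise ValueError("resolved path escapes the data directory")
    return candidate


def is_valid(ticker):
    """Boolean wrapper, convenient for a CLI re-prompt loop."""
    try:
        validate_ticker_symbol(ticker)
        return True
    except ValueError:
        return False
```
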