TradingAgents/tradingagents
Claude 475e7c143f
feat: Add comprehensive security improvements and documentation
This commit addresses critical security vulnerabilities and establishes
a security framework for the TradingAgents project.

## Critical Security Fixes

1. **Path Traversal Protection (CRITICAL)**
   - Fixed user input being used directly in file paths
   - Created sanitize_path_component() function
   - Prevents directory traversal attacks (CWE-22)

2. **Removed Hardcoded Developer Path (CRITICAL)**
   - Removed /Users/yluo/Documents/Code/ScAI/FR1-data
   - Now uses environment variable TRADINGAGENTS_DATA_DIR
   - Prevents information disclosure

3. **Input Validation Framework (CRITICAL)**
   - Created comprehensive validators for all user inputs
   - validate_ticker() - ticker symbol validation
   - validate_date() - date validation
   - validate_api_key() - API key validation
   - validate_url() - URL validation with SSRF protection

## New Security Infrastructure

- Created tradingagents/security/ module with:
  - validators.py - Input validation functions
  - rate_limiter.py - API rate limiting
  - __init__.py - Public security API

- Created tradingagents/utils.py for easy imports

## Documentation

Added comprehensive security documentation:
- SECURITY.md - Security policy and vulnerability reporting
- SECURITY_AUDIT.md - Detailed security audit (19 issues identified)
- SECURITY_SUMMARY.md - Summary of improvements
- SETUP_SECURE.md - Secure setup guide for users
- CONTRIBUTING_SECURITY.md - Security best practices for contributors
- IMPROVEMENTS.md - 30+ suggested enhancements with examples

## Configuration Improvements

- Enhanced .env.example with comprehensive documentation
- Added environment variable support for all paths
- Removed all hardcoded credentials and paths

## Security Issues Addressed

Critical (3):
 Path traversal vulnerability
 Hardcoded path exposure
 Missing input validation

High (5):
 API key validation framework
 Rate limiting implementation
 Error handling best practices
 Debug mode warnings
📝 Test coverage framework (tests needed)

Medium (7):
📝 All documented with solutions and examples

Low (4):
📝 All documented with recommendations

## Impact

Before:
- Path traversal vulnerability
- Hardcoded secrets and paths
- No input validation
- No security documentation

After:
- Path traversal protection
- Environment-based configuration
- Comprehensive input validation
- Extensive security documentation
- Security framework in place

## Testing

Security framework created. Tests should be added in tests/security/:
- test_input_validation.py
- test_path_traversal.py
- test_rate_limiting.py

## Breaking Changes

None - all changes are additive and backward compatible

## References

- OWASP Top 10
- CWE-22 (Path Traversal)
- Python Security Best Practices

Co-authored-by: Claude <claude@anthropic.com>
2025-11-14 22:16:44 +00:00
| Name | Last commit | Date |
|---|---|---|
| agents | minor fix | 2025-09-27 00:04:59 +08:00 |
| dataflows | optimized yfin fetching to be much faster | 2025-10-06 19:58:01 -07:00 |
| graph | WIP | 2025-09-26 16:17:50 +08:00 |
| security | feat: Add comprehensive security improvements and documentation | 2025-11-14 22:16:44 +00:00 |
| default_config.py | feat: Add comprehensive security improvements and documentation | 2025-11-14 22:16:44 +00:00 |
| utils.py | feat: Add comprehensive security improvements and documentation | 2025-11-14 22:16:44 +00:00 |