TradingAgents/tradingagents
陈少杰 7b41ba51c1 fix: resolve 4 critical security/correctness bugs in web dashboard
1. Mass position deletion (portfolio.py): remove_position now rejects
   empty position_id — previously position_id="" matched all positions
   and deleted every holding for a ticker across ALL accounts.

2. Path traversal in get_recommendation (portfolio.py): added ticker/date
   validation (no ".." or path separators) + resolved-path check against
   RECOMMENDATIONS_DIR to prevent ../../etc/passwd attacks.

3. Path traversal in get_report_content (main.py): same ticker/date
   validation + resolved-path check against get_results_dir().

4. china_data import stub (interface.py + new china_data.py): the actual
   akshare implementation lives in web_dashboard/backend/china_data.py
   (different package); tradingagents/dataflows/china_data.py was missing
   entirely, so _china_data_available was always False. Added stub file
   and AttributeError to the import exception handler so the module
   gracefully degrades instead of silently hiding the missing vendor.

Magic numbers also extracted to named constants:
- MAX_RETRY_COUNT, RETRY_BASE_DELAY_SECS (main.py)
- MAX_CONCURRENT_YFINANCE_REQUESTS (portfolio.py)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-07 18:52:00 +08:00

| Name | Last commit | Date |
|---|---|---|
| agents | refactor: remove stale imports, use configurable results path (#499) | 2026-04-04 07:35:35 +00:00 |
| dataflows | fix: resolve 4 critical security/correctness bugs in web dashboard | 2026-04-07 18:52:00 +08:00 |
| graph | refactor: remove stale imports, use configurable results path (#499) | 2026-04-04 07:35:35 +00:00 |
| llm_clients | feat: dynamic OpenRouter model selection with search (#482, #337) | 2026-04-04 07:56:44 +00:00 |
| __init__.py | fix: set process-level UTF-8 default for cross-platform consistency | 2026-03-22 23:42:37 +00:00 |
| default_config.py | chore: update model lists and defaults to GPT-5.4 family | 2026-03-29 19:45:36 +00:00 |