TradingAgents

History

陈少杰 7b41ba51c1 fix: resolve 4 critical security/correctness bugs in web dashboard 1. Mass position deletion (portfolio.py): remove_position now rejects empty position_id — previously position_id="" matched all positions and deleted every holding for a ticker across ALL accounts. 2. Path traversal in get_recommendation (portfolio.py): added ticker/date validation (no ".." or path separators) + resolved-path check against RECOMMENDATIONS_DIR to prevent ../../etc/passwd attacks. 3. Path traversal in get_report_content (main.py): same ticker/date validation + resolved-path check against get_results_dir(). 4. china_data import stub (interface.py + new china_data.py): the actual akshare implementation lives in web_dashboard/backend/china_data.py (different package); tradingagents/dataflows/china_data.py was missing entirely, so _china_data_available was always False. Added stub file and AttributeError to the import exception handler so the module gracefully degrades instead of silently hiding the missing vendor. Magic numbers also extracted to named constants: - MAX_RETRY_COUNT, RETRY_BASE_DELAY_SECS (main.py) - MAX_CONCURRENT_YFINANCE_REQUESTS (portfolio.py) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-07 18:52:00 +08:00
..
backend	fix: resolve 4 critical security/correctness bugs in web dashboard	2026-04-07 18:52:00 +08:00
frontend	fix(dashboard): reliability fixes - cross-platform PDF fonts, API timeouts, yfinance concurrency, retry logic	2026-04-07 18:52:00 +08:00

陈少杰 7b41ba51c1 fix: resolve 4 critical security/correctness bugs in web dashboard

1. Mass position deletion (portfolio.py): remove_position now rejects
   empty position_id — previously position_id="" matched all positions
   and deleted every holding for a ticker across ALL accounts.

2. Path traversal in get_recommendation (portfolio.py): added ticker/date
   validation (no ".." or path separators) + resolved-path check against
   RECOMMENDATIONS_DIR to prevent ../../etc/passwd attacks.

3. Path traversal in get_report_content (main.py): same ticker/date
   validation + resolved-path check against get_results_dir().

4. china_data import stub (interface.py + new china_data.py): the actual
   akshare implementation lives in web_dashboard/backend/china_data.py
   (different package); tradingagents/dataflows/china_data.py was missing
   entirely, so _china_data_available was always False. Added stub file
   and AttributeError to the import exception handler so the module
   gracefully degrades instead of silently hiding the missing vendor.

Magic numbers also extracted to named constants:
- MAX_RETRY_COUNT, RETRY_BASE_DELAY_SECS (main.py)
- MAX_CONCURRENT_YFINANCE_REQUESTS (portfolio.py)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-04-07 18:52:00 +08:00

backend

fix: resolve 4 critical security/correctness bugs in web dashboard

2026-04-07 18:52:00 +08:00

frontend

fix(dashboard): reliability fixes - cross-platform PDF fonts, API timeouts, yfinance concurrency, retry logic

2026-04-07 18:52:00 +08:00