TradingAgents

History

陈少杰 7b41ba51c1 fix: resolve 4 critical security/correctness bugs in web dashboard 1. Mass position deletion (portfolio.py): remove_position now rejects empty position_id — previously position_id="" matched all positions and deleted every holding for a ticker across ALL accounts. 2. Path traversal in get_recommendation (portfolio.py): added ticker/date validation (no ".." or path separators) + resolved-path check against RECOMMENDATIONS_DIR to prevent ../../etc/passwd attacks. 3. Path traversal in get_report_content (main.py): same ticker/date validation + resolved-path check against get_results_dir(). 4. china_data import stub (interface.py + new china_data.py): the actual akshare implementation lives in web_dashboard/backend/china_data.py (different package); tradingagents/dataflows/china_data.py was missing entirely, so _china_data_available was always False. Added stub file and AttributeError to the import exception handler so the module gracefully degrades instead of silently hiding the missing vendor. Magic numbers also extracted to named constants: - MAX_RETRY_COUNT, RETRY_BASE_DELAY_SECS (main.py) - MAX_CONCURRENT_YFINANCE_REQUESTS (portfolio.py) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-07 18:52:00 +08:00
..
__init__.py	feat(dashboard): add portfolio panel - watchlist, positions, and recommendations	2026-04-07 18:52:00 +08:00
portfolio.py	fix: resolve 4 critical security/correctness bugs in web dashboard	2026-04-07 18:52:00 +08:00

陈少杰 7b41ba51c1 fix: resolve 4 critical security/correctness bugs in web dashboard

1. Mass position deletion (portfolio.py): remove_position now rejects
   empty position_id — previously position_id="" matched all positions
   and deleted every holding for a ticker across ALL accounts.

2. Path traversal in get_recommendation (portfolio.py): added ticker/date
   validation (no ".." or path separators) + resolved-path check against
   RECOMMENDATIONS_DIR to prevent ../../etc/passwd attacks.

3. Path traversal in get_report_content (main.py): same ticker/date
   validation + resolved-path check against get_results_dir().

4. china_data import stub (interface.py + new china_data.py): the actual
   akshare implementation lives in web_dashboard/backend/china_data.py
   (different package); tradingagents/dataflows/china_data.py was missing
   entirely, so _china_data_available was always False. Added stub file
   and AttributeError to the import exception handler so the module
   gracefully degrades instead of silently hiding the missing vendor.

Magic numbers also extracted to named constants:
- MAX_RETRY_COUNT, RETRY_BASE_DELAY_SECS (main.py)
- MAX_CONCURRENT_YFINANCE_REQUESTS (portfolio.py)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-04-07 18:52:00 +08:00

__init__.py

feat(dashboard): add portfolio panel - watchlist, positions, and recommendations

2026-04-07 18:52:00 +08:00

portfolio.py

fix: resolve 4 critical security/correctness bugs in web dashboard

2026-04-07 18:52:00 +08:00