github · tradingview-mcpa6d2b40a17d1

Evidence

if not is_proxy_configured():

        return None

    c = _cfg()

    session_id = random.randint(c["min"], c["max"])

    return f"http://{c['prefix']}-{session_id}:{c['password']}@{c['host']}:{c['port']}"

Remediation

Use the secrets module (Python: secrets.token_urlsafe, secrets.choice), crypto.randomBytes (Node), or crypto.getRandomValues (browser). Reserve random.* for simulations, games, and ML sampling.

Evidence

# Run the MCP server over streamable-http (ideal for Docker/remote deployments)

ENTRYPOINT ["tradingview-mcp"]

CMD ["streamable-http", "--host", "0.0.0.0", "--port", "8000"]

Remediation

Bind to 127.0.0.1 for local-only access. If cross-host access is truly required, put the service behind an authenticated reverse proxy rather than exposing it on 0.0.0.0.

Evidence

"timestamp":     datetime.now(timezone.utc).isoformat(),

        }

    except Exception as e:

        return {"symbol": symbol.upper(), "error": str(e), "source": "Yahoo Finance"}

def get_prices_bulk(symbols: list[str]) -> list[dict]:

Remediation

Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.

Evidence

except Exception as e:

        conn.rollback()

        return {"error": f"Database error during trade: {str(e)}"}

    finally:

        conn.close()

Remediation

Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.

Evidence

"volume": volume,

        }

    except Exception as exc:

        return {"detected": False, "score": 0, "error": str(exc)}

def fetch_multi_timeframe_patterns(

Remediation

Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.

Evidence

# Health check

HEALTHCHECK --interval=30s --timeout=5s --retries=3 \

    CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health')" || exit 1

# Run the MCP server over streamable-http (ideal for Docker/remote deployments)

ENTRYPOINT ["tradingview-mcp"]

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

- uses: docker/setup-buildx-action@v3

      # Only log in when we actually intend to push (skip on pull_request).

      - uses: docker/login-action@v3

        if: github.event_name != 'pull_request'

        with:

          registry: ghcr.io

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

packages: write   # needed to push to ghcr.io/<owner>/<repo>

    steps:

      - uses: actions/checkout@v4

      - uses: docker/setup-qemu-action@v3

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

steps:

      - uses: actions/checkout@v4

      - uses: docker/setup-qemu-action@v3

      - uses: docker/setup-buildx-action@v3

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

- uses: docker/setup-qemu-action@v3

      - uses: docker/setup-buildx-action@v3

      # Only log in when we actually intend to push (skip on pull_request).

      - uses: docker/login-action@v3

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

password: ${{ secrets.GITHUB_TOKEN }}

      - id: meta

        uses: docker/metadata-action@v5

        with:

          images: ghcr.io/${{ github.repository }}

          # Tag logic:

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

type=sha,prefix=sha-

            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') || startsWith(github.ref, 'refs/tags/v') }}

      - uses: docker/build-push-action@v6

        with:

          context: .

          platforms: linux/amd64,linux/arm64

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

if f.endswith(".txt")

            ]

            if exchanges:

                return f"Available exchanges: {', '.join(sorted(exchanges))}"

    except Exception:

        pass

    return "Common exchanges: KUCOIN, BINANCE, BYBIT, MEXC, BITGET, OKX, COINBASE, GATEIO, HUOBI, BITFINEX, KRAKEN, BITSTAMP, BIST, EGX, NASDAQ, TWSE, TPEX"

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

try:

    from dotenv import load_dotenv

    _env_path = os.path.join(os.path.dirname(__file__), "../../../../.env")

    load_dotenv(dotenv_path=_env_path, override=False)

except ImportError:

    pass

# ─── Read config from env ─────────────────────────────────────────────────────

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

"method": "multi-timeframe",

                "total_found": len(results),

                "data": results[:limit],

            }

        except Exception:

            pass  # Fall through to single-timeframe fallback

    return scan_advanced_candle_patterns_single_tf(exchange, symbols, base_timeframe, pattern_length, min_size_increase, limit)

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

data = None

    try:

        with urllib.request.urlopen(req, timeout=15) as resp:

            data = json.loads(resp.read().decode("utf-8"))

    except Exception:

        pass

    if data is None:

        try:

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

else:

        try:

            mcp.settings.host = args.host

            mcp.settings.port = args.port

        except Exception:

            pass

        mcp.run(transport="streamable-http")

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

if h is not None and ll is not None and h > ll:

                    swing_high = float(h)

                    swing_low = float(ll)

                    swing_source = f"screener ({lookback} period high/low)"

        except Exception:

            pass

    try:

        analysis = get_multiple_analysis(screener=screener, interval=timeframe, symbols=[full_symbol])

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

# Filter out None values (can happen for incomplete candles)

        valid_closes = [c for c in closes if c is not None]

        if len(valid_closes) >= 2:

            return valid_closes[-2]

    except (IndexError, TypeError, KeyError):

        pass

    # Fallback to meta fields if candle data unavailable

    meta = chart_result.get("meta", {})

    return meta.get("previousClose") or meta.get("chartPreviousClose")

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.