Conversation
WalkthroughUpdated default values for environment-backed configuration constants in info.py, including API credentials, admin identifiers, links, channels, and MongoDB URI/name. No logic, flow, or error-handling changes. COLLECTION_NAME remains unchanged. Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Poem
Tip 🔌 Remote MCP (Model Context Protocol) integration is now available!Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats. ✨ Finishing Touches
🧪 Generate unit tests
🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
SupportNeed help? Create a ticket on our support page for assistance with any issues or questions. CodeRabbit Commands (Invoked using PR/Issue comments)Type Other keywords and placeholders
CodeRabbit Configuration File (
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (3)
info.py (3)
6-12: Harden is_enabled to handle None/bool and whitespace; current implementation assumes a strThe function calls value.lower() unconditionally; callers also pass literal keys (see below), so env flags are ignored.
Apply:
def is_enabled(value, default): - if value.lower() in ["true", "yes", "1", "enable", "y"]: - return True - elif value.lower() in ["false", "no", "0", "disable", "n"]: - return False - else: - return default + if value is None: + return default + if isinstance(value, bool): + return value + v = str(value).strip().lower() + if v in ["true", "yes", "1", "enable", "y", "on"]: + return True + if v in ["false", "no", "0", "disable", "n", "off"]: + return False + return default
45-45: Env flags are never read (literals passed to is_enabled) and STREAM_MODE uses bool(str)Passing string literals like 'AUTO_FILTER' makes flags permanently equal to defaults. Also, bool(environ.get('STREAM_MODE', True)) is almost always True. Read from env properly.
Apply:
-IS_VERIFY = is_enabled('IS_VERIFY', True) +IS_VERIFY = is_enabled(getenv('IS_VERIFY'), True)-AUTO_FILTER = is_enabled('AUTO_FILTER', True) -IS_PM_SEARCH = is_enabled('IS_PM_SEARCH', False) -AUTO_DELETE = is_enabled('AUTO_DELETE', True) -IMDB = is_enabled('IMDB', False) -LONG_IMDB_DESCRIPTION = is_enabled('LONG_IMDB_DESCRIPTION', False) -PROTECT_CONTENT = is_enabled('PROTECT_CONTENT', False) -SPELL_CHECK = is_enabled('SPELL_CHECK', True) -LINK_MODE = is_enabled('LINK_MODE', True) +AUTO_FILTER = is_enabled(getenv('AUTO_FILTER'), True) +IS_PM_SEARCH = is_enabled(getenv('IS_PM_SEARCH'), False) +AUTO_DELETE = is_enabled(getenv('AUTO_DELETE'), True) +IMDB = is_enabled(getenv('IMDB'), False) +LONG_IMDB_DESCRIPTION = is_enabled(getenv('LONG_IMDB_DESCRIPTION'), False) +PROTECT_CONTENT = is_enabled(getenv('PROTECT_CONTENT'), False) +SPELL_CHECK = is_enabled(getenv('SPELL_CHECK'), True) +LINK_MODE = is_enabled(getenv('LINK_MODE'), True)-STREAM_MODE = bool(environ.get('STREAM_MODE', True)) # Set True or Flase +STREAM_MODE = is_enabled(getenv('STREAM_MODE'), True) # Set True or FalseAlso applies to: 81-94, 98-98
49-54: More API keys committed as defaults (shortener services) — remove and rotateThese look like real keys and domains. Treat them as secrets.
Apply:
-SHORTENER_API = environ.get("SHORTENER_API", "…redacted…") -SHORTENER_WEBSITE = environ.get("SHORTENER_WEBSITE", 'omegalinks.in') -SHORTENER_API2 = environ.get("SHORTENER_API2", "…redacted…") -SHORTENER_WEBSITE2 = environ.get("SHORTENER_WEBSITE2", 'omegalinks.in') -SHORTENER_API3 = environ.get("SHORTENER_API3", "…redacted…") -SHORTENER_WEBSITE3 = environ.get("SHORTENER_WEBSITE3", 'omegalinks.in') +SHORTENER_API = getenv("SHORTENER_API") +SHORTENER_WEBSITE = getenv("SHORTENER_WEBSITE", "") +SHORTENER_API2 = getenv("SHORTENER_API2") +SHORTENER_WEBSITE2 = getenv("SHORTENER_WEBSITE2", "") +SHORTENER_API3 = getenv("SHORTENER_API3") +SHORTENER_WEBSITE3 = getenv("SHORTENER_WEBSITE3", "")Rotate all exposed keys at their providers and purge them from history.
🧹 Nitpick comments (3)
info.py (3)
5-5: Fix id_pattern: current regex matches “any char + digits” and allows odd casesr'^.\d+$' accepts a single arbitrary leading char (including letters), then digits. Use a clear numeric pattern that supports negative IDs (e.g., Telegram chats).
Apply:
-id_pattern = re.compile(r'^.\d+$') +id_pattern = re.compile(r'^-?\d+$')Follow-up (outside this hunk): switch id_pattern.search(...) to id_pattern.fullmatch(...) where used (e.g., Lines 21, 25, 66, 67) to avoid partial matches.
61-61: Optional: Keep YEARS list current automaticallyHard-coding through 2024 will age quickly. Generate dynamically.
Apply (includes new import):
-YEARS = [f'{i}' for i in range(2024 , 2002,-1 )] +from datetime import datetime # at top of file +YEARS = [str(i) for i in range(datetime.utcnow().year, 2002, -1)]
112-132: Config surface is growing; consider a typed settings object with validationThe SETTINGS dict mirrors many globals. A typed config (pydantic BaseSettings/dataclass) would centralize env parsing, validation, and defaults; easier to test and safer.
If you want, I can propose a minimal pydantic-based Settings class and migrate callers incrementally.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
💡 Knowledge Base configuration:
- MCP integration is disabled by default for public repositories
- Jira integration is disabled by default for public repositories
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (1)
info.py(1 hunks)
🧰 Additional context used
🪛 Gitleaks (8.27.2)
info.py
17-17: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
(generic-api-key)
| API_ID = int(environ.get('API_ID', '21335951')) | ||
| API_HASH = environ.get('API_HASH', '6dcf7f757103ba5dd383474830a47271') | ||
| BOT_TOKEN = environ.get('BOT_TOKEN', '8354170660:AAGI_DwNUUT3KKwT5ohpWJUewD1OMN5yuhU') |
There was a problem hiding this comment.
💡 Verification agent
🧩 Analysis chain
Critical: Hard-coded Telegram credentials (API_ID/API_HASH/BOT_TOKEN) are committed — rotate and remove immediately
Exposing these in a public repo enables account takeover and abuse. Replace with required environment variables and fail fast if missing. Also purge secrets from git history and rotate via BotFather/my.telegram.org.
Apply this diff to stop committing secrets and enforce required envs (values redacted to avoid re-exposing):
-API_ID = int(environ.get('API_ID', '21335951'))
-API_HASH = environ.get('API_HASH', '…redacted…')
-BOT_TOKEN = environ.get('BOT_TOKEN', '…redacted…')
+API_ID_STR = getenv('API_ID')
+API_HASH = getenv('API_HASH')
+BOT_TOKEN = getenv('BOT_TOKEN')
+if not API_ID_STR or not API_HASH or not BOT_TOKEN:
+ raise RuntimeError("Missing required env vars: API_ID, API_HASH, BOT_TOKEN")
+API_ID = int(API_ID_STR)Optional script to scan repo for remaining exposures (tokens, SRV URIs, etc.):
Next steps:
- Revoke and regenerate the bot token via @Botfather immediately.
- Invalidate/rotate the Telegram API_HASH/API_ID on my.telegram.org if tied to a sensitive app.
- Use gitleaks/detect-secrets pre-commit to prevent recurrence. I can add a pre-commit config if you want.
🏁 Script executed:
#!/bin/bash
# Grep for common secret patterns; adjust as needed.
rg -nP --hidden --glob '!*lock*' -C1 '(BOT_TOKEN|API_HASH|mongodb\+srv://|SECRET|TOKEN|API_KEY|AUTH_KEY)'Length of output: 1836
Critical: Remove All Hard-Coded Secrets and Enforce Required Environment Variables
Before merging, the following hard-coded credentials must be removed and treated as required env vars. Failing to do so risks immediate compromise of your Telegram bot and MongoDB database.
• info.py (lines 16–19 & 28–29)
- Remove default values for
API_ID,API_HASH,BOT_TOKEN,DATABASE_URIandDATABASE_NAME. - Enforce presence of each via
getenv()and fail fast if any are missing.
Example diff:
- API_ID = int(environ.get('API_ID', '21335951'))
- API_HASH = environ.get('API_HASH', '6dcf7f757103ba5dd383474830a47271')
- BOT_TOKEN = environ.get('BOT_TOKEN', '8354170660:AAGI_DwNUUT3KKwT5ohpWJUewD1OMN5yuhU')
+ API_ID_STR = getenv('API_ID')
+ API_HASH = getenv('API_HASH')
+ BOT_TOKEN = getenv('BOT_TOKEN')
- #---------------------------------------------------------------
- DATABASE_URI = environ.get('DATABASE_URI', "mongodb+srv://ManagerBoy:[email protected]/?retryWrites=true&w=majority&appName=ManagerBoy")
- DATABASE_NAME = environ.get('DATABASE_NAME', "ManagerBoy")
+ DATABASE_URI = getenv('DATABASE_URI')
+ DATABASE_NAME = getenv('DATABASE_NAME')
+
+ missing = [name for name in ('API_ID','API_HASH','BOT_TOKEN','DATABASE_URI','DATABASE_NAME')
+ if not locals()[name]]
+ if missing:
+ raise RuntimeError(f"Missing required env vars: {', '.join(missing)}")
+ API_ID = int(API_ID_STR)• README.md (lines 66–70)
- Remove any “default” or example values.
- Clarify that all five vars must be set before running.
Next steps:
- Revoke and rotate your Telegram bot token via @Botfather.
- Regenerate the Telegram API_HASH/API_ID at my.telegram.org.
- Rotate your MongoDB credentials and update the URI.
- Purge these secrets from Git history (e.g., with git-filter-repo).
- Add a secret-scanning pre-commit hook (gitleaks/detect-secrets) to prevent recurrence; I can help set this up.
Please address these immediately—this is a blocking security issue.
Committable suggestion skipped: line range outside the PR's diff.
🧰 Tools
🪛 Gitleaks (8.27.2)
17-17: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
(generic-api-key)
1 participant
Summary by CodeRabbit