Update config.py #362
Pull request overview
This pull request replaces empty string defaults in configuration variables with hardcoded personal credentials and identifiers. The changes fundamentally alter the configuration approach from requiring environment variables to providing hardcoded fallback values.
Changes:
- Hardcoded Telegram API credentials (APP_ID and API_HASH) as default values
- Hardcoded MongoDB connection string with embedded username and password
- Hardcoded personal identifiers (OWNER_ID, CHANNEL_ID, DB_NAME, admin ID)
|
|
||
| #Your API ID from my.telegram.org | ||
| APP_ID = int(os.environ.get("APP_ID", "")) | ||
| APP_ID = int(os.environ.get("APP_ID", "26422668")) |
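Review bot: On the removed line, `int(os.environ.get("APP_ID", ""))` raises ValueError from `int("")` whenever APP_ID is unset, and the added line hides that crash behind one account's ID instead of fixing it. Read the variable first and stop with a message that names APP_ID when it is missing, so a deployment cannot start on someone else's application identity.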
Copilot
AI
Feb 1, 2026
This change exposes a Telegram API ID as a hardcoded default value. API credentials should never be committed to version control as they can be used to impersonate your application. Anyone with access to this repository can now use this API ID. Remove this hardcoded value and keep the default as an empty string, requiring users to set their own APP_ID via environment variables.
| APP_ID = int(os.environ.get("APP_ID", "26422668")) | |
| APP_ID = int(os.environ.get("APP_ID", "")) |
|
|
||
| #Your API Hash from my.telegram.org | ||
| API_HASH = os.environ.get("API_HASH", "") | ||
| API_HASH = os.environ.get("API_HASH", "13853df234b2fbe18d9027a5985cc69e") |
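Review bot: The non-empty default on the `+` line means a deployment that forgets to set API_HASH starts without any error and authenticates as the committer's Telegram application. Keep the default empty and fail at startup when the value is missing. The hash on this line is already part of the pull request's history, so reverting the line does not make it secret again and it should be treated as disclosed.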
Copilot
AI
Feb 1, 2026
This change exposes a Telegram API Hash as a hardcoded default value. This is a critical security vulnerability. API hashes are secret credentials that, combined with the API ID, allow complete access to your Telegram application. This credential must be removed immediately and kept secret. Never commit API hashes to version control. Keep the default as an empty string and require users to set this via environment variables only.
| API_HASH = os.environ.get("API_HASH", "13853df234b2fbe18d9027a5985cc69e") | |
| API_HASH = os.environ.get("API_HASH", "") |
|
|
||
| #Your db channel Id | ||
| CHANNEL_ID = int(os.environ.get("CHANNEL_ID", "")) | ||
| CHANNEL_ID = int(os.environ.get("CHANNEL_ID", "-1003433236081")) |
Copilot
AI
Feb 1, 2026
This change exposes a specific Telegram channel ID as a hardcoded default. While less sensitive than API credentials, hardcoding this value removes the flexibility of the configuration system and couples this code to a specific channel. Users should provide their own channel ID via environment variables. Keep the default as an empty string to maintain the configuration pattern.
| CHANNEL_ID = int(os.environ.get("CHANNEL_ID", "-1003433236081")) | |
| _raw_channel_id = os.environ.get("CHANNEL_ID", "") | |
| CHANNEL_ID = int(_raw_channel_id) if _raw_channel_id else 0 |
|
|
||
| #OWNER ID | ||
| OWNER_ID = int(os.environ.get("OWNER_ID", "")) | ||
| OWNER_ID = int(os.environ.get("OWNER_ID", "7527314266")) |
Copilot
AI
Feb 1, 2026
Hardcoding a specific owner ID removes the configurability of the application. This means anyone deploying this code will inadvertently grant owner privileges to user ID 7527314266 instead of themselves. This is a security concern as it could allow unauthorized control of bot instances. Keep the default as an empty string and require each deployment to specify their own owner ID via environment variables.
| #Database | ||
| DB_URI = os.environ.get("DATABASE_URL", "") | ||
| DB_NAME = os.environ.get("DATABASE_NAME", "filesharexbot") | ||
| DB_URI = os.environ.get("DATABASE_URL", "mongodb+srv://villainravangaming:mikey_kun_781_@cluster0.fbgs1zz.mongodb.net/?retryWrites=true&w=majority") |
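Review bot: With the default added on the `+` line, any deployment that leaves DATABASE_URL unset connects to this one cluster and writes its users' data there, using the username and password embedded in the connection string. Restore the empty default and refuse to start without DATABASE_URL. The password needs to be changed on the cluster as well, since deleting it in a later commit leaves it readable in this diff.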
Copilot
AI
Feb 1, 2026
This change exposes a MongoDB connection string containing sensitive credentials (username: villainravangaming, password: mikey_kun_781_) in plain text. This is a critical security vulnerability. Anyone with access to this repository can now access, modify, or delete your database. The connection string also exposes your database cluster address. Remove this hardcoded value immediately, rotate your database credentials, and use environment variables exclusively for database configuration.
| DB_URI = os.environ.get("DATABASE_URL", "mongodb+srv://villainravangaming:mikey_kun_781_@cluster0.fbgs1zz.mongodb.net/?retryWrites=true&w=majority") | |
| DB_URI = os.environ.get("DATABASE_URL", "") |
| DB_URI = os.environ.get("DATABASE_URL", "") | ||
| DB_NAME = os.environ.get("DATABASE_NAME", "filesharexbot") | ||
| DB_URI = os.environ.get("DATABASE_URL", "mongodb+srv://villainravangaming:mikey_kun_781_@cluster0.fbgs1zz.mongodb.net/?retryWrites=true&w=majority") | ||
| DB_NAME = os.environ.get("DATABASE_NAME", "villainravangaming") |
Copilot
AI
Feb 1, 2026
Hardcoding a specific database name removes flexibility and couples the code to a particular database instance. While not as critical as exposing credentials, this should remain configurable via environment variables. Keep the generic default value "filesharexbot" to maintain proper configuration practices.
| DB_NAME = os.environ.get("DATABASE_NAME", "villainravangaming") | |
| DB_NAME = os.environ.get("DATABASE_NAME", "filesharexbot") |
|
|
||
| ADMINS.append(OWNER_ID) | ||
| ADMINS.append(1250450587) | ||
| ADMINS.append(7527314266) |
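Review bot: `ADMINS.append(7527314266)` is a bare literal rather than an environment default, so no configuration can remove it: every deployment of this file grants admin rights to that account, on top of whatever `ADMINS.append(OWNER_ID)` adds. The removed line had the same pattern with a different ID. Drop the literal append and let ADMINS come only from OWNER_ID and values the operator configures.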
Copilot
AI
Feb 1, 2026
This change adds the same user ID (7527314266) to the ADMINS list that was already set as OWNER_ID on line 23. Since line 68 already appends OWNER_ID to ADMINS, this creates a duplicate entry in the admins list. This is redundant and potentially confusing. The original value (1250450587) should only be changed if there's a legitimate reason to add a different secondary admin, otherwise this hardcoded addition should be removed entirely or kept as the original secondary admin ID if that was intentional.
| ADMINS.append(7527314266) |
No description provided.
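
The pattern flagged throughout this review, a non-empty literal passed as the fallback to `os.environ.get`, can be caught mechanically before merge. The following is an added example, not code from this pull request or from the project; the `SENSITIVE` set and the sample file contents are assumptions constructed for illustration.

```python
import ast

# Constructed sample shaped like the reviewed config.py; every value is a placeholder.
SAMPLE = '''
import os
APP_ID = int(os.environ.get("APP_ID", "12345"))
API_HASH = os.environ.get("API_HASH", "")
DB_URI = os.environ.get("DATABASE_URL", "mongodb+srv://user:pass@host.example/")
DB_NAME = os.environ.get("DATABASE_NAME", "filesharexbot")
OWNER_ID = int(os.environ["OWNER_ID"])
'''

# Assumption: the variables the review treats as per-deployment or secret.
SENSITIVE = {"APP_ID", "API_HASH", "DATABASE_URL", "OWNER_ID", "CHANNEL_ID"}


def _is_env_lookup(call):
    """True for os.environ.get(...) and os.getenv(...)."""
    func = call.func
    if not isinstance(func, ast.Attribute):
        return False
    if func.attr == "getenv":
        return isinstance(func.value, ast.Name) and func.value.id == "os"
    target = func.value
    return (func.attr == "get" and isinstance(target, ast.Attribute)
            and target.attr == "environ"
            and isinstance(target.value, ast.Name) and target.value.id == "os")


def find_hardcoded_defaults(source, sensitive=SENSITIVE):
    """Return sorted (line, env_name) pairs whose fallback is a non-empty literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_env_lookup(node) and node.args):
            continue
        name = node.args[0]
        # The fallback may be the second positional argument or default=...
        default = node.args[1] if len(node.args) > 1 else next(
            (kw.value for kw in node.keywords if kw.arg == "default"), None)
        if not (isinstance(name, ast.Constant) and name.value in sensitive):
            continue
        if isinstance(default, ast.Constant) and default.value not in ("", None):
            findings.append((node.lineno, name.value))
    return sorted(findings)


if __name__ == "__main__":
    for line, env_name in find_hardcoded_defaults(SAMPLE):
        print(f"line {line}: {env_name} has a hardcoded fallback value")
```

Run as a pre-merge check over `config.py`, a non-empty result is a reason to block the change; the generic `DATABASE_NAME` default passes because it is not in the sensitive set.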