@@ -1,71 +1,22 @@
import telegramBotApi from "../../telegram_bot_api.app.mjs";
import axios from "axios";

export default {
key: "telegram_bot_api-send-text-message-or-reply",
name: "Send a Text Message or Reply",
description: "Sends a text message or a reply to your Telegram Desktop application. [See the docs](https://core.telegram.org/bots/api#sendmessage) for more information",
version: "0.0.6",
annotations: {
destructiveHint: false,
openWorldHint: true,
readOnlyHint: false,
},
type: "action",
props: {
telegramBotApi,
chatId: {
propDefinition: [
telegramBotApi,
"chatId",
],
},
text: {
propDefinition: [
telegramBotApi,
"text",
],
},
parse_mode: {
propDefinition: [
telegramBotApi,
"parse_mode",
],
},
disable_notification: {
propDefinition: [
telegramBotApi,
"disable_notification",
],
},
link_preview_options: {
propDefinition: [
telegramBotApi,
"link_preview_options",
],
},
reply_to_message_id: {
propDefinition: [
telegramBotApi,
"reply_to_message_id",
],
},
reply_markup: {
propDefinition: [
telegramBotApi,
"reply_markup",
],
},
},
async run({ $ }) {
const resp = await this.telegramBotApi.sendMessage(this.chatId, this.text, {
parse_mode: this.parse_mode,
disable_notification: this.disable_notification,
link_preview_options: this.link_preview_options,
reply_to_message_id: this.reply_to_message_id,
reply_markup: this.reply_markup,
export default async function(event) {
const telegramToken = "8469316973:AAHawOsGOdQ1alVIPy8FpUW3yN-GoJbpcK4";
const chatId = "8409601106";
Comment on lines +4 to +5
⚠️ Potential issue | 🔴 Critical

Remove hardcoded Telegram credentials.

A real bot token (and chat ID) is embedded in source. That leaks control of the bot, violates our secret-handling policy, and was flagged by gitleaks. Retrieve the token/chat ID from a prop or managed auth (e.g. auth/props) and scrub the committed secret immediately (revoke the token on Telegram).

🧰 Tools
🪛 Gitleaks (8.28.0)

[high] 4-4: Detected a Telegram Bot API Token, risking unauthorized bot operations and message interception on Telegram.

(telegram-bot-api-token)

🤖 Prompt for AI Agents
In
components/telegram_bot_api/actions/send-text-message-or-reply/send-text-message-or-reply.mjs
around lines 4 to 5, remove the hardcoded Telegram bot token and chat ID and
instead read them from a secure source (preferably injected via props or an auth
object, or environment variables) with validation and clear error handling when
missing; ensure the implementation never logs or commits the raw secret, update
callers to pass the token/chatId through props/auth, and revoke the embedded
token in Telegram immediately to scrub the secret from production.


// الرسالة اللي جت من TradingView
const message = event.body.text || JSON.stringify(event.body);

const url = `https://api.telegram.org/bot${telegramToken}/sendMessage`;

try {
const response = await axios.post(url, {
chat_id: chatId,
text: message,
parse_mode: "Markdown"
});
// eslint-disable-next-line multiline-ternary
$.export("$summary", `Successfully sent a ${this.reply_to_message_id ? "reply" : "text message"} to chat, "${this.chatId}"`);
return resp;
},
};
return response.data;
} catch (error) {
return { error: error.message };
}
}
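Review bot: `const message = event.body.text || JSON.stringify(event.body);` forwards whatever the inbound request carries, with no check that the request comes from the expected sender and no guard for a missing `event.body`; the line sits above the `try`, so a request without a body throws instead of reaching the `catch`. The text is then posted with `parse_mode: "Markdown"`, so characters such as `_`, `*` or `[` in the payload (common in stringified JSON) are treated as formatting and can make the Bot API reject the message. Suggest verifying the request before sending (for example a shared secret the handler compares), reading the body inside the `try`, and either dropping `parse_mode` or escaping the text. The `catch` also returns `{ error: error.message }` instead of throwing, so a failed send looks like a successful run; rethrow so the failure is visible.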
Comment on lines +3 to +22
⚠️ Potential issue | 🔴 Critical

Restore the Pipedream component export.

This file must export the Pipedream action/component object (name, props, run, etc.). Replacing it with a bare async function removes the metadata and breaks runtime execution + UI integration, so the action will fail to load. Please revert to the component export structure and reapply any logic inside the run method instead.

🧰 Tools
🪛 Gitleaks (8.28.0)

[high] 4-4: Detected a Telegram Bot API Token, risking unauthorized bot operations and message interception on Telegram.

(telegram-bot-api-token)
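One way to apply the remediation the first review comment asks for (credentials injected at run time, validated, and never echoed), as an added example that is not code from this pull request or from Pipedream. The function names, the environment variable names `TELEGRAM_BOT_TOKEN` and `TELEGRAM_CHAT_ID`, the token pattern, and the numeric-only chat ID check are assumptions made for the example; the `post` argument stands in for whatever HTTP client the caller uses.

```javascript
// Added example. All names here are hypothetical, not part of the PR or of Pipedream.

// Assumed token shape: numeric bot id, a colon, then 35 URL-safe characters.
const TOKEN_RE = /^\d{6,12}:[A-Za-z0-9_-]{35}$/;

// Read credentials from an injected environment object and validate them.
// Error messages name the variable but never contain its value.
function loadTelegramConfig(env) {
  const token = env.TELEGRAM_BOT_TOKEN;
  const chatId = env.TELEGRAM_CHAT_ID;
  if (!token || !TOKEN_RE.test(token)) {
    throw new Error("TELEGRAM_BOT_TOKEN is missing or malformed");
  }
  // Assumption: numeric chat ids only (channel usernames are not handled).
  if (!chatId || !/^-?\d+$/.test(chatId)) {
    throw new Error("TELEGRAM_CHAT_ID is missing or not numeric");
  }
  return { token, chatId };
}

// Replace every occurrence of the token so it cannot reach logs or return values.
function redact(text, token) {
  return String(text).split(token).join("<redacted-token>");
}

// Build the sendMessage call. No parse_mode is set, so untrusted text is sent as plain text.
function buildSendMessageRequest(config, text) {
  return {
    url: `https://api.telegram.org/bot${config.token}/sendMessage`,
    body: { chat_id: config.chatId, text: String(text) },
  };
}

// `post(url, body)` is supplied by the caller (for example a thin wrapper over an HTTP client).
async function sendMessage(env, text, post) {
  const config = loadTelegramConfig(env);
  const req = buildSendMessageRequest(config, text);
  try {
    return await post(req.url, req.body);
  } catch (err) {
    // Surface the failure, but with the secret stripped from the message.
    throw new Error(redact(err.message, config.token));
  }
}
```

The token only ever exists in the injected environment and in the request URL; anything that leaves `sendMessage` as an error has passed through `redact` first.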