Summary
triage_issue() passes str(exc) directly into the Telegram error notification (triage.py:837). Exception messages can contain server paths, internal URLs, command-line arguments, or env var names — all of which end up visible in the Telegram chat.
Details
The current flow:
except Exception as exc:
log.exception("Triage failed for %s#%d", ...) # good — full details in logs
await _send_error_notification(metadata, str(exc), ...) # problem — full details to Telegram_send_error_notification builds the text as:
text = f"Issue triage failed for {metadata.repo}#{metadata.number}: {error_detail}"Depending on the exception type, str(exc) may expose:
- Server filesystem paths (
FileNotFoundError, PermissionError)
- Internal URLs and ports (
ConnectionError, aiohttp.ClientError)
- Subprocess command-line arguments
With GITHUB_NOTIFY_CHAT_ID (#182), these messages now reach group chats too.
Suggested fix
Send only the exception type name to Telegram — log.exception() already captures the full details:
await _send_error_notification(
metadata,
type(exc).__name__, # e.g. "TimeoutError", not the full message
webhook_port,
webhook_secret,
notify_chat_id,
)The same pattern should be checked in review.py if it has a similar notification path.
Summary
triage_issue()passesstr(exc)directly into the Telegram error notification (triage.py:837). Exception messages can contain server paths, internal URLs, command-line arguments, or env var names — all of which end up visible in the Telegram chat.Details
The current flow:
_send_error_notificationbuilds the text as:Depending on the exception type,
str(exc)may expose:FileNotFoundError,PermissionError)ConnectionError,aiohttp.ClientError)With
GITHUB_NOTIFY_CHAT_ID(#182), these messages now reach group chats too.Suggested fix
Send only the exception type name to Telegram —
log.exception()already captures the full details:The same pattern should be checked in
review.pyif it has a similar notification path.