Hardcoded Telegram Bot API token in source code (SCT-1049)
Leaking a Telegram Bot API token in source code is a severe security issue: anyone who obtains the token gains control of the bot and access to its resources, which can lead to data breaches and unauthorized usage. API tokens must therefore never be hardcoded in source code.
If a token has been leaked, revoke it (for example by regenerating it through BotFather) so that the exposed value no longer grants access to the bot.
Store the token in an environment variable instead. This keeps the token out of the source code and separate from the codebase, and it also makes the token easier to manage, since it can be rotated without modifying or redeploying the code. Additionally, restrict access to the token to only those who need it, for example by using IAM roles and permissions on the system that holds it.
Bad practice
import telebot

# Token generated from BotFather, hardcoded as a string literal:
# anyone with read access to the repository (or its history) obtains it.
bot = telebot.TeleBot("YOUR_TELEGRAM_BOT_API_TOKEN")

@bot.message_handler(commands=['start'])
def send_welcome(message):
    bot.reply_to(message, "Hello, welcome to my bot!")

bot.polling()
Recommended
import os
import telebot

# Token generated from BotFather, read from the environment at runtime
# so it never appears in the source tree. Fail fast if it is missing
# rather than passing None to the client.
token = os.getenv('TELEGRAM_BOT_API_TOKEN')
if not token:
    raise RuntimeError("TELEGRAM_BOT_API_TOKEN is not set")
bot = telebot.TeleBot(token)

@bot.message_handler(commands=['start'])
def send_welcome(message):
    bot.reply_to(message, "Hello, welcome to my bot!")

bot.polling()
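The two halves of this rule, detecting a hardcoded token and loading it safely from the environment, as an added example that is not part of the original rule text. The token shape (numeric bot id, colon, 35-character secret) is assumed from the documented BotFather format, and the source lines and token value below are constructed, not real credentials.

```python
import os
import re

# Assumed Telegram bot token shape: "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>".
TELEGRAM_TOKEN_RE = re.compile(r"\b(\d{8,10}):([A-Za-z0-9_-]{35})\b")


def find_hardcoded_tokens(source: str):
    """Return (line_no, redacted_token) for every Telegram token literal in source.

    The secret part is redacted in the finding so the scanner's own output
    does not become a second place where the token is leaked.
    """
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        for m in TELEGRAM_TOKEN_RE.finditer(line):
            redacted = f"{m.group(1)}:{m.group(2)[:4]}{'*' * 31}"
            findings.append((no, redacted))
    return findings


def load_bot_token(env=os.environ):
    """Read the token from TELEGRAM_BOT_API_TOKEN and fail fast if it is missing.

    A malformed value (typo, empty string, wrong variable) is rejected here
    instead of surfacing later as an opaque Telegram API error.
    """
    token = env.get("TELEGRAM_BOT_API_TOKEN")
    if not token or not TELEGRAM_TOKEN_RE.fullmatch(token):
        raise RuntimeError("TELEGRAM_BOT_API_TOKEN is missing or malformed")
    return token


# Constructed sample source: line 2 hardcodes a (fake) token, line 3 does not.
SAMPLE_SOURCE = """import telebot
bot = telebot.TeleBot("123456789:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw0")
safe = telebot.TeleBot(os.getenv("TELEGRAM_BOT_API_TOKEN"))
"""

if __name__ == "__main__":
    for line_no, redacted in find_hardcoded_tokens(SAMPLE_SOURCE):
        print(f"SCT-1049: hardcoded Telegram token on line {line_no}: {redacted}")
```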