Skip to content

fix: HONEYPOT_MARKER for honeypot message#34

Merged
Nivmizz7 merged 1 commit into
mainfrom
fix-honeypot-message-marker
Jul 13, 2026
Merged

fix: HONEYPOT_MARKER for honeypot message#34
Nivmizz7 merged 1 commit into
mainfrom
fix-honeypot-message-marker

Conversation

@Nivmizz7

@Nivmizz7 Nivmizz7 commented Jul 13, 2026

Copy link
Copy Markdown
Member

CodeAnt-AI Description

Fix the honeypot warning marker so it can be detected reliably

What Changed

  • Changed the hidden marker in the honeypot warning message to a readable, stable label
  • Keeps the warning message identifiable after restarts so the bot can find and manage it consistently

Impact

✅ Reliable honeypot message tracking
✅ Fewer duplicate warning messages
✅ More consistent channel cleanup

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

@Nivmizz7
Nivmizz7 merged commit 1f9c47f into main Jul 13, 2026
6 of 7 checks passed
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 413e3693-ba92-4d14-9dec-406dcbf0e698

📥 Commits

Reviewing files that changed from the base of the PR and between c8265b8 and 5429933.

📒 Files selected for processing (1)
  • src/handlers/honeypotHandler.js

📝 Walkthrough

Summary by CodeRabbit

  • Bug Fixes
    • Improved honeypot warning detection to prevent duplicate warning messages.
    • Ensured honeypot warnings are preserved during cleanup operations.

Walkthrough

The honeypot detection marker changes from an HTML comment to the plain-text string "TrackerBot Honeypot". Honeypot setup, deletion, punishment, and bulk-delete behavior remain unchanged.

Changes

Honeypot marker handling

Layer / File(s) Summary
Update honeypot detection marker
src/handlers/honeypotHandler.js
The stable marker used to detect existing honeypot warnings and exclude them from cleanup is changed to "TrackerBot Honeypot".

Estimated code review effort: 1 (Trivial) | ~2 minutes

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix-honeypot-message-marker

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codeant-ai codeant-ai Bot added the size:XS This PR changes 0-9 lines, ignoring generated files label Jul 13, 2026
@kilo-code-bot

kilo-code-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (1 files)
  • src/handlers/honeypotHandler.js

Reviewed by hy3:free · Input: 36.5K · Output: 3.9K · Cached: 68.9K

// Stable marker embedded in the bot's warning message so we can detect it
// across restarts without persisting state.
const HONEYPOT_MARKER = "<!-- trackerbot-honeypot-message -->";
const HONEYPOT_MARKER = "TrackerBot Honeypot";

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: The marker value is too generic for a substring-based detector. Because the code later treats any bot message whose content includes this marker as the protected honeypot warning, another bot posting this phrase will be mistaken as the canonical warning, which can suppress warning creation and prevent cleanup deletion for that message. Use a highly unique/unguessable marker string (and ideally pair detection with the expected bot author) to avoid false positives. [logic error]

Severity Level: Major ⚠️
- ❌ Honeypot warning missing when other bot posts marker.
- ⚠️ Old bot message preserved, interfering with honeypot cleanup.
- ⚠️ Misclassified message weakens honeypot reliability and safety.
Steps of Reproduction ✅
1. Start the Discord bot using `bot.js:1-29`, with `HONEYPOT_CHANNEL_ID` set and
`setupHoneypot(client)` called at `bot.js:27`, which in turn registers honeypot behavior
via `setupHoneypot` in `src/handlers/honeypotHandler.js:24-74`.

2. In the honeypot channel whose ID matches `HONEYPOT_CHANNEL_ID`
(`honeypotHandler.js:8`), have a different bot (any Discord bot account other than this
TrackerBot client) send a message whose `content` includes the literal phrase `"TrackerBot
Honeypot"` (the marker defined at `honeypotHandler.js:12`), for example `"TrackerBot
Honeypot test message"`.

3. On `ClientReady`, `setupHoneypot` calls `ensureHoneypotMessage(channel)` at
`honeypotHandler.js:37`. Inside `ensureHoneypotMessage` (`honeypotHandler.js:78-85`), the
code iterates pages from `fetchMessagePages` and checks `messages.some(msg =>
msg.author.bot && msg.content?.includes(HONEYPOT_MARKER))` at `honeypotHandler.js:80`.
Because the other bot’s message satisfies `msg.author.bot` and
`msg.content.includes("TrackerBot Honeypot")`, the function returns early at
`honeypotHandler.js:81` without sending the actual honeypot warning
(`channel.send(HONEYPOT_WARNING)` at `honeypotHandler.js:84` is skipped).

4. Later, when periodic cleanup runs via `cleanupOldMessages(channel)` from the interval
in `setupHoneypot` (`honeypotHandler.js:40-45`), the filter at `honeypotHandler.js:93-96`
computes `toDelete` as messages older than 16h where NOT `(msg.author.bot &&
msg.content?.includes(HONEYPOT_MARKER))`. The unrelated bot’s message is preserved because
it matches the marker condition, causing it to be treated as the protected honeypot
warning even though it was not authored by the TrackerBot client and may be arbitrary
content. This demonstrates that any bot message containing the generic marker substring is
misclassified as the honeypot warning, affecting warning creation and cleanup behavior.

Fix in Cursor Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖
This is a comment left during a code review.

**Path:** src/handlers/honeypotHandler.js
**Line:** 12:12
**Comment:**
	*Logic Error: The marker value is too generic for a substring-based detector. Because the code later treats any bot message whose content includes this marker as the protected honeypot warning, another bot posting this phrase will be mistaken as the canonical warning, which can suppress warning creation and prevent cleanup deletion for that message. Use a highly unique/unguessable marker string (and ideally pair detection with the expected bot author) to avoid false positives.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
👍 | 👎

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size:XS This PR changes 0-9 lines, ignoring generated files

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant