telegram-bot-bash/README.txt

173 lines
6.1 KiB
Plaintext
Raw Normal View History

2019-04-09 11:41:38 +00:00
bashbot
-------
A Telegram bot written in bash.
Written by Drew (@topkecleon), Daniil Gentili (@danogentili), and Kay M
(@gnadelwartz).
Contributions by JuanPotato, BigNerd95, TiagoDanin, and iicc1.
Released to the public domain wherever applicable. Elsewhere, consider
it released under the http://www.wtfpl.net/txt/copying/[WTFPLv2].
2019-04-17 07:34:02 +00:00
Prerequisites
~~~~~~~~~~~~~
2019-04-09 11:41:38 +00:00
Depends on http://github.com/tmux/tmux[tmux]. Uses
http://github.com/dominictarr/JSON.sh[JSON.sh].
2019-04-18 19:02:06 +00:00
Most complete link:doc/4_expert.md#Bashbot-UTF-8-Support[UTF-8 support
for bashbot] is availible if phyton is installed (optional).
2019-04-13 12:50:53 +00:00
2019-04-16 18:43:54 +00:00
Bashbot https://github.com/topkecleon/telegram-bot-bash[Documentation]
and https://github.com/topkecleon/telegram-bot-bash/releases[Downloads]
are availible on www.github.com
2019-04-09 11:41:38 +00:00
Install bashbot
~~~~~~~~~~~~~~~
1. Go to the directory you want to install bashbot, e.g.
* your $HOME directory (install and run with your user-ID)
* /usr/local if you want to run as service
2019-04-19 11:01:25 +00:00
2. https://github.com/topkecleon/telegram-bot-bash/releases[Download
2019-04-22 18:34:43 +00:00
latest release zip from github] and extract all files.
2019-04-19 12:07:01 +00:00
+
2019-04-22 18:34:43 +00:00
As an alternative you can clone the github repository to get the latest
2019-04-23 13:48:58 +00:00
improvements/fixes, run bashbot test suite `All-tests.sh` afterwards to
see if code looks OK.
2019-04-19 12:07:01 +00:00
+
....
2019-04-22 18:34:43 +00:00
git clone https://github.com/topkecleon/telegram-bot-bash; test/ALL-tests.sh
2019-04-19 12:07:01 +00:00
....
3. Go to directory `telegram-bot-bash`, run `./bashbot.sh init` and
follow the instructions. At this point you are asked for your Bots token
given by botfather.
2019-04-09 11:41:38 +00:00
2019-04-12 11:14:33 +00:00
Update bashbot
~~~~~~~~~~~~~~
1. https://github.com/topkecleon/telegram-bot-bash/releases[Download
latest update zip from github]
2. Extract all files and copy them to your bashbot dir
3. Run `sudo ./bashbot.sh init` to setup your environment after the
2019-04-17 07:34:02 +00:00
update
2019-04-12 11:14:33 +00:00
2019-04-17 07:34:02 +00:00
Documentation
~~~~~~~~~~~~~
2019-04-09 11:41:38 +00:00
2019-04-16 18:43:54 +00:00
* link:doc/1_firstbot.md[Create a new Telegram Bot with botfather]
2019-04-16 11:29:49 +00:00
* link:doc/2_usage.md[Getting Started]
** Managing your Bot
** Recieve data
2019-04-16 18:43:54 +00:00
** Send messages
** Send files, locations, keyboards
2019-04-11 08:02:52 +00:00
* link:doc/3_advanced.md[Advanced Features]
2019-04-16 11:29:49 +00:00
** Access Control
** Interactive Chats
** Background Jobs
** Inline queries
2019-04-09 11:41:38 +00:00
* link:doc/4_expert.md[Expert Use]
2019-04-16 18:43:54 +00:00
** Handling UTF-8 character sets
2019-04-16 11:29:49 +00:00
** Run as other user or system service
** Scedule bashbot from Cron
2019-04-11 08:02:52 +00:00
* link:doc/5_practice.md[Best Practices]
2019-04-16 18:43:54 +00:00
** Customize commands.sh
** Seperate logic from commands
2019-04-16 11:29:49 +00:00
** Test your Bot with shellcheck
2019-04-16 18:43:54 +00:00
* link:doc/6_reference.md[Bashbot function reference]
2019-04-19 11:01:25 +00:00
* link:doc/7_develop.md[Notes for bashbot developers]
2019-04-23 13:48:58 +00:00
* link:doc/8_customize.md[Customize bashbot environment]
2019-04-15 19:06:29 +00:00
Note on Keyboards
~~~~~~~~~~~~~~~~~
2019-04-16 18:43:54 +00:00
From Version 0.60 on keybord format for `send_keyboard` and
`send_message "mykeyboardstartshere ..."` was changed. Keybords are now
defined in JSON Array notation e.g. "[ \"yes\" , \"no\" ]". This has the
advantage that you can create any type of keyboard supported by
2019-04-17 07:34:02 +00:00
Telegram. The old format is supported for backward compatibility, but
2019-04-18 08:35:18 +00:00
may fail for corner cases.
2019-04-15 19:06:29 +00:00
_Example Keyboards_:
2019-04-18 08:35:18 +00:00
* yes no in two rows:
** OLD format: 'yes' 'no' (two strings)
** NEW format: '[ "yes" ] , [ "no" ]' (two arrays with a string)
* new layouts made easy with NEW format:
** Yes No in one row: '[ "yes" , "no" ]'
** Yes No plus Maybe in 2.row: '[ "yes" , "no" ] , [ "maybe" ]'
2019-04-16 18:43:54 +00:00
** numpad style keyboard: '[ "1" , "2" , "3" ] , [ "4" , "5" , "6" ] , [
"7" , "8" , "9" ] , [ "0" ]'
2019-04-09 11:41:38 +00:00
Security Considerations
~~~~~~~~~~~~~~~~~~~~~~~
2019-04-16 14:45:26 +00:00
Running a Telegram Bot means it is connected to the public and you never
2019-04-09 11:41:38 +00:00
know whats send to your Bot.
Bash scripts in general are not designed to be bullet proof, so consider
this Bot as a proof of concept. More concret examples of security
2019-04-16 18:43:54 +00:00
problems are: bash's 'quoting hell' and globbing.
2019-04-09 11:41:38 +00:00
https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells[Implications
of wrong quoting]
2019-04-16 11:29:49 +00:00
Whenever you are processing input from from untrusted sources (messages,
2019-04-16 18:43:54 +00:00
files, network) you must be as carefull as possible, e.g. set IFS
appropriate, disable globbing (set -f) and quote everthing. In addition
disable not used Bot commands and delete unused scripts from your Bot,
e.g. example scripts 'notify', 'calc', 'question',
2019-04-09 11:41:38 +00:00
2019-04-16 11:29:49 +00:00
A powerful tool to improve your scripts robustness is `shellcheck`. You
can https://www.shellcheck.net/[use it online] or
https://github.com/koalaman/shellcheck#installing[install shellcheck
locally]. All bashbot scripts are checked by shellcheck.
2019-04-09 11:41:38 +00:00
Run your Bot as a restricted user
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2019-04-16 18:43:54 +00:00
*I recommend to run your bot as a user, with almost no access rights.*
2019-04-16 14:45:26 +00:00
All files your Bot have write access to are in danger to be
2019-04-16 11:29:49 +00:00
overwritten/deleted if your bot is hacked. For the same reason ervery
2019-04-16 18:43:54 +00:00
file your Bot can read is in danger to be disclosed. Restict your Bots
access rigths to the absolute minimum.
2019-04-16 11:29:49 +00:00
*Never run your Bot as root, this is the most dangerous you can do!*
2019-04-16 14:45:26 +00:00
Usually the user 'nobody' has almost no rights on Unix/Linux systems.
2019-04-16 18:43:54 +00:00
See link:doc/4_expert.md[Expert use] on how to run your Bot as an other
user.
2019-04-09 11:41:38 +00:00
Secure your Bot installation
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2019-04-16 18:43:54 +00:00
*Your Bot configuration must no be readable from other users.* Everyone
who can read your Bots token can act as your Bot and has access to all
chats your Bot is in!
2019-04-16 11:29:49 +00:00
Everyone with read access to your Bot files can extract your Bots data.
2019-04-09 11:41:38 +00:00
Especially your Bot Token in `token` must be protected against other
2019-04-16 18:43:54 +00:00
users. No one exept you must have write access to the Bot files. The Bot
must be restricted to have write access to `count` and `tmp-bot-bash`
only, all other files must be write protected.
2019-04-09 11:41:38 +00:00
To set access rights for your bashbot installation to a reasonable
default run `sudo ./bashbot.sh init` after every update or change to
2019-04-16 18:43:54 +00:00
your installation directory.
2019-04-09 11:41:38 +00:00
Is this Bot insecure?
^^^^^^^^^^^^^^^^^^^^^
2019-04-16 18:43:54 +00:00
Bashbot is not more (in)secure as any other Bot written in any other
language, we have done our best to make it as secure as possible. But
YOU are responsible for the bot commands you wrote and you should know
about the risks ...
2019-04-09 11:41:38 +00:00
That's it!
~~~~~~~~~~
If you feel that there's something missing or if you found a bug, feel
free to submit a pull request!
2019-04-23 13:48:58 +00:00
latexmath:[\[VERSION\]] v0.70-dev2-10-gfa9e879
++++++++++++++++++++++++++++++++++++++++++++++