<p>Released to the public domain wherever applicable. Elsewhere, consider it released under the <ahref="http://www.wtfpl.net/txt/copying/">WTFPLv2</a>.</p>
<p>Uses <ahref="http://github.com/dominictarr/JSON.sh">JSON.sh</a>/<ahref="https://github.com/step-/JSON.awk">JSON.awk</a> and the magic of sed.</p>
<p>Bashbot is written in bash. It depends on commands typically available in a Linux/Unix Environment. For more information on commands provided by recent versions of <ahref="https://en.wikipedia.org/wiki/List_of_GNU_Core_Utilities_commands">coreutils</a>, <ahref="https://en.wikipedia.org/wiki/BusyBox#Commands">busybox</a> or <ahref="https://landley.net/toybox/help.html">toybox</a>, see <ahref="doc/7_develop.md#common-commands">Developer Notes</a>.</p>
<p><strong>Note for MacOS and BSD Users:</strong> Bashbot will not run without installing additional software as it uses modern bash and (gnu) grep/sed features. See <ahref="doc/0_install.md">Install Bashbot</a>.</p>
<p><strong>Note for embedded systems:</strong> You need to install a "real" bash as the vanilla installation of busybox or toybox is not sufficient. See <ahref="doc/0_install.md">Install Bashbot</a>.</p>
<p>Bashbot <ahref="https://github.com/topkecleon/telegram-bot-bash">Documentation</a> and <ahref="https://github.com/topkecleon/telegram-bot-bash/releases">Downloads</a> are available on <ahref="https://www.github.com">www.github.com</a>.</p>
<p>To install and run bashbot you need access to a Linux/Unix command line with bash, a <ahref="https://telegram.org">Telegram client</a> and a mobile phone <ahref="https://telegramguide.com/create-a-telegram-account/">with a Telegram account</a>.</p>
<spanid="cb1-5"><ahref="#cb1-5"aria-hidden="true"tabindex="-1"></a><spanclass="co"># download latest release with wget or from https://github.com/topkecleon/telegram-bot-bash/releases/latest</span></span>
<spanid="cb1-12"><ahref="#cb1-12"aria-hidden="true"tabindex="-1"></a><spanclass="co"># initialize your bot</span></span>
<spanid="cb1-13"><ahref="#cb1-13"aria-hidden="true"tabindex="-1"></a><spanclass="co"># Enter your bot token when asked, all other questions can be answered by hitting the \<Return\> key.</span></span>
<p>Bashbot actions are logged to <code>BASHBOT.log</code>. Telegram send/receive errors are logged to <code>ERROR.log</code>. Start bashbot in debug mode to see all messages sent to / received from Telegram, as well as bash command error messages.</p>
<p>To enable debug mode, start bashbot with debug as third argument: <code>bashbot start debug</code></p>
<p>Bash scripts in general are not designed to be bulletproof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see <ahref="https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells">Implications of wrong quoting</a>.</p>
<p>Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible (e.g. set IFS appropriately, disable globbing with <code>set -f</code> and quote everything). In addition remove unused scripts and examples from your Bot (e.g. everything in <code>example/</code>) and disable/remove all unused bot commands.</p>
<p>It's important to escape or remove <code>$</code> in input from user, files or network (<em>as bashbot does</em>). One of the powerful features of Unix shells is variable and command substitution using <code>${}</code> and<code>$()</code> can lead to remote code execution (RCE) or remote information disclosure (RID) bugs if unescaped <code>$</code> is included in untrusted input (e.g. <code>$$</code> or <code>$(rm -rf /*)</code>).</p>
<p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <ahref="https://www.shellcheck.net/">use it online</a> or <ahref="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensively in bashbot development to ensure a high code quality (e.g. it's not allowed to push changes without passing all shellcheck tests). In addition bashbot has a <ahref="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
<p>If you're writing a script that accepts external input (e.g. from the user as arguments or the file system), you shouldn't use echo to display it. <ahref="https://unix.stackexchange.com/a/6581">Use printf whenever possible</a>.</p>
<p><strong>I recommend running your bot as a user with almost no access rights.</strong> All files your Bot has write access to are in danger of being overwritten/deleted if your bot is hacked. For the same reason every file your Bot can read is in danger of being disclosed. Restrict your Bots access rights to the absolute minimum.</p>
<p><strong>Never run your Bot as root, this is the most dangerous you can do!</strong> Usually the user 'nobody' has almost no rights on Linux/Unix systems. See <ahref="doc/4_expert.md">Expert use</a> on how to run your Bot as an other user.</p>
<p><strong>Your Bot configuration must not be readable by other users.</strong> Everyone who can read your Bots token is able to act as your Bot and has access to all chats the Bot is in!</p>
<p>Everyone with read access to your Bot files can extract your Bots data. Especially your Bot config in<code>config.jssh</code> must be protected against other users. No one except you should have write access to the Bot files. The Bot should be restricted to have write access to<code>count.jssh</code> and <code>data-bot-bash</code> only, all other files must be write protected.</p>
<p>To set access rights for your bashbot installation to a reasonable default run<code>sudo ./bashbot.sh init</code> after every update or change to your installation directory.</p>
<p>Bashbot is not more (in)secure than a Bot written in another language. We have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...</p>
<p><strong>Note:</strong> Up to version 0.941 (mai/22/2020) telegram-bot-bash had a remote code execution bug, please update if you use an older version!</p>
<p>At the beginning bashbot was simply the file<code>bashbot.sh</code> that you could copy everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.</p>
<p>Hey no problem, if you are finished with your cool bot, run<code>dev/make-standalone.sh</code> to create a stripped down version of your bot containing only 'bashbot.sh' and 'commands.sh'! For more information see <ahref="doc/7_develop.md">Create a stripped down version of your Bot</a>.</p>
<p>Of course you can send messages from command line and scripts! Simply install bashbot as <ahref="#Your-really-first-bashbot-in-a-nutshell">described here</a>, send the message '/start' to set yourself as botadmin and then stop the bot with <code>./bashbot.sh stop</code>.</p>
<divclass="sourceCode"id="cb4"><preclass="sourceCode bash"><codeclass="sourceCode bash"><spanid="cb4-1"><ahref="#cb4-1"aria-hidden="true"tabindex="-1"></a><spanclass="ex">bin/send_message.sh</span> BOTADMIN <spanclass="st">"This is my first message send from CLI"</span></span>
<p>This may happen if too many or wrong requests are sent to api.telegram.org, e.g. using a invalid token or invalid API calls. If the block stay for longer time you can ask telegram service to unblock your IP-Address.</p>
<spanid="cb5-2"><ahref="#cb5-2"aria-hidden="true"tabindex="-1"></a><spanclass="co">#curl: (28) Connection timed out after 10001 milliseconds</span></span>
<spanid="cb5-7"><ahref="#cb5-7"aria-hidden="true"tabindex="-1"></a><spanclass="ex">nc</span><spanclass="at">-w</span> 2 api.telegram.org 443 <spanclass="kw">||</span><spanclass="bu">echo</span><spanclass="st">"your IP seems blocked by telegram"</span></span>
<spanid="cb5-8"><ahref="#cb5-8"aria-hidden="true"tabindex="-1"></a><spanclass="co">#your IP seems blocked by telegram</span></span></code></pre></div>
<p>Bashbot offers the option to recover from broken connections (blocked). Therefore you can provide a function named <code>bashbotBlockRecover()</code> in <code>mycommands.sh</code>, the function is called every time when a broken connection is detected.</p>
<p>Possible actions are: Check if network is working, change IP-Address or simply wait some time. See <code>mycommnds.sh.dist</code> for an example.</p>