telegram-bot-bash/README.md

<h2><img align="middle" src="https://raw.githubusercontent.com/odb/official-bash-logo/master/assets/Logos/Icons/PNG/64x64.png" >
Bashbot - A Telegram bot written in bash.
</h2>
Written by Drew (@topkecleon), Daniil Gentili (@danogentili), and Kay M (@gnadelwartz).

Contributions by JuanPotato, BigNerd95, TiagoDanin, and iicc1.

Released to the public domain wherever applicable.
Elsewhere, consider it released under the [WTFPLv2](http://www.wtfpl.net/txt/copying/).

## Prerequisites
Uses [JSON.sh](http://github.com/dominictarr/JSON.sh), but no more TMUX.

Even bashbot is written in bash, it depends on commands typically availible in a Unix/Linux Environment.
More concret on the common commands provided by [coreutils](https://en.wikipedia.org/wiki/List_of_GNU_Core_Utilities_commands), [busybox](https://en.wikipedia.org/wiki/BusyBox#Commands) or [toybox](https://landley.net/toybox/help.html), see [Developer Notes](doc/7_develop.md#common-commands)


Bashbot [Documentation](https://github.com/topkecleon/telegram-bot-bash) and [Downloads](https://github.com/topkecleon/telegram-bot-bash/releases) are availible on www.github.com

## Documentation
* [Introdution to Telegram Bots](https://core.telegram.org/bots)
    * [One Bot to rule them all](https://core.telegram.org/bots#3-how-do-i-create-a-bot)
    * [Bot commands](https://core.telegram.org/bots#commands)
* [Install Bashbot](doc/0_install.md)
    * Install release
    * Install from githup
    * Update Bashbot
    * Notes on Updates
* [Create a new Telegram Bot with botfather](doc/1_firstbot.md)
* [Getting Started](doc/2_usage.md)
    * Managing your Bot
    * Recieve data
    * Send messages
    * Send files, locations, keyboards
* [Advanced Features](doc/3_advanced.md)
    * Access Control
    * Interactive Chats
    * Background Jobs
    * Inline queries
* [Expert Use](doc/4_expert.md)
    * Handling UTF-8 character sets
    * Run as other user or system service
    * Scedule bashbot from Cron
* [Best Practices](doc/5_practice.md)
    * Customize commands.sh
    * Seperate logic from commands
    * Test your Bot with shellcheck
* [Function Reference](doc/6_reference.md)
    * Sending Messages, Files, Keyboards
    * User Access Control
    * Inline Queries
    * Background and Interactive Jobs
* [Deveoper Notess](doc/7_develop.md)
    * Setup your environment
    * Test, Add, Push changes
    * Prepare a new version
    * Bashbot testsuite
* [Customize bashbot environment](doc/8_custom.md)
* [Examples](examples/README.md)


## Security Considerations
Running a Telegram Bot means it is connected to the public and you never know whats send to your Bot.

Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see [Implications of wrong quoting](https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells)

Whenever you are processing input from from untrusted sources (messages, files, network) you must be as carefull as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everthing. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.

A powerful tool to improve your scripts is ```shellcheck```. You can [use it online](https://www.shellcheck.net/) or [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests.
In addition bashbot has a [test suite](doc/7_develop.md) to check if important functionality is working as expected.

### Run your Bot as a restricted user
**I recommend to run your bot as a user, with almost no access rights.** 
All files your Bot have write access to are in danger to be overwritten/deleted if your bot is hacked.
For the same reason ervery file your Bot can read is in danger to be disclosed. Restict your Bots access rigths to the absolute minimum.

**Never run your Bot as root, this is the most dangerous you can do!** Usually the user 'nobody' has almost no rights on Unix/Linux systems. See [Expert use](doc/4_expert.md) on how to run your Bot as an other user.

### Secure your Bot installation
**Your Bot configuration must no be readable from other users.** Everyone who can read your Bots token can act as your Bot and has access to all chats your Bot is in!

Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in ```token``` must be protected against other users. No one exept you must have write access to the Bot files. The Bot must be restricted to have write access to ```count``` and  ```tmp-bot-bash``` only, all other files must be write protected.

To set access rights for your bashbot installation to a reasonable default run ```sudo ./bashbot.sh init``` after every update or change to your installation directory.

## FAQ

### Is this Bot insecure?
Bashbot is not more (in)secure as any other Bot written in any other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...

### Why Bash and not the much better xyz?
Well, thats a damn good question ... may be because I'm an Unix/Linux admin from stone age. Nevertheless there are more reasons from my side:

- bashbot will run everywhere where bash is availible, from ebedded linux to mainframe
- easy to integrate with other shell script, e.g. for sending system message / health status
- no need to install or learn a new programming language, library or framework
- no database, not event driven, not OO ...

#### Can I have the single bashbot.sh file back?
At the beginning bashbot was simply the file ```bashbot.sh``` you can copy everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.

Hey no Problem, if you are finished with your cool bot run ```dev/make-standalone.sh``` to create a stripped down Version of your bot containing only
'bashbot.sh' and 'commands.sh'! For more information see [Create a stripped down Version of your Bot](doc/7_develop.md)


@Gnadelwartz

## That's it!

If you feel that there's something missing or if you found a bug, feel free to submit a pull request!

#### $$VERSION$$ v0.80-pre-8-gf1ebdbb
align middle heading 2019-05-14 20:02:43 +00:00			`<h2><img align="middle" src="https://raw.githubusercontent.com/odb/official-bash-logo/master/assets/Logos/Icons/PNG/64x64.png" >`
bashbot - a telegram bit written in bash heading 2019-05-14 20:06:50 +00:00			`Bashbot - A Telegram bot written in bash.`
			`</h2>`
tweak readme contribution 2019-03-27 15:53:33 +00:00			`Written by Drew (@topkecleon), Daniil Gentili (@danogentili), and Kay M (@gnadelwartz).`

			`Contributions by JuanPotato, BigNerd95, TiagoDanin, and iicc1.`
fix restart in rc file, add init command to setup bashbot environment 2019-03-25 10:11:22 +00:00
Added a license for the unfortunate souls whose governments don't allow public domain. Removed JSON.sh and added the project as a submodule. Modified code referencing it accordingly. Added "attach" argument to attach to the tmux session and a default message if no argument is given. Other minor changes. 2016-04-19 09:49:35 +00:00			`Released to the public domain wherever applicable.`
			`Elsewhere, consider it released under the [WTFPLv2](http://www.wtfpl.net/txt/copying/).`
Updated description and added installation instructions, fixed a few typos and bugs. 2016-01-05 16:54:34 +00:00
Version 0.60-rc3 2019-04-17 07:34:02 +00:00			`## Prerequisites`
start, kill, resume, suspend now working 2019-05-19 13:03:44 +00:00			`Uses [JSON.sh](http://github.com/dominictarr/JSON.sh), but no more TMUX.`
add backward compatibility for keyboards from interactive chats 2019-04-16 19:56:46 +00:00
add documentaion and ENV for wget and Telegram URL 2019-05-14 17:58:59 +00:00			`Even bashbot is written in bash, it depends on commands typically availible in a Unix/Linux Environment.`
update doc 2019-05-14 18:55:24 +00:00			`More concret on the common commands provided by [coreutils](https://en.wikipedia.org/wiki/List_of_GNU_Core_Utilities_commands), [busybox](https://en.wikipedia.org/wiki/BusyBox#Commands) or [toybox](https://landley.net/toybox/help.html), see [Developer Notes](doc/7_develop.md#common-commands)`
add documentaion and ENV for wget and Telegram URL 2019-05-14 17:58:59 +00:00
Updated description and added installation instructions, fixed a few typos and bugs. 2016-01-05 16:54:34 +00:00
add backward compatibility for keyboards from interactive chats 2019-04-16 19:56:46 +00:00			`Bashbot [Documentation](https://github.com/topkecleon/telegram-bot-bash) and [Downloads](https://github.com/topkecleon/telegram-bot-bash/releases) are availible on www.github.com`
Updated description and added installation instructions, fixed a few typos and bugs. 2016-01-05 16:54:34 +00:00
Version 0.60-rc3 2019-04-17 07:34:02 +00:00			`## Documentation`
fix nasty workaround for external scripts 2019-04-27 19:10:55 +00:00			`* [Introdution to Telegram Bots](https://core.telegram.org/bots)`
			`* [One Bot to rule them all](https://core.telegram.org/bots#3-how-do-i-create-a-bot)`
add references to bashbot doc 2019-04-27 11:02:10 +00:00			`* [Bot commands](https://core.telegram.org/bots#commands)`
adjust doc to mycommands and new section installation 2019-04-24 14:53:01 +00:00			`* [Install Bashbot](doc/0_install.md)`
			`* Install release`
			`* Install from githup`
			`* Update Bashbot`
			`* Notes on Updates`
Bashbot v0.60-rc2 2019-04-16 18:43:54 +00:00			`* [Create a new Telegram Bot with botfather](doc/1_firstbot.md)`
finalze docs for 0.6 2019-04-16 09:46:37 +00:00			`* [Getting Started](doc/2_usage.md)`
			`* Managing your Bot`
			`* Recieve data`
Bashbot v0.60-rc2 2019-04-16 18:43:54 +00:00			`* Send messages`
			`* Send files, locations, keyboards`
finalze docs for 0.6 2019-04-16 09:46:37 +00:00			`* [Advanced Features](doc/3_advanced.md)`
			`* Access Control`
			`* Interactive Chats`
			`* Background Jobs`
			`* Inline queries`
			`* [Expert Use](doc/4_expert.md)`
Bashbot v0.60-rc2 2019-04-16 18:43:54 +00:00			`* Handling UTF-8 character sets`
finalze docs for 0.6 2019-04-16 09:46:37 +00:00			`* Run as other user or system service`
			`* Scedule bashbot from Cron`
			`* [Best Practices](doc/5_practice.md)`
Bashbot v0.60-rc2 2019-04-16 18:43:54 +00:00			`* Customize commands.sh`
			`* Seperate logic from commands`
finalze docs for 0.6 2019-04-16 09:46:37 +00:00			`* Test your Bot with shellcheck`
adjust documentation 2019-05-10 10:04:49 +00:00			`* [Function Reference](doc/6_reference.md)`
			`* Sending Messages, Files, Keyboards`
			`* User Access Control`
			`* Inline Queries`
			`* Background and Interactive Jobs`
fix nasty workaround for external scripts 2019-04-27 19:10:55 +00:00			`* [Deveoper Notess](doc/7_develop.md)`
			`* Setup your environment`
			`* Test, Add, Push changes`
			`* Prepare a new version`
			`* Bashbot testsuite`
fix make-dist, fix doc links 2019-04-30 12:21:24 +00:00			`* [Customize bashbot environment](doc/8_custom.md)`
fix exmaples spelling 2019-04-29 17:38:54 +00:00			`* [Examples](examples/README.md)`
fix / allow more complex keyboards 2019-04-15 14:32:56 +00:00
move process_inline to bashbot.sh, documentation make-standalone.sh 2019-05-11 16:36:40 +00:00
Security considerations and Typos 2019-03-28 19:59:52 +00:00			`## Security Considerations`
some more doc cleanup for release 2019-04-16 14:45:26 +00:00			`Running a Telegram Bot means it is connected to the public and you never know whats send to your Bot.`
Security considerations and Typos 2019-03-28 19:59:52 +00:00
multibot wrapper example 2019-05-01 12:29:57 +00:00			`Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see [Implications of wrong quoting](https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells)`
Security considerations and Typos 2019-03-28 19:59:52 +00:00
multibot wrapper example 2019-05-01 12:29:57 +00:00			`Whenever you are processing input from from untrusted sources (messages, files, network) you must be as carefull as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everthing. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.`
Security considerations and Typos 2019-03-28 19:59:52 +00:00
multibot wrapper example 2019-05-01 12:29:57 +00:00			A powerful tool to improve your scripts is ```shellcheck```. You can [use it online](https://www.shellcheck.net/) or [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests.
			`In addition bashbot has a [test suite](doc/7_develop.md) to check if important functionality is working as expected.`
split docs in sections 2019-04-09 10:57:53 +00:00
Security considerations and Typos 2019-03-28 19:59:52 +00:00			`### Run your Bot as a restricted user`
Bashbot v0.60-rc2 2019-04-16 18:43:54 +00:00			`I recommend to run your bot as a user, with almost no access rights.`
some more doc cleanup for release 2019-04-16 14:45:26 +00:00			`All files your Bot have write access to are in danger to be overwritten/deleted if your bot is hacked.`
Bashbot v0.60-rc2 2019-04-16 18:43:54 +00:00			`For the same reason ervery file your Bot can read is in danger to be disclosed. Restict your Bots access rigths to the absolute minimum.`
finalze docs for 0.6 2019-04-16 09:46:37 +00:00
Bashbot v0.60-rc2 2019-04-16 18:43:54 +00:00			`Never run your Bot as root, this is the most dangerous you can do! Usually the user 'nobody' has almost no rights on Unix/Linux systems. See [Expert use](doc/4_expert.md) on how to run your Bot as an other user.`
Security considerations and Typos 2019-03-28 19:59:52 +00:00
			`### Secure your Bot installation`
Bashbot v0.60-rc2 2019-04-16 18:43:54 +00:00			`Your Bot configuration must no be readable from other users. Everyone who can read your Bots token can act as your Bot and has access to all chats your Bot is in!`
finalze docs for 0.6 2019-04-16 09:46:37 +00:00
Bashbot v0.60-rc2 2019-04-16 18:43:54 +00:00			Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in ```token``` must be protected against other users. No one exept you must have write access to the Bot files. The Bot must be restricted to have write access to ```count``` and ```tmp-bot-bash``` only, all other files must be write protected.
Security considerations and Typos 2019-03-28 19:59:52 +00:00
add backward compatibility for keyboards from interactive chats 2019-04-16 19:56:46 +00:00			To set access rights for your bashbot installation to a reasonable default run ```sudo ./bashbot.sh init``` after every update or change to your installation directory.
Security considerations and Typos 2019-03-28 19:59:52 +00:00
more save resumeback killback handling 2019-05-20 18:48:49 +00:00			`## FAQ`

Security considerations and Typos 2019-03-28 19:59:52 +00:00			`### Is this Bot insecure?`
Bashbot v0.60-rc2 2019-04-16 18:43:54 +00:00			`Bashbot is not more (in)secure as any other Bot written in any other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...`
Expert use: Run as system service or from cron 2019-03-25 14:12:13 +00:00
why bash? 2019-04-27 14:28:17 +00:00			`### Why Bash and not the much better xyz?`
fix stupid mynewlinestartshere mistake 2019-04-27 13:48:03 +00:00			`Well, thats a damn good question ... may be because I'm an Unix/Linux admin from stone age. Nevertheless there are more reasons from my side:`

			`- bashbot will run everywhere where bash is availible, from ebedded linux to mainframe`
why bash? 2019-04-27 14:28:17 +00:00			`- easy to integrate with other shell script, e.g. for sending system message / health status`
			`- no need to install or learn a new programming language, library or framework`
fix stupid mynewlinestartshere mistake 2019-04-27 13:48:03 +00:00			`- no database, not event driven, not OO ...`
fix nasty workaround for external scripts 2019-04-27 19:10:55 +00:00
more save resumeback killback handling 2019-05-20 18:48:49 +00:00			`#### Can I have the single bashbot.sh file back?`
			At the beginning bashbot was simply the file ```bashbot.sh``` you can copy everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.

			Hey no Problem, if you are finished with your cool bot run ```dev/make-standalone.sh``` to create a stripped down Version of your bot containing only
			`'bashbot.sh' and 'commands.sh'! For more information see [Create a stripped down Version of your Bot](doc/7_develop.md)`


why bash? 2019-04-27 14:28:17 +00:00			`@Gnadelwartz`
fix stupid mynewlinestartshere mistake 2019-04-27 13:48:03 +00:00
add root warning, explaning UTF-8 handling 2019-03-24 12:57:49 +00:00			`## That's it!`
Updated description and added installation instructions, fixed a few typos and bugs. 2016-01-05 16:54:34 +00:00
			`If you feel that there's something missing or if you found a bug, feel free to submit a pull request!`
prepare for v0.5, add version numbers to files 2019-03-28 15:51:33 +00:00
more save resumeback killback handling 2019-05-20 18:48:49 +00:00			`#### $$VERSION$$ v0.80-pre-8-gf1ebdbb`