telegram-bot-bash/README.md

# bashbot
A Telegram bot written in bash.

Depends on [tmux](http://github.com/tmux/tmux).
Uses [JSON.sh](http://github.com/dominictarr/JSON.sh).

For full UTF-8 support you need [python on your system](doc/4_expert.md#UTF-8-Support) (optional).

Written by Drew (@topkecleon), Daniil Gentili (@danogentili), and Kay M (@gnadelwartz).

Contributions by JuanPotato, BigNerd95, TiagoDanin, and iicc1.

[Download latest release from github](https://github.com/topkecleon/telegram-bot-bash/releases)

Released to the public domain wherever applicable.
Elsewhere, consider it released under the [WTFPLv2](http://www.wtfpl.net/txt/copying/).


## Install bashbot
1. Go to the directory you want to install bashbot, e.g.
  - your $HOME directory (install and run with your user-ID)
  - /usr/local if you want to run as service
2. Clone the repository:
```
git clone --recursive https://github.com/topkecleon/telegram-bot-bash
```
3. Change to directory ```telegram-bot.bash```, run ```./bashbot.sh init``` and follow the instructions. At this stage you are asked for your Bots token given by botfather.

## Update bashbot
[Download latest update zip from github](https://github.com/topkecleon/telegram-bot-bash/releases) and copy all files to bashbot dir. run ```sudo ./bashbot.sh init```.

## Getting started
 - [Create your first telegram bot](doc/1_firstbot.md)
 - [Make your own Bot](doc/2_usage.md)
   - Managing your own Bot
   - Recieve data
   - Send Messages
   - Send files, location  etc.
 - [Advanced Features](doc/3_advanced.md)
   - Access Control
   - Interactive Chats
   - Background Jobs
   - Inline queries
 - [Expert Use](doc/4_expert.md)
   - Handling UTF-8
   - Run as other user or system service
   - Scedule bashbot from Cron
 - [Best Practices](doc/5_practice.md)
   - Customizing commands.sh
   - Seperate Bot logic from command
   - Test your Bot with shellcheck

## Security Considerations
Running a Telegram Bot means you are conneted to the public, you never know whats send to your Bot.

Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. More concret examples of security problems is bash's 'quoting hell' and globbing. [Implications of wrong quoting](https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells)

Whenever you are processing input from outside your bot you should disable globbing (set -f) and carefully quote everthing.

To improve you scripts we recommend to lint them with [shellcheck](https://www.shellcheck.net/). This can be done online or you can [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). bashbot itself is also linted by shellcheck.

### Run your Bot as a restricted user
Every file your bot can write is in danger to be overwritten/deleted, In case of bad handling of user input every file your Bot can read is in danger of being disclosed.

Never run your Bot as root, this is the most dangerous you can do! Usually the user 'nobody' has almost no rigths on Unix/Linux systems. See Expert use on how to run your Bot as an other user.

### Secure your Bot installation
Everyone who can read your Bot files can extract your Bots data. Especially your Bot Token in ```token``` must be protected against other users. No one exept you should have write access to the Bot files. The Bot itself need write access to ```count``` and  ```tmp-bot-bash``` only, all other files should be write protected.

Runing ```./bashbot.sh init``` sets the Bot permissions to reasonable default values as a starting point.

### Is this Bot insecure?
No - its not less (in)secure as any other Bot written in any other language. But you should know about the implications ...

## That's it!

If you feel that there's something missing or if you found a bug, feel free to submit a pull request!

#### $$VERSION$$ v0.6-rc1-7-g14eb352
Applying new rule of GitHub Markdown 2017-08-27 00:28:32 +00:00			`# bashbot`
initial commie bastard 2015-07-10 05:43:08 +00:00			`A Telegram bot written in bash.`

Added a license for the unfortunate souls whose governments don't allow public domain. Removed JSON.sh and added the project as a submodule. Modified code referencing it accordingly. Added "attach" argument to attach to the tmux session and a default message if no argument is given. Other minor changes. 2016-04-19 09:49:35 +00:00			`Depends on [tmux](http://github.com/tmux/tmux).`
			`Uses [JSON.sh](http://github.com/dominictarr/JSON.sh).`

adjust doc for UTF-8 support 2019-04-13 13:07:49 +00:00			`For full UTF-8 support you need [python on your system](doc/4_expert.md#UTF-8-Support) (optional).`
fix UTF-8 decode of message 2019-04-13 12:50:53 +00:00
tweak readme contribution 2019-03-27 15:53:33 +00:00			`Written by Drew (@topkecleon), Daniil Gentili (@danogentili), and Kay M (@gnadelwartz).`

			`Contributions by JuanPotato, BigNerd95, TiagoDanin, and iicc1.`
fix restart in rc file, add init command to setup bashbot environment 2019-03-25 10:11:22 +00:00
Bashbot Version 0.52 - user acls added 2019-04-12 11:14:33 +00:00			`[Download latest release from github](https://github.com/topkecleon/telegram-bot-bash/releases)`
fix restart in rc file, add init command to setup bashbot environment 2019-03-25 10:11:22 +00:00
Added a license for the unfortunate souls whose governments don't allow public domain. Removed JSON.sh and added the project as a submodule. Modified code referencing it accordingly. Added "attach" argument to attach to the tmux session and a default message if no argument is given. Other minor changes. 2016-04-19 09:49:35 +00:00			`Released to the public domain wherever applicable.`
			`Elsewhere, consider it released under the [WTFPLv2](http://www.wtfpl.net/txt/copying/).`
Updated description and added installation instructions, fixed a few typos and bugs. 2016-01-05 16:54:34 +00:00


split docs in sections 2019-04-09 10:57:53 +00:00			`## Install bashbot`
fix restart in rc file, add init command to setup bashbot environment 2019-03-25 10:11:22 +00:00			`1. Go to the directory you want to install bashbot, e.g.`
Bashbot Version 5.1 shellcheck testet 2019-04-10 09:53:58 +00:00			`- your $HOME directory (install and run with your user-ID)`
			`- /usr/local if you want to run as service`
fix restart in rc file, add init command to setup bashbot environment 2019-03-25 10:11:22 +00:00			`2. Clone the repository:`
Updated description and added installation instructions, fixed a few typos and bugs. 2016-01-05 16:54:34 +00:00			```
Updated readme. 2016-04-19 19:01:01 +00:00			`git clone --recursive https://github.com/topkecleon/telegram-bot-bash`
Updated description and added installation instructions, fixed a few typos and bugs. 2016-01-05 16:54:34 +00:00			```
Expert use: Run as system service or from cron 2019-03-25 14:12:13 +00:00			3. Change to directory ```telegram-bot.bash```, run ```./bashbot.sh init``` and follow the instructions. At this stage you are asked for your Bots token given by botfather.
fix restart in rc file, add init command to setup bashbot environment 2019-03-25 10:11:22 +00:00
Bashbot Version 0.52 - user acls added 2019-04-12 11:14:33 +00:00			`## Update bashbot`
			[Download latest update zip from github](https://github.com/topkecleon/telegram-bot-bash/releases) and copy all files to bashbot dir. run ```sudo ./bashbot.sh init```.
init changes username in bashbot.rc also 2019-03-27 14:03:02 +00:00
split docs in sections 2019-04-09 10:57:53 +00:00			`## Getting started`
			`- [Create your first telegram bot](doc/1_firstbot.md)`
			`- [Make your own Bot](doc/2_usage.md)`
			`- Managing your own Bot`
			`- Recieve data`
			`- Send Messages`
			`- Send files, location etc.`
best practice 2019-04-10 20:23:24 +00:00			`- [Advanced Features](doc/3_advanced.md)`
Bashbot Version 0.52 - user acls added 2019-04-12 11:14:33 +00:00			`- Access Control`
split docs in sections 2019-04-09 10:57:53 +00:00			`- Interactive Chats`
			`- Background Jobs`
			`- Inline queries`
			`- [Expert Use](doc/4_expert.md)`
			`- Handling UTF-8`
			`- Run as other user or system service`
			`- Scedule bashbot from Cron`
toc best practice 2019-04-10 20:25:21 +00:00			`- [Best Practices](doc/5_practice.md)`
best practice 2019-04-10 20:23:24 +00:00			`- Customizing commands.sh`
			`- Seperate Bot logic from command`
			`- Test your Bot with shellcheck`
Security considerations and Typos 2019-03-28 19:59:52 +00:00
			`## Security Considerations`
			`Running a Telegram Bot means you are conneted to the public, you never know whats send to your Bot.`

			`Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. More concret examples of security problems is bash's 'quoting hell' and globbing. [Implications of wrong quoting](https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells)`

			`Whenever you are processing input from outside your bot you should disable globbing (set -f) and carefully quote everthing.`

split docs in sections 2019-04-09 10:57:53 +00:00			`To improve you scripts we recommend to lint them with [shellcheck](https://www.shellcheck.net/). This can be done online or you can [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). bashbot itself is also linted by shellcheck.`

Security considerations and Typos 2019-03-28 19:59:52 +00:00			`### Run your Bot as a restricted user`
			`Every file your bot can write is in danger to be overwritten/deleted, In case of bad handling of user input every file your Bot can read is in danger of being disclosed.`

			`Never run your Bot as root, this is the most dangerous you can do! Usually the user 'nobody' has almost no rigths on Unix/Linux systems. See Expert use on how to run your Bot as an other user.`

			`### Secure your Bot installation`
			Everyone who can read your Bot files can extract your Bots data. Especially your Bot Token in ```token``` must be protected against other users. No one exept you should have write access to the Bot files. The Bot itself need write access to ```count``` and ```tmp-bot-bash``` only, all other files should be write protected.

use sudo for bashbot.sh init 2019-04-08 09:46:29 +00:00			Runing ```./bashbot.sh init``` sets the Bot permissions to reasonable default values as a starting point.
Security considerations and Typos 2019-03-28 19:59:52 +00:00
			`### Is this Bot insecure?`
some typo, specify exit codes 2019-04-01 10:52:25 +00:00			`No - its not less (in)secure as any other Bot written in any other language. But you should know about the implications ...`
Expert use: Run as system service or from cron 2019-03-25 14:12:13 +00:00
add root warning, explaning UTF-8 handling 2019-03-24 12:57:49 +00:00			`## That's it!`
Updated description and added installation instructions, fixed a few typos and bugs. 2016-01-05 16:54:34 +00:00
			`If you feel that there's something missing or if you found a bug, feel free to submit a pull request!`
prepare for v0.5, add version numbers to files 2019-03-28 15:51:33 +00:00
dev3-rc1 candidate 2019-04-15 12:17:18 +00:00			`#### $$VERSION$$ v0.6-rc1-7-g14eb352`