octoleo
/
telegram-bot-bash
mirror of https://github.com/octoleo/telegram-bot-bash.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity

Bashbot v0.60-rc2

This commit is contained in:
Kay Marquardt (Gnadelwartz) 2019-04-16 20:43:54 +02:00
parent 591c5834fa
commit 2e3c9753fe
16 changed files with 100 additions and 96 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
README.md
View File

@ -10,7 +10,7 @@ Written by Drew (@topkecleon), Daniil Gentili (@danogentili), and Kay M (@gnadel
Contributions by JuanPotato, BigNerd95, TiagoDanin, and iicc1.
[Download latest release from github](https://github.com/topkecleon/telegram-bot-bash/releases)
Bashbot [Documentation](https://github.com/topkecleon/telegram-bot-bash) and [Downloads](https://github.com/topkecleon/telegram-bot-bash/releases) are availible on Githup.
Released to the public domain wherever applicable.
Elsewhere, consider it released under the [WTFPLv2](http://www.wtfpl.net/txt/copying/).
@ -30,72 +30,70 @@ Elsewhere, consider it released under the [WTFPLv2](http://www.wtfpl.net/txt/cop
## Update bashbot
[Download latest update zip from github](https://github.com/topkecleon/telegram-bot-bash/releases), extract all files and copy them to your bashbot dir. Now run ```sudo ./bashbot.sh init``` to setup your environment for the new release.
## Getting started
* [Create Telegram Bot with botfather](doc/1_firstbot.md)
## Bashbot Documentation
* [Create a new Telegram Bot with botfather](doc/1_firstbot.md)
* [Getting Started](doc/2_usage.md)
* Managing your Bot
* Recieve data
* Send Messages
* Send files, location etc.
* Send messages
* Send files, locations, keyboards
* [Advanced Features](doc/3_advanced.md)
* Access Control
* Interactive Chats
* Background Jobs
* Inline queries
* [Expert Use](doc/4_expert.md)
* Handling UTF-8
* Handling UTF-8 character sets
* Run as other user or system service
* Scedule bashbot from Cron
* [Best Practices](doc/5_practice.md)
* Customizing commands.sh
* Seperate Bot logic from command
* Customize commands.sh
* Seperate logic from commands
* Test your Bot with shellcheck
* [Bashbot functions reference](doc/6_reference.md)
* [Bashbot function reference](doc/6_reference.md)
## Note on Keyboards
To make use of Keyboards easier the keybord format for ```send_keyboard``` and ```send_message "mykeyboardstartshere ..."``` was changed.
Keybords are now defined in an JSON Array notation e.g. "[ \\"yes\\" , \\"no\\" ]".
From Version 0.60 on keybord format for ```send_keyboard``` and ```send_message "mykeyboardstartshere ..."``` was changed.
Keybords are now defined in JSON Array notation e.g. "[ \\"yes\\" , \\"no\\" ]".
This has the advantage that you can create any type of keyboard supported by Telegram.
**This is an incompatible change for keyboards used in older bashbot versions.**
*Example Keyboards*:
- yes no in one row
- OLD format: "yes" "no" (two strings)
- NEW format: "[ \\"yes\\" , \\"no\\" ]" (string containing an array)
- OLD format: 'yes' 'no' (two strings)
- NEW format: '[ "yes" , "no" ]' (string containing an array)
- new keybord layouts, no possible with old format:
- Yes No in two rows: "[ \\"yes\\" ] , [ \\"no\\" ]"
- numpad style keyboard: "[ \\"1\\" , \\"2\\" , \\"3\\" ] , [ \\"4\\" , \\"5\\" , \\"6\\" ] , [ \\"7\\" , \\"8\\" , \\"9\\" ] , [ \\"0\\" ]"
- Yes No in two rows: '[ "yes" ] , [ "no" ]'
- numpad style keyboard: '[ "1" , "2" , "3" ] , [ "4" , "5" , "6" ] , [ "7" , "8" , "9" ] , [ "0" ]'
## Security Considerations
Running a Telegram Bot means it is connected to the public and you never know whats send to your Bot.
Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. More concret examples of security problems are bash's 'quoting hell' and globbing. [Implications of wrong quoting](https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells)
Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. More concret examples of security problems are: bash's 'quoting hell' and globbing. [Implications of wrong quoting](https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells)
Whenever you are processing input from from untrusted sources (messages, files, network) you must be as carefull as possible, e.g. disable globbing (set -f) and quote everthing.
Whenever you are processing input from from untrusted sources (messages, files, network) you must be as carefull as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everthing. In addition disable not used Bot commands and delete unused scripts from your Bot, e.g. example scripts 'notify', 'calc', 'question',
A powerful tool to improve your scripts robustness is ```shellcheck```. You can [use it online](https://www.shellcheck.net/) or [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). All bashbot scripts are checked by shellcheck.
### Run your Bot as a restricted user
**It's important to run your bot as a user, with almost no access rights.**
**I recommend to run your bot as a user, with almost no access rights.**
All files your Bot have write access to are in danger to be overwritten/deleted if your bot is hacked.
For the same reason ervery file your Bot can read is in danger of being disclosed. So please restict your Bots access rigths to the absolute minimum.
For the same reason ervery file your Bot can read is in danger to be disclosed. Restict your Bots access rigths to the absolute minimum.
**Never run your Bot as root, this is the most dangerous you can do!** Usually the user 'nobody' has almost no rights on Unix/Linux systems. See Expert use on how to run your Bot as an other user.
**Never run your Bot as root, this is the most dangerous you can do!** Usually the user 'nobody' has almost no rights on Unix/Linux systems. See [Expert use](doc/4_expert.md) on how to run your Bot as an other user.
### Secure your Bot installation
**Your Bot configuration should not be readable from other users.** If someone can read your Bots token he can act as your Bot and has access to all chats you Bot is in!
**Your Bot configuration must no be readable from other users.** Everyone who can read your Bots token can act as your Bot and has access to all chats your Bot is in!
Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in ```token``` must be protected against other users. No one exept you should have write access to the Bot files. The Bot must be restricted to have write access to ```count``` and ```tmp-bot-bash``` only, all other files should be write protected.
Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in ```token``` must be protected against other users. No one exept you must have write access to the Bot files. The Bot must be restricted to have write access to ```count``` and ```tmp-bot-bash``` only, all other files must be write protected.
To set access rights for your telegram-bot-bash directory to reasonable default values you must run ```sudo ./bashbot.sh init``` after every update or change to your installation directory.
To set access rights for your bashbot directory to a reasonable default you must run ```sudo ./bashbot.sh init``` after every update or change to your installation directory.
### Is this Bot insecure?
Bashbot is no more (in)secure as any other Bot written in any other language. But since YOU are responsible for your bots commands and run the Bot, you should know about the implications ...
Bashbot is not more (in)secure as any other Bot written in any other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...
## That's it!
If you feel that there's something missing or if you found a bug, feel free to submit a pull request!
#### $$VERSION$$ v0.60-rc2-4-g1bf26b9
#### $$VERSION$$ v0.60-rc2-5-g591c583

88
README.txt
View File

@ -14,8 +14,9 @@ Written by Drew (@topkecleon), Daniil Gentili (@danogentili), and Kay M
Contributions by JuanPotato, BigNerd95, TiagoDanin, and iicc1.
https://github.com/topkecleon/telegram-bot-bash/releases[Download latest
release from github]
Bashbot https://github.com/topkecleon/telegram-bot-bash[Documentation]
and https://github.com/topkecleon/telegram-bot-bash/releases[Downloads]
are availible on Githup.
Released to the public domain wherever applicable. Elsewhere, consider
it released under the http://www.wtfpl.net/txt/copying/[WTFPLv2].
@ -43,49 +44,48 @@ update zip from github], extract all files and copy them to your bashbot
dir. Now run `sudo ./bashbot.sh init` to setup your environment for the
new release.
Getting started
~~~~~~~~~~~~~~~
Bashbot Documentation
~~~~~~~~~~~~~~~~~~~~~
* link:doc/1_firstbot.md[Create Telegram Bot with botfather]
* link:doc/1_firstbot.md[Create a new Telegram Bot with botfather]
* link:doc/2_usage.md[Getting Started]
** Managing your Bot
** Recieve data
** Send Messages
** Send files, location etc.
** Send messages
** Send files, locations, keyboards
* link:doc/3_advanced.md[Advanced Features]
** Access Control
** Interactive Chats
** Background Jobs
** Inline queries
* link:doc/4_expert.md[Expert Use]
** Handling UTF-8
** Handling UTF-8 character sets
** Run as other user or system service
** Scedule bashbot from Cron
* link:doc/5_practice.md[Best Practices]
** Customizing commands.sh
** Seperate Bot logic from command
** Customize commands.sh
** Seperate logic from commands
** Test your Bot with shellcheck
* link:doc/6_reference.md[Bashbot functions reference]
* link:doc/6_reference.md[Bashbot function reference]
Note on Keyboards
~~~~~~~~~~~~~~~~~
To make use of Keyboards easier the keybord format for `send_keyboard`
and `send_message "mykeyboardstartshere ..."` was changed. Keybords are
now defined in an JSON Array notation e.g. "[ \"yes\" , \"no\" ]". This
has the advantage that you can create any type of keyboard supported by
From Version 0.60 on keybord format for `send_keyboard` and
`send_message "mykeyboardstartshere ..."` was changed. Keybords are now
defined in JSON Array notation e.g. "[ \"yes\" , \"no\" ]". This has the
advantage that you can create any type of keyboard supported by
Telegram. *This is an incompatible change for keyboards used in older
bashbot versions.*
_Example Keyboards_:
* yes no in one row
** OLD format: "yes" "no" (two strings)
** NEW format: "[ \"yes\" , \"no\" ]" (string containing an array)
* OLD format: 'yes' 'no' (two strings)
* NEW format: '[ "yes" , "no" ]' (string containing an array)
* new keybord layouts, no possible with old format:
** Yes No in two rows: "[ \"yes\" ] , [ \"no\" ]"
** numpad style keyboard: "[ \"1\" , \"2\" , \"3\" ] , [ \"4\" , \"5\" ,
\"6\" ] , [ \"7\" , \"8\" , \"9\" ] , [ \"0\" ]"
** Yes No in two rows: '[ "yes" ] , [ "no" ]'
** numpad style keyboard: '[ "1" , "2" , "3" ] , [ "4" , "5" , "6" ] , [
"7" , "8" , "9" ] , [ "0" ]'
Security Considerations
~~~~~~~~~~~~~~~~~~~~~~~
@ -95,13 +95,15 @@ know whats send to your Bot.
Bash scripts in general are not designed to be bullet proof, so consider
this Bot as a proof of concept. More concret examples of security
problems are bash's 'quoting hell' and globbing.
problems are: bash's 'quoting hell' and globbing.
https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells[Implications
of wrong quoting]
Whenever you are processing input from from untrusted sources (messages,
files, network) you must be as carefull as possible, e.g. disable
globbing (set -f) and quote everthing.
files, network) you must be as carefull as possible, e.g. set IFS
appropriate, disable globbing (set -f) and quote everthing. In addition
disable not used Bot commands and delete unused scripts from your Bot,
e.g. example scripts 'notify', 'calc', 'question',
A powerful tool to improve your scripts robustness is `shellcheck`. You
can https://www.shellcheck.net/[use it online] or
@ -111,41 +113,41 @@ locally]. All bashbot scripts are checked by shellcheck.
Run your Bot as a restricted user
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
*It's important to run your bot as a user, with almost no access
rights.*
*I recommend to run your bot as a user, with almost no access rights.*
All files your Bot have write access to are in danger to be
overwritten/deleted if your bot is hacked. For the same reason ervery
file your Bot can read is in danger of being disclosed. So please
restict your Bots access rigths to the absolute minimum.
file your Bot can read is in danger to be disclosed. Restict your Bots
access rigths to the absolute minimum.
*Never run your Bot as root, this is the most dangerous you can do!*
Usually the user 'nobody' has almost no rights on Unix/Linux systems.
See Expert use on how to run your Bot as an other user.
See link:doc/4_expert.md[Expert use] on how to run your Bot as an other
user.
Secure your Bot installation
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
*Your Bot configuration should not be readable from other users.* If
someone can read your Bots token he can act as your Bot and has access
to all chats you Bot is in!
*Your Bot configuration must no be readable from other users.* Everyone
who can read your Bots token can act as your Bot and has access to all
chats your Bot is in!
Everyone with read access to your Bot files can extract your Bots data.
Especially your Bot Token in `token` must be protected against other
users. No one exept you should have write access to the Bot files. The
Bot must be restricted to have write access to `count` and
`tmp-bot-bash` only, all other files should be write protected.
users. No one exept you must have write access to the Bot files. The Bot
must be restricted to have write access to `count` and `tmp-bot-bash`
only, all other files must be write protected.
To set access rights for your telegram-bot-bash directory to reasonable
default values you must run `sudo ./bashbot.sh init` after every update
or change to your installation directory.
To set access rights for your bashbot directory to a reasonable default
you must run `sudo ./bashbot.sh init` after every update or change to
your installation directory.
Is this Bot insecure?
^^^^^^^^^^^^^^^^^^^^^
Bashbot is no more (in)secure as any other Bot written in any other
language. But since YOU are responsible for your bots commands and run
the Bot, you should know about the implications ...
Bashbot is not more (in)secure as any other Bot written in any other
language, we have done our best to make it as secure as possible. But
YOU are responsible for the bot commands you wrote and you should know
about the risks ...
That's it!
~~~~~~~~~~
@ -153,5 +155,5 @@ That's it!
If you feel that there's something missing or if you found a bug, feel
free to submit a pull request!
latexmath:[\[VERSION\]] v0.60-rc2-4-g1bf26b9
latexmath:[\[VERSION\]] v0.60-rc2-5-g591c583
++++++++++++++++++++++++++++++++++++++++++++

2
bashbot.cron
View File

@ -7,7 +7,7 @@
# This file is public domain in the USA and all free countries.
# Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying)
#
#### $$VERSION$$ v0.60-rc2-3-g4a944d9
#### $$VERSION$$ v0.60-rc2-5-g591c583
SHELL=/bin/sh

2
bashbot.rc
View File

@ -1,7 +1,7 @@
#!/bin/sh
# description: Start or stop telegram-bash-bot
#
#### $$VERSION$$ v0.60-rc2-3-g4a944d9
#### $$VERSION$$ v0.60-rc2-5-g591c583
# shellcheck disable=SC2009
# shellcheck disable=SC2181

2
bashbot.sh
View File

@ -10,7 +10,7 @@
# This file is public domain in the USA and all free countries.
# Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying)
#
#### $$VERSION$$ v0.60-rc2-3-g4a944d9
#### $$VERSION$$ v0.60-rc2-5-g591c583
#
# Exit Codes:
# - 0 sucess (hopefully)

2
calc
View File

@ -3,7 +3,7 @@
# This file is public domain in the USA and all free countries.
# Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying)
#### $$VERSION$$ v0.60-rc2-3-g4a944d9
#### $$VERSION$$ v0.60-rc2-5-g591c583
# adjust your language setting here
# https://github.com/topkecleon/telegram-bot-bash#setting-up-your-environment

2
commands.sh
View File

@ -4,7 +4,7 @@
# This file is public domain in the USA and all free countries.
# Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying)
#
#### $$VERSION$$ v0.60-rc2-3-g4a944d9
#### $$VERSION$$ v0.60-rc2-5-g591c583
#
# shellcheck disable=SC2154
# shellcheck disable=SC2034

4
doc/1_firstbot.md
View File

@ -1,4 +1,4 @@
#### [Home](../README.md)
## Create a Telegram Bot with botfather
1. Message @botfather https://telegram.me/botfather with the following
@ -61,5 +61,5 @@ group. This step is up to you actually.
#### [Next Getting started](2_usage.md)
#### $$VERSION$$ v0.60-rc2-4-g1bf26b9
#### $$VERSION$$ v0.60-rc2-5-g591c583

10
doc/2_usage.md
View File

@ -1,3 +1,4 @@
#### [Home](../README.md)
## Gettting Started
All Commands for the Bot are in the ```commands.sh``` file (this should ease upgrades of the bot core). Here you find some examples how to process messages and send out text.
@ -131,14 +132,15 @@ send_message "${CHAT[ID]}" "lol" "safe"
More examples boutsend_message strings can be found in [Advanced Usage](3_advanced.md#Interactive-Chats)
#### Send files, location etc.
#### Send files, locations, keyboards.
To send images, videos, voice files, photos etc. use the ```send_photo``` function (remember to change the safety Regex @ line 14 of command.sh to allow sending files only from certain directories):
```bash
send_file "${CHAT[ID]}" "/home/user/doge.jpg" "Lool"
```
To send custom keyboards use the ```send_keyboard``` function:
```bash
send_keyboard "${CHAT[ID]}" "Text that will appear in chat?" "[ \"Yep\" , \"No\" ]"
send_keyboard "${CHAT[ID]}" "Text that will appear in chat?" '[ "Yep" , "No" ]' # note the simgle quotes!
send_keyboard "${CHAT[ID]}" "Text that will appear in chat?" "[ \\"Yep\\" , \\"No\\" ]" # within double quotes you must excape the inside double quots
```
To send locations use the ```send_location``` function:
```bash
@ -154,8 +156,8 @@ Allowed values: typing for text messages, upload_photo for photos, record_video
send_action "${CHAT[ID]}" "action"
```
#### [Prev Getting started](2_usage.md)
#### [Prev Create Bot](1_firstbot.md)
#### [Next Advanced Usage](3_advanced.md)
#### $$VERSION$$ v0.60-rc2-4-g1bf26b9
#### $$VERSION$$ v0.60-rc2-5-g591c583

6
doc/3_advanced.md
View File

@ -1,4 +1,4 @@
#### [Home](../README.md)
## Advanced Features
### Access control
@ -153,8 +153,8 @@ To send stickers through an *inline query*:
```bash
answer_inline_query "$iQUERY_ID" "cached_sticker" "identifier for the sticker"
```
#### [prev Advanced Usage](3_advanced.md)
#### [Prev Advanced Usage](3_advanced.md)
#### [Next Expert Use](4_expert.md)
#### $$VERSION$$ v0.60-rc2-4-g1bf26b9
#### $$VERSION$$ v0.60-rc2-5-g591c583

3
doc/4_expert.md
View File

@ -1,3 +1,4 @@
#### [Home](../README.md)
## Expert Use
### Handling UTF-8 character sets
@ -103,5 +104,5 @@ An example crontab is provided in ```bashbot.cron```.
#### [Prev Expert Use](4_expert.md)
#### [Next Best Practice](5_practice.md)
#### $$VERSION$$ v0.60-rc2-4-g1bf26b9
#### $$VERSION$$ v0.60-rc2-5-g591c583

3
doc/5_practice.md
View File

@ -1,3 +1,4 @@
#### [Home](../README.md)
## Best Practices
### Customize commands.sh only
@ -111,5 +112,5 @@ The second warning is about an unused variable, this is true because in our exam
#### [Prev Best Practice](5_practice.md)
#### [Next Functions Reference](6_reference.md)
#### $$VERSION$$ v0.60-rc2-4-g1bf26b9
#### $$VERSION$$ v0.60-rc2-5-g591c583

12
doc/6_reference.md
View File

@ -1,3 +1,4 @@
#### [Home](../README.md)
## Bashbot function reference
### Send, forward, delete messages
@ -122,12 +123,11 @@ send_file "${CHAT[ID]}" "https://www.domain,com/something.gif" "Something"
##### send_keyboard
Note: since version 0.6 send_keyboard was changed to use native "JSON Array" notation as used from Telegram. Example Keybord Array definitions:
- yes no in one row
- OLD format: "yes" "no" (two strings)
- NEW format: "[ \\"yes\\" , \\"no\\" ]" (string containing an array)
- OLD format: 'yes' 'no' (two strings)
- NEW format: '[ "yes" , "no" ]' (string containing an array)
- new keybord layouts, no possible with old format:
- Yes No in two rows: "[ \\"yes\\" ] , [ \\"no\\" ]"
- numpad style keyboard: "[ \\"1\\" , \\"2\\" , \\"3\\" ] , [ \\"4\\" , \\"5\\" , \\"6\\" ] , [ \\"7\\" , \\"8\\" , \\"9\\" ] , [ \\"0\\" ]"
- Yes No in two rows: '[ "yes" ] , [ "no" ]'
- numpad style keyboard: '[ "1" , "2" , "3" ] , [ "4" , "5" , "6" ] , [ "7" , "8" , "9" ] , [ "0" ]'
*usage:* send_keyboard "chat-id" "keyboard"
@ -348,5 +348,5 @@ Send Input from Telegram to waiting Interactive Chat.
#### [Prev Best Practice](5_practice.md)
#### $$VERSION$$ v0.60-rc2-4-g1bf26b9
#### $$VERSION$$ v0.60-rc2-5-g591c583

2
notify
View File

@ -2,7 +2,7 @@
# This file is public domain in the USA and all free countries.
# Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying)
#### $$VERSION$$ v0.60-rc2-3-g4a944d9
#### $$VERSION$$ v0.60-rc2-5-g591c583
# adjust your language setting here
# https://github.com/topkecleon/telegram-bot-bash#setting-up-your-environment

4
question
View File

@ -3,7 +3,7 @@
# This file is public domain in the USA and all free countries.
# Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying)
#### $$VERSION$$ v0.60-rc2-3-g4a944d9
#### $$VERSION$$ v0.60-rc2-5-g591c583
# adjust your language setting here
# https://github.com/topkecleon/telegram-bot-bash#setting-up-your-environment
@ -19,7 +19,7 @@ Would you like some tea (y/n)?"
read -r answer
[[ $answer =~ ^([yY][eE][sS]|[yY])$ ]] && echo "OK then, here you go: http://www.rivertea.com/blog/wp-content/uploads/2013/12/Green-Tea.jpg" || echo "OK then."
until [ "$SUCCESS" = "y" ] ;do
echo 'Do you like Music? mykeyboardstartshere "Yass!" "No"'
echo 'Do you like Music? mykeyboardstartshere "Yass!" , "No"'
read -r answer
case $answer in
'Yass!') echo "Goody! mykeyboardendshere";SUCCESS=y;;

2
version
View File

@ -1,6 +1,6 @@
#!/bin/bash
#
#### $$VERSION$$ v0.60-rc2-3-g4a944d9
#### $$VERSION$$ v0.60-rc2-5-g591c583
# shellcheck disable=SC2016
#
# Easy Versioning in git: