Bashbot - A Telegram bot written in bash.
Bashbot - A Telegram bot written in bash.
Contributions by JuanPotato, BigNerd95, TiagoDanin, and iicc1.
+Contributions by Daniil Gentili (@danogentili), JuanPotato, BigNerd95, TiagoDanin, and iicc1.
Released to the public domain wherever applicable. Elsewhere, consider it released under the WTFPLv2.
+Linted by #ShellCheck
Uses JSON.sh and the magic of sed.
Even bashbot is written in bash, it depends on commands typically available in a Unix/Linux Environment. More concret on the common commands provided by recent versions of coreutils, busybox or toybox, see Developer Notes
@@ -153,11 +154,11 @@ Written by Drew (@topkecleon), Daniil Gentili (@danogentili), and Kay M (@gnadelTo install and run bashbot you need access to a linux/unix command line. If you don't know how to get access to a linux/unix/bsd like command line you should stop reading here :-(
+To install and run bashbot you need access to a linux/unix command line. If you don't know how to get access to a linux/unix command line you should stop reading here :-(
In addition you need a Telegram client and a mobile phone to register an account. If you don't want to register for Telegram you should stop reading here ;-)
After you're registered to Telegram send a message to @botfather, create a new Telegram Bot token and write it down. You need the token to install the bot.
-Now open a linux/unix/bsd terminal and check if bash is installed: which bash && echo "bash installed!". If you get an error message bash is not installed.
Create a new directory and change to it: mkdir tbb; cd tbb and download the latest '*.tar.gz' file from https://github.com/topkecleon/telegram-bot-bash/releases. This can be done with the commands:
Now open a terminal and check if bash is installed: which bash && echo "bash installed!". If you get an error message bash is not installed.
Create a new directory, change to it: mkdir tbb; cd tbb and download the latest '*.tar.gz' file from https://github.com/topkecleon/telegram-bot-bash/releases. This can be done with the commands:
Extract the '*.tar.gz' file and change to bashbot directory: tar -xzf *.tar.gz; cd telegram-bot-bash, install bashbot: ./bashbot.sh init and enter your bot token when asked. All other questions can be answered by hitting the <Return> key.
That's all, now you can start your bot with ./bashbot.sh start and send him messages:
Running a Telegram Bot means it is connected to the public and you never know what's send to your Bot.
Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see Implications of wrong quoting
-Whenever you are processing input from from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.
-Note: Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code execution (RCE) bug, pls update if you use an older version! see Issue #125
-One of the most powerful features of unix shells like bash is variable and command substitution using ${} and $(), but as they are expanded in double quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot even bash does much to avoid this. So it's more secure to escape or remove '$' in input from user, files or network.
A powerful tool to improve your scripts is shellcheck. You can use it online or install shellcheck locally. Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a test suite to check if important functionality is working as expected.
If you're writing a script and it is taking external input (from the user as arguments, or file names from the file system...), you shouldn't use echo to display it. Use printf whenever possible
+Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.
+Note: Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code execution (RCE) bug, please update if you use an older version! see Issue #125
+One of the most powerful features of unix shells is variable and command substitution using ${} and $(), but as they are expanded in double quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot. So it's more secure to escape or remove '$' in input from user, files or network.
A powerful tool to improve your scripts is shellcheck. You can use it online or install shellcheck locally. Shellcheck is used extensive in bashbot development to ensure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a test suite to check if important functionality is working as expected.
If you're writing a script and it is taking external input (from the user as arguments or file system...), you shouldn't use echo to display it. Use printf whenever possible
# very simple
echo "text with variables. PWD=$PWD"
printf '%s\n' "text with variables. PWD=$PWD"
@@ -209,26 +210,26 @@ It features background tasks and interactive chats, and can serve as an interfac
->text with variables. float=1.23, integer=12345, PWD=/home/xxxWe stay with /bin/bash shebang, because it's more save from security perspective.
-Using a fixed path to the system provided bash makes it harder for attackers or users to place alternative versions of bash and avoids using a possibly broken, mangled or compromised bash executable.
+Use of a fixed path to the system provided bash makes it harder for attackers or users to place alternative versions of bash and avoids using a possibly broken, mangled or compromised bash executable.
If you are a BSD / MacOS user or must to use an other bash location, see Install Bashbot
I recommend to run your bot as a user, with almost no access rights. All files your Bot have write access to are in danger to be overwritten/deleted if your bot is hacked. For the same reason every file your Bot can read is in danger to be disclosed. Restict your Bots access rights to the absolute minimum.
-Never run your Bot as root, this is the most dangerous you can do! Usually the user 'nobody' has almost no rights on Unix/Linux systems. See Expert use on how to run your Bot as an other user.
+I recommend to run your bot as a user, with almost no access rights. All files your Bot have write access to are in danger to be overwritten/deleted if your bot is hacked. For the same reason every file your Bot can read is in danger to be disclosed. Restrict your Bots access rights to the absolute minimum.
+Never run your Bot as root, this is the most dangerous you can do! Usually the user 'nobody' has almost no rights on unix/linux systems. See Expert use on how to run your Bot as an other user.
Your Bot configuration must no be readable from other users. Everyone who can read your Bots token can act as your Bot and has access to all chats your Bot is in!
-Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in token must be protected against other users. No one except you must have write access to the Bot files. The Bot must be restricted to have write access to count and tmp-bot-bash only, all other files must be write protected.
Your Bot configuration must no be readable from other users. Everyone who can read your Bots token is able to act as your Bot and has access to all chats the Bot is in!
+Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in token must be protected against other users. No one except you should have write access to the Bot files. The Bot should be restricted to have write access to count and tmp-bot-bash only, all other files must be write protected.
To set access rights for your bashbot installation to a reasonable default run sudo ./bashbot.sh init after every update or change to your installation directory.
Bashbot is not more (in)secure as any other Bot written in any other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...
-Note: Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, pls update if you use an older version!
+Bashbot is not more (in)secure as any Bot written in an other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...
+Note: Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, please update if you use an older version!
Well, that's a damn good question ... may be because I'm an Unix/Linux admin from stone age. Nevertheless there are more reasons from my side:
+Well, that's a damn good question ... may be because I'm an unix admin from stone age. Nevertheless there are more reasons from my side:
At the beginning bashbot was simply the file bashbot.sh you can copy everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.
For more information see Expert Use
This may happen if to many wrong requests are sent to api.telegram.org, e.g. using a wrong token or not existing API calls. If you have a fixed IP you can ask telegram service to unblock your ip or change your IP. If you are running a tor proxy on your server you may uncomment the BASHBOT_CURL_ARGS line in 'mycommands.sh'
You can test if younare blockeds by running curl or wget manually:
+This may happen if to many or wrong requests are sent to api.telegram.org, e.g. using a invalid token or not existing API calls. If the block stay for longer time you can ask telegram service to unblock your IP-Adress.
+You can check with curl or wget if you are blocked by Telegram:
curl -m 10 https://api.telegram.org/bot
#curl: (28) Connection timed out after 10001 milliseconds
wget -t 1 -T 10 https://api.telegram.org/bot
#Connecting to api.telegram.org (api.telegram.org)|46.38.243.234|:443... failed: Connection timed out.Since Version 0.96 bashbot offers the option to recover from broken connections (aka blocked). Therefore you can provide a function named bashbotBlockRecover() in mycommands.sh. If the function exists it is called every time when a broken connection is detected.
Possible actions are: Check if network is working, change IP-Adress or simply wait some time.
+If everything seems OK return 0 for retry or any non 0 value to give up.
+# called when bashbot sedn command failed because we can not connect to telegram
+# return 0 to retry, return non 0 to give up
+bashbotBlockRecover() {
+ # place your commands to unblock here, e.g. change IP-Adess or simply wait
+ sleep 60 && return 0 # may be temporary
+ return 1
+ }
+@Gnadelwartz
If you feel that there's something missing or if you found a bug, feel free to submit a pull request!
-