explain why $ in user input can be dangerous

This commit is contained in:
Kay Marquardt (Gnadelwartz) 2020-06-18 14:00:38 +02:00
parent eea1de6cbd
commit 8b3e92d233
3 changed files with 20 additions and 11 deletions

View File

@ -190,7 +190,8 @@ It features background tasks and interactive chats, and can serve as an interfac
<p>Running a Telegram Bot means it is connected to the public and you never know whats send to your Bot.</p>
<p>Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see <a href="https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells">Implications of wrong quoting</a></p>
<p>Whenever you are processing input from from untrusted sources (messages, files, network) you must be as carefull as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everthing. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.</p>
<p><strong>Note:</strong> Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, pls update if you use an older version! One of the most powerful features of unix shells like bash is variable and command substitution, this can lead to RCE and information disclosing bugs if you do not escape '$' porperly, see <a href="https://github.com/topkecleon/telegram-bot-bash/issues/125">Issue #125</a></p>
<p><strong>Note:</strong> Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code execution (RCE) bug, pls update if you use an older version! see <a href="https://github.com/topkecleon/telegram-bot-bash/issues/125">Issue #125</a></p>
<p>One of the most powerful features of unix shells like bash is variable and command substitution using <code>${}</code> and <code>$()</code>, but as they are expanded in doble quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot even bash does much to avoid this. So it's more secure to escape or remove '$' in input from user, files or network.</p>
<p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <a href="https://www.shellcheck.net/">use it online</a> or <a href="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a <a href="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
<h3>use printf whenever possible</h3>
<p>If you're writing a script and it is taking external input (from the user as arguments, or file names from the file system...), you shouldn't use echo to display it. <a href="https://unix.stackexchange.com/a/6581">Use printf whenever possible</a></p>
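Review bot: the replacement paragraph (the `<p>One of the most powerful features...` line) has a dangling clause, "in complex scripts like bashbot even bash does much to avoid this", which reads as two sentences run together; "even though bash does much to avoid this" (or a full stop before "Bash does much") is what is meant. The same line misspells "doble quotes", the new Note line keeps "mai/22/2020" and the informal "pls", and the surrounding context still carries "enshure" and "used extensive" (should be "extensively"), so this is a good moment to fix all of them in one pass since they ship in the rendered README.html. One documentation point: the text now tells readers to "escape or remove '$' in input from user, files or network" but not whether bashbot does this itself or whether the author of `mycommands.sh` must do it; a single sentence saying which would make the advice actionable.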
@ -256,6 +257,6 @@ It features background tasks and interactive chats, and can serve as an interfac
<p>@Gnadelwartz</p>
<h2>That's it!</h2>
<p>If you feel that there's something missing or if you found a bug, feel free to submit a pull request!</p>
<h4>$$VERSION$$ v0.98-dev-10-g74caa49</h4>
<h4>$$VERSION$$ v0.98-dev-42-geea1de6</h4>
</body>
</html>
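Review bot: the `$$VERSION$$` stamp jumps from v0.98-dev-10-g74caa49 to v0.98-dev-42-geea1de6 inside a wording-only commit; if the stamp is rewritten by a build step that is fine, otherwise keep the bump out of documentation commits so the diff stays reviewable. Related: this HTML file repeats the README.md paragraphs word for word but already differs in markup (`<code>${}</code>` here versus triple backticks in the markdown hunk), which suggests the two are being edited by hand in parallel; if README.html is meant to be generated from README.md, regenerate it instead so the copies cannot drift.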

View File

@ -127,8 +127,12 @@ Bash scripts in general are not designed to be bullet proof, so consider this Bo
Whenever you are processing input from from untrusted sources (messages, files, network) you must be as carefull as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everthing. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, pls update if you use an older version!
One of the most powerful features of unix shells like bash is variable and command substitution, this can lead to RCE and information disclosing bugs if you do not escape '$' porperly, see [Issue #125](https://github.com/topkecleon/telegram-bot-bash/issues/125)
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code execution (RCE) bug, pls update if you use an older version!
see [Issue #125](https://github.com/topkecleon/telegram-bot-bash/issues/125)
One of the most powerful features of unix shells like bash is variable and command substitution using ```${}``` and ```$()```,
but as they are expanded in doble quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot
even bash does much to avoid this. So it's more secure to escape or remove '$' in input from user, files or network.
A powerful tool to improve your scripts is ```shellcheck```. You can [use it online](https://www.shellcheck.net/) or [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests.
In addition bashbot has a [test suite](doc/7_develop.md) to check if important functionality is working as expected.
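Review bot: the new line `see [Issue #125](...)` starts with a lowercase "see" directly after "older version!", and because it is not separated by a blank line markdown joins it to the Note paragraph, rendering as "...older version! see Issue #125"; either capitalise it ("See Issue #125") or put it on the Note line as "...older version, see [Issue #125]". The inline code in `using ```${}``` and ```$()```` uses triple backticks; single backticks (`` `${}` `` and `` `$()` ``) are the inline form and avoid renderers treating a triple backtick as a fence opener. "doble quotes" and "mai/22/2020" carry over from the HTML hunk and should be fixed here too.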
@ -235,4 +239,4 @@ This may happen if to many wrong requests are sent to api.telegram.org, e.g. usi
If you feel that there's something missing or if you found a bug, feel free to submit a pull request!
#### $$VERSION$$ v0.98-dev-10-g74caa49
#### $$VERSION$$ v0.98-dev-42-geea1de6

View File

@ -168,12 +168,16 @@ globbing (set -f) and quote everthing. In addition delete unused scripts and
examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable
all not used commands.
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code
execution bug, pls update if you use an older version!
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code
execution (RCE) bug, pls update if you use an older version!
see [Issue #125](https://github.com/topkecleon/telegram-bot-bash/issues/125)
One of the most powerful features of unix shells like bash is variable and
command substitution, this can lead to RCE and information disclosing bugs if
you do not escape '$' porperly, see [Issue
#125](https://github.com/topkecleon/telegram-bot-bash/issues/125)
command substitution using ```${}``` and ```$()```,
but as they are expanded in doble quotes, this can lead to RCE and information
disclosing bugs in complex scripts like bashbot
even bash does much to avoid this. So it's more secure to escape or remove '$'
in input from user, files or network.
A powerful tool to improve your scripts is ```shellcheck```. You can [use it
online](https://www.shellcheck.net/) or [install shellcheck
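Review bot: this file is the hard-wrapped copy of the same paragraphs, and it keeps the markdown-only pieces of the edit: the triple-backtick ```${}``` and ```$()``` markup on the "command substitution using" line and the bare `see [Issue #125](...)` line will show up literally if this file is read as plain text, so either drop the backticks here or confirm the file is rendered as markdown. Also note that the retained context line "One of the most powerful features of unix shells like bash is variable and" is now immediately followed by the added "command substitution using ..." line while the removed lines still sat between them; re-read the joined sentence once more after the "doble"/"even bash does much to avoid this" wording is fixed in the other two files so all three copies stay identical.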
@ -324,4 +328,4 @@ in 'mycommands.sh' as example.
If you feel that there's something missing or if you found a bug, feel free to
submit a pull request!
#### $$VERSION$$ v0.98-dev-10-g74caa49
#### $$VERSION$$ v0.98-dev-42-geea1de6