mirror of
https://github.com/octoleo/telegram-bot-bash.git
synced 2024-12-31 22:01:46 +00:00
explain why $ in user input can be dangerous
This commit is contained in:
parent
eea1de6cbd
commit
8b3e92d233
@ -190,7 +190,8 @@ It features background tasks and interactive chats, and can serve as an interfac
|
|||||||
<p>Running a Telegram Bot means it is connected to the public and you never know whats send to your Bot.</p>
|
<p>Running a Telegram Bot means it is connected to the public and you never know whats send to your Bot.</p>
|
||||||
<p>Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see <a href="https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells">Implications of wrong quoting</a></p>
|
<p>Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see <a href="https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells">Implications of wrong quoting</a></p>
|
||||||
<p>Whenever you are processing input from from untrusted sources (messages, files, network) you must be as carefull as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everthing. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.</p>
|
<p>Whenever you are processing input from from untrusted sources (messages, files, network) you must be as carefull as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everthing. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.</p>
|
||||||
<p><strong>Note:</strong> Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, pls update if you use an older version! One of the most powerful features of unix shells like bash is variable and command substitution, this can lead to RCE and information disclosing bugs if you do not escape '$' porperly, see <a href="https://github.com/topkecleon/telegram-bot-bash/issues/125">Issue #125</a></p>
|
<p><strong>Note:</strong> Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code execution (RCE) bug, pls update if you use an older version! see <a href="https://github.com/topkecleon/telegram-bot-bash/issues/125">Issue #125</a></p>
|
||||||
|
<p>One of the most powerful features of unix shells like bash is variable and command substitution using <code>${}</code> and <code>$()</code>, but as they are expanded in doble quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot even bash does much to avoid this. So it's more secure to escape or remove '$' in input from user, files or network.</p>
|
||||||
<p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <a href="https://www.shellcheck.net/">use it online</a> or <a href="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a <a href="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
|
<p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <a href="https://www.shellcheck.net/">use it online</a> or <a href="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a <a href="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
|
||||||
<h3>use printf whenever possible</h3>
|
<h3>use printf whenever possible</h3>
|
||||||
<p>If you're writing a script and it is taking external input (from the user as arguments, or file names from the file system...), you shouldn't use echo to display it. <a href="https://unix.stackexchange.com/a/6581">Use printf whenever possible</a></p>
|
<p>If you're writing a script and it is taking external input (from the user as arguments, or file names from the file system...), you shouldn't use echo to display it. <a href="https://unix.stackexchange.com/a/6581">Use printf whenever possible</a></p>
|
||||||
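Review bot: The new explanatory paragraph on the right-hand side (`<p>One of the most powerful features of unix shells like bash ...</p>`) carries several slips that will ship in the rendered README: "doble quotes" should be "double quotes", "information disclosing bugs" should be "information disclosure bugs", and "even bash does much to avoid this" needs "even though". The reasoning is also easy to misread as written: bash performs `${}` and `$()` expansion on the script's own double-quoted text, not on data that arrives in a variable, so a message containing `$(...)` stays inert as long as the script only ever references it as `"$var"`; it becomes code only when the script re-parses it, e.g. via `eval`, `source`, an arithmetic context `(( ))`, or by assembling a command string from it. Suggest wording the sentence around that point (untrusted data must never reach a second round of shell parsing) instead of "as they are expanded in double quotes", so readers do not conclude that quoting itself is unsafe. Minor: in the Note paragraph the moved "see <a ...>Issue #125</a>" now follows an exclamation mark and should begin with a capital "See".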
@ -256,6 +257,6 @@ It features background tasks and interactive chats, and can serve as an interfac
|
|||||||
<p>@Gnadelwartz</p>
|
<p>@Gnadelwartz</p>
|
||||||
<h2>That's it!</h2>
|
<h2>That's it!</h2>
|
||||||
<p>If you feel that there's something missing or if you found a bug, feel free to submit a pull request!</p>
|
<p>If you feel that there's something missing or if you found a bug, feel free to submit a pull request!</p>
|
||||||
<h4>$$VERSION$$ v0.98-dev-10-g74caa49</h4>
|
<h4>$$VERSION$$ v0.98-dev-42-geea1de6</h4>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
10
README.md
10
README.md
@ -127,8 +127,12 @@ Bash scripts in general are not designed to be bullet proof, so consider this Bo
|
|||||||
|
|
||||||
Whenever you are processing input from from untrusted sources (messages, files, network) you must be as carefull as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everthing. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.
|
Whenever you are processing input from from untrusted sources (messages, files, network) you must be as carefull as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everthing. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.
|
||||||
|
|
||||||
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, pls update if you use an older version!
|
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code execution (RCE) bug, pls update if you use an older version!
|
||||||
One of the most powerful features of unix shells like bash is variable and command substitution, this can lead to RCE and information disclosing bugs if you do not escape '$' porperly, see [Issue #125](https://github.com/topkecleon/telegram-bot-bash/issues/125)
|
see [Issue #125](https://github.com/topkecleon/telegram-bot-bash/issues/125)
|
||||||
|
|
||||||
|
One of the most powerful features of unix shells like bash is variable and command substitution using ```${}``` and ```$()```,
|
||||||
|
but as they are expanded in doble quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot
|
||||||
|
even bash does much to avoid this. So it's more secure to escape or remove '$' in input from user, files or network.
|
||||||
|
|
||||||
A powerful tool to improve your scripts is ```shellcheck```. You can [use it online](https://www.shellcheck.net/) or [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests.
|
A powerful tool to improve your scripts is ```shellcheck```. You can [use it online](https://www.shellcheck.net/) or [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests.
|
||||||
In addition bashbot has a [test suite](doc/7_develop.md) to check if important functionality is working as expected.
|
In addition bashbot has a [test suite](doc/7_develop.md) to check if important functionality is working as expected.
|
||||||
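Review bot: The three new lines "One of the most powerful features ... using ```${}``` and ```$()```,", "but as they are expanded in doble quotes, ..." and "even bash does much to avoid this. ..." render as one paragraph and contain the typos "doble" (double) and "information disclosing" (information disclosure), and "even bash does much" needs "even though". The claim that the expansions are dangerous "as they are expanded in double quotes" should be reworded: bash expands `${}` and `$()` in the script's own text, not inside the value of a variable referenced as `"$var"`; user input becomes code only when the script re-parses it (`eval`, `source`, arithmetic `(( ))`, or building a command string), which is the case the advice to strip or escape `$` actually guards against. Also, the remaining line "see [Issue #125](...)" sits directly under the "**Note:**" line with no blank line between them, so it joins that paragraph and should start with a capital "See". Since the same paragraph is added to the HTML and .txt variants in this commit, fix the wording here and regenerate those rather than editing each copy.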
@ -235,4 +239,4 @@ This may happen if to many wrong requests are sent to api.telegram.org, e.g. usi
|
|||||||
|
|
||||||
If you feel that there's something missing or if you found a bug, feel free to submit a pull request!
|
If you feel that there's something missing or if you found a bug, feel free to submit a pull request!
|
||||||
|
|
||||||
#### $$VERSION$$ v0.98-dev-10-g74caa49
|
#### $$VERSION$$ v0.98-dev-42-geea1de6
|
||||||
|
16
README.txt
16
README.txt
@ -168,12 +168,16 @@ globbing (set -f) and quote everthing. In addition delete unused scripts and
|
|||||||
examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable
|
examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable
|
||||||
all not used commands.
|
all not used commands.
|
||||||
|
|
||||||
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code
|
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code
|
||||||
execution bug, pls update if you use an older version!
|
execution (RCE) bug, pls update if you use an older version!
|
||||||
|
see [Issue #125](https://github.com/topkecleon/telegram-bot-bash/issues/125)
|
||||||
|
|
||||||
One of the most powerful features of unix shells like bash is variable and
|
One of the most powerful features of unix shells like bash is variable and
|
||||||
command substitution, this can lead to RCE and information disclosing bugs if
|
command substitution using ```${}``` and ```$()```,
|
||||||
you do not escape '$' porperly, see [Issue
|
but as they are expanded in doble quotes, this can lead to RCE and information
|
||||||
#125](https://github.com/topkecleon/telegram-bot-bash/issues/125)
|
disclosing bugs in complex scripts like bashbot
|
||||||
|
even bash does much to avoid this. So it's more secure to escape or remove '$'
|
||||||
|
in input from user, files or network.
|
||||||
|
|
||||||
A powerful tool to improve your scripts is ```shellcheck```. You can [use it
|
A powerful tool to improve your scripts is ```shellcheck```. You can [use it
|
||||||
online](https://www.shellcheck.net/) or [install shellcheck
|
online](https://www.shellcheck.net/) or [install shellcheck
|
||||||
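Review bot: This wrapped text copy carries the same wording problems as the added paragraph elsewhere in the commit: "doble quotes" should read "double quotes", "information disclosing bugs" should read "information disclosure bugs", and the line "even bash does much to avoid this. So it's more secure to escape or remove '$'" is missing "though". The sentence "but as they are expanded in doble quotes, this can lead to RCE" should be reworded so it does not suggest that a `$()` contained in a message is executed merely by being quoted; bash expands only the script's own text, and the risk arises when untrusted input is later re-parsed as code (`eval`, `source`, arithmetic evaluation, or a constructed command line). The moved line "see [Issue #125](...)" directly follows "execution (RCE) bug, pls update if you use an older version!" and should begin with a capital "See".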
@ -324,4 +328,4 @@ in 'mycommands.sh' as example.
|
|||||||
If you feel that there's something missing or if you found a bug, feel free to
|
If you feel that there's something missing or if you found a bug, feel free to
|
||||||
submit a pull request!
|
submit a pull request!
|
||||||
|
|
||||||
#### $$VERSION$$ v0.98-dev-10-g74caa49
|
#### $$VERSION$$ v0.98-dev-42-geea1de6
|
||||||
|