doc: better explanation of $ RCE

2025-04-11 16:41:49 +00:00 · 2020-12-29 13:03:46 +01:00 · 2020-12-29 13:03:46 +01:00 · a5307e3a94
commit a5307e3a94
parent d083390dcb
4 changed files with 63 additions and 52 deletions
--- a/README.html
+++ b/README.html
@ -327,7 +327,7 @@ This is bashbot, the Telegram bot written entirely in bash.
 It features background tasks and interactive chats, and can serve as an interface for CLI programs.</code></pre>
 <p>For more Information on how to install, customize and use your new bot, read the <a href="#Documentation">Documentation</a></p>
 <h3>Log files</h3>
-<p>Bashbot actions are logged in BASHBOT.log, Telegram send/receive errors are logged to ERROR.log. Start bashbot in debug mode to get all messages send to / received from Telegram and error messages of bash commands also.</p>
+<p>Bashbot actions are logged to <code>BASHBOT.log</code>, Telegram send/receive errors are logged to <code>ERROR.log</code>. Start bashbot in debug mode to get all messages send to / received from Telegram and error messages of bash commands also.</p>
 <p>To enable debug mode start bashbot with debug as third argument: <code>bashbot start debug</code></p>
 <pre><code>├── logs 
 │   ├── BASHBOT.log      # log what your bot is doing ...
@ -339,8 +339,8 @@ It features background tasks and interactive chats, and can serve as an interfac
 <h2>Security Considerations</h2>
 <p>Running a Telegram Bot means it is connected to the public and you never know what's send to your Bot.</p>
 <p>Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see <a href="https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells">Implications of wrong quoting</a></p>
-<p>Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.</p>
+<p>Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition remove unused scripts and examples from your Bot, e.g. everything in <code>example/</code> and disable/remove all not needed bot commands.</p>
-<p>One of the most powerful features of unix shells is variable and command substitution using <code>${}</code> and <code>$()</code>, but as they are expanded in double quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot. So it's more secure to escape or remove '$' in input from user, files or network.</p>
+<p>It's important to escape or remove <code>$</code> in input from user, files or network (<em>as bashbot does</em>) One of the powerful features of unix shells are variable and command substitution using <code>${}</code> and<code>$()</code>, this can lead to remove code execution (RCE) or information disclosing bugs if unescaped <code>$</code> is included in untrusted input, e.g. <code>$$</code> or <code>$(rm -rf /*)</code></p>
 <p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <a href="https://www.shellcheck.net/">use it online</a> or <a href="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensively in bashbot development to ensure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a <a href="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
 <h3>Use printf whenever possible</h3>
 <p>If you're writing a script and it is taking external input (from the user as arguments or file system...), you shouldn't use echo to display it. <a href="https://unix.stackexchange.com/a/6581">Use printf whenever possible</a></p>
@ -349,8 +349,8 @@ It features background tasks and interactive chats, and can serve as an interfac
 <p><strong>Never run your Bot as root, this is the most dangerous you can do!</strong> Usually the user 'nobody' has almost no rights on unix/linux systems. See <a href="doc/4_expert.md">Expert use</a> on how to run your Bot as an other user.</p>
 <h3>Secure your Bot installation</h3>
 <p><strong>Your Bot configuration must no be readable from other users.</strong> Everyone who can read your Bots token is able to act as your Bot and has access to all chats the Bot is in!</p>
-<p>Everyone with read access to your Bot files can extract your Bots data. Especially your Bot config in <code>config.jssh</code> must be protected against other users. No one except you should have write access to the Bot files. The Bot should be restricted to have write access to <code>count.jssh</code> and <code>data-bot-bash</code> only, all other files must be write protected.</p>
+<p>Everyone with read access to your Bot files can extract your Bots data. Especially your Bot config in<code>config.jssh</code> must be protected against other users. No one except you should have write access to the Bot files. The Bot should be restricted to have write access to<code>count.jssh</code> and <code>data-bot-bash</code> only, all other files must be write protected.</p>
-<p>To set access rights for your bashbot installation to a reasonable default run <code>sudo ./bashbot.sh init</code> after every update or change to your installation directory.</p>
+<p>To set access rights for your bashbot installation to a reasonable default run<code>sudo ./bashbot.sh init</code> after every update or change to your installation directory.</p>
 <h2>FAQ</h2>
 <h3>Is this Bot insecure?</h3>
 <p>Bashbot is not more (in)secure as any Bot written in an other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...</p>
@ -364,11 +364,11 @@ It features background tasks and interactive chats, and can serve as an interfac
 <li>no database, not event driven, not object oriented ...</li>
 </ul>
 <h3>Can I have the single bashbot.sh file back?</h3>
-<p>At the beginning bashbot was simply the file <code>bashbot.sh</code> you can copy everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.</p>
+<p>At the beginning bashbot was simply the file<code>bashbot.sh</code> you can copy everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.</p>
-<p>Hey no Problem, if you are finished with your cool bot run <code>dev/make-standalone.sh</code> to create a stripped down Version of your bot containing only 'bashbot.sh' and 'commands.sh'! For more information see <a href="doc/7_develop.md">Create a stripped down Version of your Bot</a></p>
+<p>Hey no Problem, if you are finished with your cool bot run<code>dev/make-standalone.sh</code> to create a stripped down Version of your bot containing only 'bashbot.sh' and 'commands.sh'! For more information see <a href="doc/7_develop.md">Create a stripped down Version of your Bot</a></p>
 <h3>Can I send messages from CLI and scripts?</h3>
-<p>Of course, you can send messages from CLI and scripts, simply install bashbot as <a href="#Your-really-first-bashbot-in-a-nutshell">described here</a>, send the message '/start' to set yourself as botadmin and stop the bot with <code>./bashbot.sh stop</code>.</p>
+<p>Of course, you can send messages from command line and scripts, simply install bashbot as <a href="#Your-really-first-bashbot-in-a-nutshell">described here</a>, send the message '/start' to set yourself as botadmin and then stop the bot with <code>./bashbot.sh stop</code>.</p>
-<p>Bashbot provides some ready to use scripts ro send messages from command line in <code>bin/</code> dir, e.g. <code>send_message.sh</code>.</p>
+<p>Bashbot provides some ready to use scripts for sending messages from command line in <code>bin/</code> dir, e.g. <code>send_message.sh</code>.</p>
 <div class="sourceCode" id="cb4"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb4-1"><a href="#cb4-1" aria-hidden="true" tabindex="-1"></a><span class="ex">bin/send_message.sh</span> BOTADMIN <span class="st">&quot;This is my first message send from CLI&quot;</span></span>
 <span id="cb4-2"><a href="#cb4-2" aria-hidden="true" tabindex="-1"></a></span>
 <span id="cb4-3"><a href="#cb4-3" aria-hidden="true" tabindex="-1"></a><span class="ex">bin/send_message.sh</span> <span class="at">--help</span></span></code></pre></div>
@ -390,6 +390,6 @@ It features background tasks and interactive chats, and can serve as an interfac
 <p>@Gnadelwartz</p>
 <h2>That's it all guys!</h2>
 <p>If you feel that there's something missing or if you found a bug, feel free to submit a pull request!</p>
-<h4>$$VERSION$$ v1.21-dev-28-g43f5536</h4>
+<h4>$$VERSION$$ v1.21-dev-33-gd083390</h4>
 </body>
 </html>
--- a/README.md
+++ b/README.md
@ -137,15 +137,21 @@ To enable debug mode start bashbot with debug as third argument: `bashbot start
 ## Security Considerations
 Running a Telegram Bot means it is connected to the public and you never know what's send to your Bot.
-Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see [Implications of wrong quoting](https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells)
+Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept.
 Bash programmers often struggle with 'quoting hell' and globbing,
 see [Implications of wrong quoting](https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells)
-Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.
+Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible,
 e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition remove unused scripts and examples
 from your Bot, e.g. everything in `example/` and disable/remove all not needed bot commands.
-One of the most powerful features of unix shells is variable and command substitution using`${}` and`$()```,
+It's important to escape or remove `$` in input from user, files or network (_as bashbot does_)
-but as they are expanded in double quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot.
+One of the powerful features of unix shells are variable and command substitution using `${}` and`$()`,
-So it's more secure to escape or remove '$' in input from user, files or network.
+this can lead to remove code execution (RCE) or information disclosing bugs if unescaped `$` is included in untrusted input, e.g. `$$` or `$(rm -rf /*)`
-A powerful tool to improve your scripts is`shellcheck`. You can [use it online](https://www.shellcheck.net/) or [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensively in bashbot development to ensure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests.
+A powerful tool to improve your scripts is `shellcheck`. You can [use it online](https://www.shellcheck.net/) or
 [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensively in bashbot development
 to ensure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests.
 In addition bashbot has a [test suite](doc/7_develop.md) to check if important functionality is working as expected.
 ### Use printf whenever possible
@ -233,4 +239,4 @@ See `mycommnds.sh.dist` for an example.
 If you feel that there's something missing or if you found a bug, feel free to submit a pull request!
-#### $$VERSION$$ v1.21-dev-29-g13d15f4
+#### $$VERSION$$ v1.21-dev-33-gd083390
--- a/README.txt
+++ b/README.txt
@ -143,8 +143,8 @@ the [Documentation](#Documentation)
 ### Log files
-Bashbot actions are logged in BASHBOT.log, Telegram send/receive errors are 
+Bashbot actions are logged to `BASHBOT.log`, Telegram send/receive errors are 
-logged to ERROR.log.
+logged to `ERROR.log`.
 Start bashbot in debug mode to get all messages send to / received from 
 Telegram and error messages of bash commands also.
@ -168,29 +168,33 @@ Running a Telegram Bot means it is connected to the public and you never know
 what's send to your Bot.
 Bash scripts in general are not designed to be bullet proof, so consider this 
-Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' 
+Bot as a proof of concept.
-and globbing, see [Implications of wrong 
+Bash programmers often struggle with 'quoting hell' and globbing,
 see [Implications of wrong 
 quoting](https://unix.stackexchange.com/questions/171346/security-implications-o
 f-forgetting-to-quote-a-variable-in-bash-posix-shells)
 Whenever you are processing input from untrusted sources (messages, files, 
-network) you must be as careful as possible, e.g. set IFS appropriate, disable 
+network) you must be as careful as possible,
-globbing (set -f) and quote everything. In addition delete unused scripts and 
+e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In 
-examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable 
+addition remove unused scripts and examples
-all not used commands.
+from your Bot, e.g. everything in `example/` and disable/remove all not needed 
 bot commands.
-One of the most powerful features of unix shells is variable and command 
+It's important to escape or remove `$` in input from user, files or network 
-substitution using ```${}``` and ```$()```,
+(_as bashbot does_)
-but as they are expanded in double quotes, this can lead to RCE and information 
+One of the powerful features of unix shells are variable and command 
-disclosing bugs in complex scripts like bashbot.
+substitution using `${}` and`$()`,
-So it's more secure to escape or remove '$' in input from user, files or 
+this can lead to remove code execution (RCE) or information disclosing bugs if 
-network.
+unescaped `$` is included in untrusted input, e.g. `$$` or `$(rm -rf /*)`
-A powerful tool to improve your scripts is ```shellcheck```. You can [use it 
+A powerful tool to improve your scripts is `shellcheck`. You can [use it 
-online](https://www.shellcheck.net/) or [install shellcheck 
+online](https://www.shellcheck.net/) or
 [install shellcheck 
 locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used 
-extensively in bashbot development to ensure a high code quality, e.g. it's not 
+extensively in bashbot development
-allowed to push changes without passing all shellcheck tests.
+to ensure a high code quality, e.g. it's not allowed to push changes without 
 passing all shellcheck tests.
 In addition bashbot has a [test suite](doc/7_develop.md) to check if important 
 functionality is working as expected.
@ -218,13 +222,13 @@ can read your Bots token is able to act as your Bot and has access to all chats
 the Bot is in!
 Everyone with read access to your Bot files can extract your Bots data. 
-Especially your Bot config in ```config.jssh``` must be protected against other 
+Especially your Bot config in`config.jssh` must be protected against other 
 users. No one except you should have write access to the Bot files. The Bot 
-should be restricted to have write access to ```count.jssh``` and  
+should be restricted to have write access to`count.jssh` and `data-bot-bash` 
-```data-bot-bash``` only, all other files must be write protected.
+only, all other files must be write protected.
-To set access rights for your bashbot installation to a reasonable default run 
+To set access rights for your bashbot installation to a reasonable default 
-```sudo ./bashbot.sh init``` after every update or change to your installation 
+run`sudo ./bashbot.sh init` after every update or change to your installation 
 directory.
 ## FAQ
@ -249,24 +253,24 @@ health status
 - no database, not event driven, not object oriented ...
 ### Can I have the single bashbot.sh file back?
-At the beginning bashbot was simply the file ```bashbot.sh``` you can copy 
+At the beginning bashbot was simply the file`bashbot.sh` you can copy 
 everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 
 'modules/*.sh' and much more.
-Hey no Problem, if you are finished with your cool bot run 
+Hey no Problem, if you are finished with your cool bot 
-```dev/make-standalone.sh``` to create a stripped down Version of your bot 
+run`dev/make-standalone.sh` to create a stripped down Version of your bot 
 containing only
 'bashbot.sh' and 'commands.sh'! For more information see [Create a stripped 
 down Version of your Bot](doc/7_develop.md)
 ### Can I send messages from CLI and scripts?
-Of course, you can send messages from CLI and scripts, simply install bashbot 
+Of course, you can send messages from command line and scripts, simply install 
-as [described here](#Your-really-first-bashbot-in-a-nutshell),
+bashbot as [described here](#Your-really-first-bashbot-in-a-nutshell),
-send the message '/start' to set yourself as botadmin and stop the bot with 
+send the message '/start' to set yourself as botadmin and then stop the bot 
-```./bashbot.sh stop```.
+with `./bashbot.sh stop`.
-Bashbot provides some ready to use scripts ro send messages from command line 
+Bashbot provides some ready to use scripts for sending messages from command 
-in `bin/` dir, e.g. `send_message.sh`.
+line in `bin/` dir, e.g. `send_message.sh`.
 ```bash
 bin/send_message.sh BOTADMIN "This is my first message send from CLI"
@ -315,4 +319,4 @@ See `mycommnds.sh.dist` for an example.
 If you feel that there's something missing or if you found a bug, feel free to 
 submit a pull request!
-#### $$VERSION$$ v1.21-dev-28-g43f5536
+#### $$VERSION$$ v1.21-dev-33-gd083390
--- a/modules/jsonDB.sh
+++ b/modules/jsonDB.sh
@ -5,7 +5,7 @@
 # This file is public domain in the USA and all free countries.
 # Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying)
 #
-#### $$VERSION$$ v1.20-0-g2ab00a2
+#### $$VERSION$$ v1.21-dev-33-gd083390
 #
 # source from commands.sh to use jsonDB functions
 #
@ -331,8 +331,9 @@ function jssh_updateArray_async() {
 # read JSON.sh style data and asssign to an ARRAY
 # $1 ARRAY name, must be declared with "declare -A ARRAY" before calling
 Json2Array() {
 	# 							match ["....."]\t and replace \t with = and print     quote true false            escape not escaped $
 	# shellcheck disable=SC1091,SC1090
-	[ -z "$1" ] || source <( printf "$1"'=( %s )' "$(sed -E -n -e '/\["[-0-9a-zA-Z_,."]+"\]\+*\t/ s/\t/=/gp' -e 's/=(true|false)/="\1"/')" )
+	[ -z "$1" ] || source <( printf "$1"'=( %s )' "$(sed -E -n -e '/\["[-0-9a-zA-Z_,."]+"\]\+*\t/ s/\t/=/p' -e 's/=(true|false)/="\1"/' -e 's/([^\]|^)\$/\1\\$/g')" )
 }
 # get Config Key from jssh file without jsshDB
 # output ARRAY as JSON.sh style data