mirror of
https://github.com/octoleo/telegram-bot-bash.git
synced 2024-05-29 16:30:52 +00:00
doc: better explanation of $ RCE
This commit is contained in:
parent
d083390dcb
commit
a5307e3a94
12
README.html
@ -327,7 +327,7 @@ This is bashbot, the Telegram bot written entirely in bash.
It features background tasks and interactive chats, and can serve as an interface for CLI programs.</code></pre>
<p>For more Information on how to install, customize and use your new bot, read the <a href="#Documentation">Documentation</a></p>
<h3>Log files</h3>
<p>Bashbot actions are logged in BASHBOT.log, Telegram send/receive errors are logged to ERROR.log. Start bashbot in debug mode to get all messages send to / received from Telegram and error messages of bash commands also.</p>
<p>Bashbot actions are logged to <code>BASHBOT.log</code>, Telegram send/receive errors are logged to <code>ERROR.log</code>. Start bashbot in debug mode to get all messages send to / received from Telegram and error messages of bash commands also.</p>
<p>To enable debug mode start bashbot with debug as third argument: <code>bashbot start debug</code></p>
<pre><code>├── logs
│ ├── BASHBOT.log # log what your bot is doing ...
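Review bot: the reworded log-file paragraph still says "all messages send to / received from Telegram"; since the line is being touched anyway, "sent to / received from" is the correct form, and the same sentence is repeated in the README.md and README.txt copies of this paragraph.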
@ -339,8 +339,8 @@ It features background tasks and interactive chats, and can serve as an interfac
<h2>Security Considerations</h2>
<p>Running a Telegram Bot means it is connected to the public and you never know what's send to your Bot.</p>
<p>Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see <a href="https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells">Implications of wrong quoting</a></p>
<p>Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.</p>
<p>One of the most powerful features of unix shells is variable and command substitution using <code>${}</code> and <code>$()</code>, but as they are expanded in double quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot. So it's more secure to escape or remove '$' in input from user, files or network.</p>
<p>Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition remove unused scripts and examples from your Bot, e.g. everything in <code>example/</code> and disable/remove all not needed bot commands.</p>
<p>It's important to escape or remove <code>$</code> in input from user, files or network (<em>as bashbot does</em>) One of the powerful features of unix shells are variable and command substitution using <code>${}</code> and<code>$()</code>, this can lead to remove code execution (RCE) or information disclosing bugs if unescaped <code>$</code> is included in untrusted input, e.g. <code>$$</code> or <code>$(rm -rf /*)</code></p>
<p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <a href="https://www.shellcheck.net/">use it online</a> or <a href="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensively in bashbot development to ensure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a <a href="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
<h3>Use printf whenever possible</h3>
<p>If you're writing a script and it is taking external input (from the user as arguments or file system...), you shouldn't use echo to display it. <a href="https://unix.stackexchange.com/a/6581">Use printf whenever possible</a></p>
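Review bot: the new RCE paragraph contains a typo that changes its meaning: "remove code execution (RCE)" should read "remote code execution (RCE)". Two smaller points in the same paragraph: "and<code>$()</code>" is missing a space before the code tag, and "(<em>as bashbot does</em>)" runs straight into the next sentence without a period. Suggested wording: "... files or network (<em>as bashbot does</em>). One of the powerful features of unix shells is variable and command substitution using <code>${}</code> and <code>$()</code>; this can lead to remote code execution (RCE) or information disclosure if an unescaped <code>$</code> from untrusted input reaches the shell."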
@ -367,8 +367,8 @@ It features background tasks and interactive chats, and can serve as an interfac
<p>At the beginning bashbot was simply the file<code>bashbot.sh</code> you can copy everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.</p>
<p>Hey no Problem, if you are finished with your cool bot run<code>dev/make-standalone.sh</code> to create a stripped down Version of your bot containing only 'bashbot.sh' and 'commands.sh'! For more information see <a href="doc/7_develop.md">Create a stripped down Version of your Bot</a></p>
<h3>Can I send messages from CLI and scripts?</h3>
<p>Of course, you can send messages from CLI and scripts, simply install bashbot as <a href="#Your-really-first-bashbot-in-a-nutshell">described here</a>, send the message '/start' to set yourself as botadmin and stop the bot with <code>./bashbot.sh stop</code>.</p>
<p>Bashbot provides some ready to use scripts ro send messages from command line in <code>bin/</code> dir, e.g. <code>send_message.sh</code>.</p>
<p>Of course, you can send messages from command line and scripts, simply install bashbot as <a href="#Your-really-first-bashbot-in-a-nutshell">described here</a>, send the message '/start' to set yourself as botadmin and then stop the bot with <code>./bashbot.sh stop</code>.</p>
<p>Bashbot provides some ready to use scripts for sending messages from command line in <code>bin/</code> dir, e.g. <code>send_message.sh</code>.</p>
<div class="sourceCode" id="cb4"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb4-1"><a href="#cb4-1" aria-hidden="true" tabindex="-1"></a><span class="ex">bin/send_message.sh</span> BOTADMIN <span class="st">"This is my first message send from CLI"</span></span>
<span id="cb4-2"><a href="#cb4-2" aria-hidden="true" tabindex="-1"></a></span>
<span id="cb4-3"><a href="#cb4-3" aria-hidden="true" tabindex="-1"></a><span class="ex">bin/send_message.sh</span> <span class="at">--help</span></span></code></pre></div>
@ -390,6 +390,6 @@ It features background tasks and interactive chats, and can serve as an interfac
<p>@Gnadelwartz</p>
<h2>That's it all guys!</h2>
<p>If you feel that there's something missing or if you found a bug, feel free to submit a pull request!</p>
<h4>$$VERSION$$ v1.21-dev-28-g43f5536</h4>
<h4>$$VERSION$$ v1.21-dev-33-gd083390</h4>
</body>
</html>
20
README.md
@ -137,15 +137,21 @@ To enable debug mode start bashbot with debug as third argument: `bashbot start
## Security Considerations
Running a Telegram Bot means it is connected to the public and you never know what's send to your Bot.

Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see [Implications of wrong quoting](https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells)
Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept.
Bash programmers often struggle with 'quoting hell' and globbing,
see [Implications of wrong quoting](https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells)

Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.
Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible,
e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition remove unused scripts and examples
from your Bot, e.g. everything in `example/` and disable/remove all not needed bot commands.

One of the most powerful features of unix shells is variable and command substitution using`${}` and`$()```,
but as they are expanded in double quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot.
So it's more secure to escape or remove '$' in input from user, files or network.
It's important to escape or remove `$` in input from user, files or network (_as bashbot does_)
One of the powerful features of unix shells are variable and command substitution using `${}` and`$()`,
this can lead to remove code execution (RCE) or information disclosing bugs if unescaped `$` is included in untrusted input, e.g. `$$` or `$(rm -rf /*)`

A powerful tool to improve your scripts is`shellcheck`. You can [use it online](https://www.shellcheck.net/) or [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensively in bashbot development to ensure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests.
A powerful tool to improve your scripts is `shellcheck`. You can [use it online](https://www.shellcheck.net/) or
[install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensively in bashbot development
to ensure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests.
In addition bashbot has a [test suite](doc/7_develop.md) to check if important functionality is working as expected.

### Use printf whenever possible
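Review bot: the markdown copy carries the same typo as README.html: "remove code execution (RCE)" should be "remote code execution (RCE)", and the line ending in "(_as bashbot does_)" needs a period before "One of the powerful features...". Also "using `${}` and`$()`" lacks a space before the second backtick, so the two code spans run together when rendered. The old line's stray triple backtick after `$()` is gone with this change, which is good.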
@ -233,4 +239,4 @@ See `mycommnds.sh.dist` for an example.

If you feel that there's something missing or if you found a bug, feel free to submit a pull request!

#### $$VERSION$$ v1.21-dev-29-g13d15f4
#### $$VERSION$$ v1.21-dev-33-gd083390
70
README.txt
@ -143,8 +143,8 @@ the [Documentation](#Documentation)

### Log files

Bashbot actions are logged in BASHBOT.log, Telegram send/receive errors are
logged to ERROR.log.
Bashbot actions are logged to `BASHBOT.log`, Telegram send/receive errors are
logged to `ERROR.log`.
Start bashbot in debug mode to get all messages send to / received from
Telegram and error messages of bash commands also.

@ -168,29 +168,33 @@ Running a Telegram Bot means it is connected to the public and you never know
what's send to your Bot.

Bash scripts in general are not designed to be bullet proof, so consider this
Bot as a proof of concept. Bash programmers often struggle with 'quoting hell'
and globbing, see [Implications of wrong
Bot as a proof of concept.
Bash programmers often struggle with 'quoting hell' and globbing,
see [Implications of wrong
quoting](https://unix.stackexchange.com/questions/171346/security-implications-o
f-forgetting-to-quote-a-variable-in-bash-posix-shells)

Whenever you are processing input from untrusted sources (messages, files,
network) you must be as careful as possible, e.g. set IFS appropriate, disable
globbing (set -f) and quote everything. In addition delete unused scripts and
examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable
all not used commands.
network) you must be as careful as possible,
e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In
addition remove unused scripts and examples
from your Bot, e.g. everything in `example/` and disable/remove all not needed
bot commands.

One of the most powerful features of unix shells is variable and command
substitution using ```${}``` and ```$()```,
but as they are expanded in double quotes, this can lead to RCE and information
disclosing bugs in complex scripts like bashbot.
So it's more secure to escape or remove '$' in input from user, files or
network.
It's important to escape or remove `$` in input from user, files or network
(_as bashbot does_)
One of the powerful features of unix shells are variable and command
substitution using `${}` and`$()`,
this can lead to remove code execution (RCE) or information disclosing bugs if
unescaped `$` is included in untrusted input, e.g. `$$` or `$(rm -rf /*)`

A powerful tool to improve your scripts is ```shellcheck```. You can [use it
online](https://www.shellcheck.net/) or [install shellcheck
A powerful tool to improve your scripts is `shellcheck`. You can [use it
online](https://www.shellcheck.net/) or
[install shellcheck
locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used
extensively in bashbot development to ensure a high code quality, e.g. it's not
allowed to push changes without passing all shellcheck tests.
extensively in bashbot development
to ensure a high code quality, e.g. it's not allowed to push changes without
passing all shellcheck tests.
In addition bashbot has a [test suite](doc/7_develop.md) to check if important
functionality is working as expected.

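Review bot: the plain-text copy repeats the wording problems of the other two files: "remove code execution (RCE)" should be "remote code execution (RCE)", "(_as bashbot does_)" needs a terminating period, and "and`$()`" is missing a space before the backtick. Since README.txt is generated from the same source, fixing README.md once should be enough, but please regenerate it in the same commit.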
@ -218,13 +222,13 @@ can read your Bots token is able to act as your Bot and has access to all chats
the Bot is in!

Everyone with read access to your Bot files can extract your Bots data.
Especially your Bot config in ```config.jssh``` must be protected against other
Especially your Bot config in`config.jssh` must be protected against other
users. No one except you should have write access to the Bot files. The Bot
should be restricted to have write access to ```count.jssh``` and
```data-bot-bash``` only, all other files must be write protected.
should be restricted to have write access to`count.jssh` and `data-bot-bash`
only, all other files must be write protected.

To set access rights for your bashbot installation to a reasonable default run
```sudo ./bashbot.sh init``` after every update or change to your installation
To set access rights for your bashbot installation to a reasonable default
run`sudo ./bashbot.sh init` after every update or change to your installation
directory.

## FAQ
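Review bot: switching from triple to single backticks dropped the space before each inline code span in this hunk: "in`config.jssh`", "access to`count.jssh`" and "run`sudo ./bashbot.sh init`". In a plain-text README this reads as a typo rather than markup. Suggested: "Especially your Bot config in `config.jssh` must be protected" and "run `sudo ./bashbot.sh init` after every update".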
@ -249,24 +253,24 @@ health status
|
|||
- no database, not event driven, not object oriented ...
|
||||
|
||||
### Can I have the single bashbot.sh file back?
|
||||
At the beginning bashbot was simply the file ```bashbot.sh``` you can copy
|
||||
At the beginning bashbot was simply the file`bashbot.sh` you can copy
|
||||
everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh',
|
||||
'modules/*.sh' and much more.
|
||||
|
||||
Hey no Problem, if you are finished with your cool bot run
|
||||
```dev/make-standalone.sh``` to create a stripped down Version of your bot
|
||||
Hey no Problem, if you are finished with your cool bot
|
||||
run`dev/make-standalone.sh` to create a stripped down Version of your bot
|
||||
containing only
|
||||
'bashbot.sh' and 'commands.sh'! For more information see [Create a stripped
|
||||
down Version of your Bot](doc/7_develop.md)
|
||||
|
||||
### Can I send messages from CLI and scripts?
|
||||
Of course, you can send messages from CLI and scripts, simply install bashbot
|
||||
as [described here](#Your-really-first-bashbot-in-a-nutshell),
|
||||
send the message '/start' to set yourself as botadmin and stop the bot with
|
||||
```./bashbot.sh stop```.
|
||||
Of course, you can send messages from command line and scripts, simply install
|
||||
bashbot as [described here](#Your-really-first-bashbot-in-a-nutshell),
|
||||
send the message '/start' to set yourself as botadmin and then stop the bot
|
||||
with `./bashbot.sh stop`.
|
||||
|
||||
Bashbot provides some ready to use scripts ro send messages from command line
|
||||
in `bin/` dir, e.g. `send_message.sh`.
|
||||
Bashbot provides some ready to use scripts for sending messages from command
|
||||
line in `bin/` dir, e.g. `send_message.sh`.
|
||||
|
||||
```bash
|
||||
bin/send_message.sh BOTADMIN "This is my first message send from CLI"
|
||||
|
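Review bot: same missing-space issue as in the file-permissions section: "file`bashbot.sh`" and "run`dev/make-standalone.sh`" should be "file `bashbot.sh`" and "run `dev/make-standalone.sh`". While this paragraph is being edited, the example line "This is my first message send from CLI" should also read "sent".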
@ -315,4 +319,4 @@ See `mycommnds.sh.dist` for an example.
If you feel that there's something missing or if you found a bug, feel free to
submit a pull request!

#### $$VERSION$$ v1.21-dev-28-g43f5536
#### $$VERSION$$ v1.21-dev-33-gd083390
@ -5,7 +5,7 @@
# This file is public domain in the USA and all free countries.
# Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying)
#
#### $$VERSION$$ v1.20-0-g2ab00a2
#### $$VERSION$$ v1.21-dev-33-gd083390
#
# source from commands.sh to use jsonDB functions
#
@ -331,8 +331,9 @@ function jssh_updateArray_async() {
# read JSON.sh style data and asssign to an ARRAY
# $1 ARRAY name, must be declared with "declare -A ARRAY" before calling
Json2Array() {
# match ["....."]\t and replace \t with = and print quote true false escape not escaped $
# shellcheck disable=SC1091,SC1090
[ -z "$1" ] || source <( printf "$1"'=( %s )' "$(sed -E -n -e '/\["[-0-9a-zA-Z_,."]+"\]\+*\t/ s/\t/=/gp' -e 's/=(true|false)/="\1"/')" )
[ -z "$1" ] || source <( printf "$1"'=( %s )' "$(sed -E -n -e '/\["[-0-9a-zA-Z_,."]+"\]\+*\t/ s/\t/=/p' -e 's/=(true|false)/="\1"/' -e 's/([^\]|^)\$/\1\\$/g')" )
}
# get Config Key from jssh file without jsshDB
# output ARRAY as JSON.sh style data
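Review bot: the new escape expression never reaches the sourced output. With `-n`, the only thing that prints is the `p` flag on the first substitution, `s/\t/=/p`, and that prints the pattern space immediately, before `-e 's/=(true|false)/="\1"/'` and the added `-e 's/([^\]|^)\$/\1\\$/g'` run; their results are then discarded at end of cycle (the true/false quoting has been dead in the same way in the old line). To make the escaping effective, group the three substitutions under the address and print once at the end, e.g. `sed -E -n -e '/\["[-0-9a-zA-Z_,."]+"\]\+*\t/ { s/\t/=/; s/=(true|false)/="\1"/; s/([^\]|^)\$/\1\\$/g; p }'`. Three further points: the `g` flag on `s/\t/=/` was dropped, which changes how a line with more than one tab is parsed and should be stated if intentional; the assignment is still sourced as double-quoted shell, so backticks in a value are expanded even when every `$` is escaped and deserve the same treatment; and since this is a behaviour change in Json2Array, not documentation, it does not belong under a commit message that starts with "doc:" and should come with a test-suite case that stores a value containing `$(` and a backtick and asserts it is read back literally.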