From 0841633dd986cdf9f112ed6a5329f04a576c1ddb Mon Sep 17 00:00:00 2001 From: Kay Marquardt Date: Tue, 19 May 2020 18:27:21 +0200 Subject: [PATCH 1/3] ups, forgot to remove dev exit --- bashbot.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/bashbot.sh b/bashbot.sh index f7b5d04..3c470e0 100755 --- a/bashbot.sh +++ b/bashbot.sh @@ -168,7 +168,6 @@ if [[ ! "${BOTTOKEN}" =~ ^[0-9]{8,10}:[a-zA-Z0-9_-]{35}$ ]]; then echo -e "${ORANGE}Posilbe problem in the charatcers part, len is $(($(wc -c <<<"${BOTTOKEN#*:}")-1))${NC}" fi -exit ################## # here we start with the real stuff From 53bab25459c87743d34ede865fff06928d460f01 Mon Sep 17 00:00:00 2001 From: "Kay Marquardt (Gnadelwartz)" Date: Fri, 22 May 2020 08:33:29 +0200 Subject: [PATCH 2/3] fix shell expansion --- bashbot.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bashbot.sh b/bashbot.sh index 3c470e0..670b1bc 100755 --- a/bashbot.sh +++ b/bashbot.sh @@ -11,7 +11,7 @@ # This file is public domain in the USA and all free countries. # Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying) # -#### $$VERSION$$ V0.94-7-g3d92bf3 +#### $$VERSION$$ V0.94-8-g3d92bf3 # # Exit Codes: # - 0 sucess (hopefully) @@ -688,6 +688,7 @@ start_bot() { fi while true; do UPDATE="$(getJson "$UPD_URL$OFFSET" | "${JSONSHFILE}" -s -b -n | iconv -f utf-8 -t utf-8 -c)" + UPDATE="${UPDATE//$/\\$}" # Offset OFFSET="$(grep <<< "${UPDATE}" '\["result",[0-9]*,"update_id"\]' | tail -1 | cut -f 2)" From feddcabf9c905177b527435b4be9267c5afd22fe Mon Sep 17 00:00:00 2001 From: "Kay Marquardt (Gnadelwartz)" Date: Fri, 22 May 2020 21:42:10 +0200 Subject: [PATCH 3/3] update doc because of RCE bug --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 682ab9e..f47847b 100644 --- a/README.md +++ b/README.md @@ -109,6 +109,9 @@ Bash scripts in general are not designed to be bullet proof, so consider this Bo Whenever you are processing input from from untrusted sources (messages, files, network) you must be as carefull as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everthing. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands. +**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, pls update if you use an older version! +One of the most powerful features of unix shells like bash is variable and command substitution, this can lead to RCE and information disclosing bugs if you do not escape '$' porperly, see [Issue #125](https://github.com/topkecleon/telegram-bot-bash/issues/125) + A powerful tool to improve your scripts is ```shellcheck```. You can [use it online](https://www.shellcheck.net/) or [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a [test suite](doc/7_develop.md) to check if important functionality is working as expected. @@ -140,6 +143,8 @@ To set access rights for your bashbot installation to a reasonable default run ` ### Is this Bot insecure? Bashbot is not more (in)secure as any other Bot written in any other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ... +**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, pls update if you use an older version! + ### Why Bash and not the much better xyz? Well, thats a damn good question ... may be because I'm an Unix/Linux admin from stone age. Nevertheless there are more reasons from my side: