octoleo
/
telegram-bot-bash
mirror of https://github.com/octoleo/telegram-bot-bash.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity

explanation for BOTSEND_RETRY explanation and why printf

This commit is contained in:
Kay Marquardt (Gnadelwartz) 2020-06-09 11:57:25 +02:00
parent b23aaddf17
commit f96625ef9d
8 changed files with 97 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
README.html
View File

@ -181,6 +181,20 @@ It features background tasks and interactive chats, and can serve as an interfac
<p>Whenever you are processing input from from untrusted sources (messages, files, network) you must be as carefull as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everthing. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.</p>
<p><strong>Note:</strong> Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, pls update if you use an older version! One of the most powerful features of unix shells like bash is variable and command substitution, this can lead to RCE and information disclosing bugs if you do not escape '$' porperly, see <a href="https://github.com/topkecleon/telegram-bot-bash/issues/125">Issue #125</a></p>
<p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <a href="https://www.shellcheck.net/">use it online</a> or <a href="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a <a href="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
<h3>use printf whenever possible</h3>
<p>If you're writing a script and it is taking external input (from the user as arguments, or file names from the file system...), you shouldn't use echo to display it. <a href="https://unix.stackexchange.com/a/6581">Use printf whenever possible</a></p>
<div class="sourceCode" id="cb3"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb3-1" title="1"> <span class="co"># very simple</span></a>
<a class="sourceLine" id="cb3-2" title="2"> <span class="bu">echo</span> <span class="st">&quot;text with variables. PWD=</span><span class="va">$PWD</span><span class="st">&quot;</span></a>
<a class="sourceLine" id="cb3-3" title="3"> <span class="bu">printf</span> <span class="st">&#39;%s\n&#39;</span> <span class="st">&quot;text with variables. PWD=</span><span class="va">$PWD</span><span class="st">&quot;</span></a>
<a class="sourceLine" id="cb3-4" title="4"> <span class="ex">-</span><span class="op">&gt;</span> text with variables. PWD=/home/xxx</a>
<a class="sourceLine" id="cb3-5" title="5"></a>
<a class="sourceLine" id="cb3-6" title="6"> <span class="co"># more advanced</span></a>
<a class="sourceLine" id="cb3-7" title="7"> <span class="va">FLOAT=</span><span class="st">&quot;1.2346777892864&quot;</span> <span class="va">INTEGER=</span><span class="st">&quot;12345.123&quot;</span></a>
<a class="sourceLine" id="cb3-8" title="8"> <span class="bu">echo</span> <span class="st">&quot;text with variabeles. float=</span><span class="va">$FLOAT</span><span class="st">, integer=</span><span class="va">$INTEGER</span><span class="st">, PWD=</span><span class="va">$PWD</span><span class="st">&quot;</span></a>
<a class="sourceLine" id="cb3-9" title="9"> <span class="ex">-</span><span class="op">&gt;</span>text with variables. float=1.2346777892864, integer=12345.123, PWD=/home/xxx</a>
<a class="sourceLine" id="cb3-10" title="10"></a>
<a class="sourceLine" id="cb3-11" title="11"> <span class="bu">printf</span> <span class="st">&quot;text with variables. float=%.2f, integer=%d, PWD=%s\n&quot;</span> <span class="st">&quot;&quot;</span> <span class="st">&quot;</span><span class="va">$INTEGER</span><span class="st">&quot;</span> <span class="st">&quot;</span><span class="va">$PWD</span><span class="st">&quot;</span></a>
<a class="sourceLine" id="cb3-12" title="12"> <span class="ex">-</span><span class="op">&gt;</span>text with variables. float=1.23, integer=12345, PWD=/home/xxx</a></code></pre></div>
<h3>Do not use #!/usr/bin/env bash</h3>
<p><strong>We stay with /bin/bash shebang, because it's more save from security perspective.</strong></p>
<p>Using a fixed path to the system provided bash makes it harder for attackers or users to place alternative versions of bash and avoids using a possibly broken, mangled or compromised bash executable.</p>
@ -210,27 +224,27 @@ It features background tasks and interactive chats, and can serve as an interfac
<h3>Can I send messages from CLI and scripts?</h3>
<p>Of course, you can send messages from CLI and scripts, simply install bashbot as <a href="#Your-really-first-bashbot-in-a-nutshell">described here</a>, send the messsage '/start' to set yourself as botadmin and stop the bot with <code>./bashbot.sh kill</code>.</p>
<p>Run the following commands in your bash shell or script while you are in the installation directory:</p>
<div class="sourceCode" id="cb3"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb3-1" title="1"><span class="co"># prepare bash / script to send commands</span></a>
<a class="sourceLine" id="cb3-2" title="2"><span class="bu">export</span> <span class="va">BASHBOT_HOME=</span><span class="st">&quot;</span><span class="va">$(</span><span class="bu">pwd</span><span class="va">)</span><span class="st">&quot;</span></a>
<a class="sourceLine" id="cb3-3" title="3"><span class="bu">source</span> ./bashbot.sh source</a>
<a class="sourceLine" id="cb3-4" title="4"></a>
<a class="sourceLine" id="cb3-5" title="5"><span class="co"># send me a test message</span></a>
<a class="sourceLine" id="cb3-6" title="6"><span class="ex">send_message</span> <span class="st">&quot;</span><span class="va">$(</span><span class="fu">cat</span> <span class="st">&quot;</span><span class="va">$BOTADMIN</span><span class="st">&quot;</span><span class="va">)</span><span class="st">&quot;</span> <span class="st">&quot;test&quot;</span></a>
<a class="sourceLine" id="cb3-7" title="7"></a>
<a class="sourceLine" id="cb3-8" title="8"><span class="co"># send me output of a system command</span></a>
<a class="sourceLine" id="cb3-9" title="9"><span class="ex">send_message</span> <span class="st">&quot;</span><span class="op">$(&lt;</span><span class="st">&quot;</span><span class="va">$BOTADMIN</span><span class="st">&quot;</span><span class="op">)</span><span class="st">&quot;</span> <span class="st">&quot;</span><span class="va">$(</span><span class="fu">df</span> -h<span class="va">)</span><span class="st">&quot;</span></a></code></pre></div>
<div class="sourceCode" id="cb4"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb4-1" title="1"><span class="co"># prepare bash / script to send commands</span></a>
<a class="sourceLine" id="cb4-2" title="2"><span class="bu">export</span> <span class="va">BASHBOT_HOME=</span><span class="st">&quot;</span><span class="va">$(</span><span class="bu">pwd</span><span class="va">)</span><span class="st">&quot;</span></a>
<a class="sourceLine" id="cb4-3" title="3"><span class="bu">source</span> ./bashbot.sh source</a>
<a class="sourceLine" id="cb4-4" title="4"></a>
<a class="sourceLine" id="cb4-5" title="5"><span class="co"># send me a test message</span></a>
<a class="sourceLine" id="cb4-6" title="6"><span class="ex">send_message</span> <span class="st">&quot;</span><span class="va">$(</span><span class="fu">cat</span> <span class="st">&quot;</span><span class="va">$BOTADMIN</span><span class="st">&quot;</span><span class="va">)</span><span class="st">&quot;</span> <span class="st">&quot;test&quot;</span></a>
<a class="sourceLine" id="cb4-7" title="7"></a>
<a class="sourceLine" id="cb4-8" title="8"><span class="co"># send me output of a system command</span></a>
<a class="sourceLine" id="cb4-9" title="9"><span class="ex">send_message</span> <span class="st">&quot;</span><span class="op">$(&lt;</span><span class="st">&quot;</span><span class="va">$BOTADMIN</span><span class="st">&quot;</span><span class="op">)</span><span class="st">&quot;</span> <span class="st">&quot;</span><span class="va">$(</span><span class="fu">df</span> -h<span class="va">)</span><span class="st">&quot;</span></a></code></pre></div>
<p>For more information see <a href="doc/8_custom.md">Expert Use</a></p>
<h3>Why do I get "EXPECTED value GOT EOF" on start?</h3>
<p>May be your IP is blocked by telegram. You can test this by running curl or wget manually:</p>
<div class="sourceCode" id="cb4"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb4-1" title="1"><span class="ex">curl</span> -m 10 https://api.telegram.org/bot</a>
<a class="sourceLine" id="cb4-2" title="2"><span class="co">#curl: (28) Connection timed out after 10001 milliseconds</span></a>
<a class="sourceLine" id="cb4-3" title="3"></a>
<a class="sourceLine" id="cb4-4" title="4"><span class="fu">wget</span> -t 1 -T 10 https://api.telegram.org/bot</a>
<a class="sourceLine" id="cb4-5" title="5"><span class="co">#Connecting to api.telegram.org (api.telegram.org)|46.38.243.234|:443... failed: Connection timed out.</span></a></code></pre></div>
<div class="sourceCode" id="cb5"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb5-1" title="1"><span class="ex">curl</span> -m 10 https://api.telegram.org/bot</a>
<a class="sourceLine" id="cb5-2" title="2"><span class="co">#curl: (28) Connection timed out after 10001 milliseconds</span></a>
<a class="sourceLine" id="cb5-3" title="3"></a>
<a class="sourceLine" id="cb5-4" title="4"><span class="fu">wget</span> -t 1 -T 10 https://api.telegram.org/bot</a>
<a class="sourceLine" id="cb5-5" title="5"><span class="co">#Connecting to api.telegram.org (api.telegram.org)|46.38.243.234|:443... failed: Connection timed out.</span></a></code></pre></div>
<p>This may happen if to many wrong requests are sent to api.telegram.org, e.g. using a wrong token or not existing API calls. If you have a fixed IP you can ask telegram service to unblock your ip or change your IP. If you are running a socks or tor proxy on your server look for the <code>BASHBOT_CURL_ARGS</code> lines in 'mycommands.sh' as example.</p>
<p>@Gnadelwartz</p>
<h2>That's it!</h2>
<p>If you feel that there's something missing or if you found a bug, feel free to submit a pull request!</p>
<h4>$$VERSION$$ v0.96-dev3-0-gdddd1ce</h4>
<h4>$$VERSION$$ v0.96-pre-9-gb23aadd</h4>
</body>
</html>

22
README.md
View File

@ -116,6 +116,26 @@ One of the most powerful features of unix shells like bash is variable and comma
A powerful tool to improve your scripts is ```shellcheck```. You can [use it online](https://www.shellcheck.net/) or [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests.
In addition bashbot has a [test suite](doc/7_develop.md) to check if important functionality is working as expected.
### use printf whenever possible
If you're writing a script and it is taking external input (from the user as arguments, or file names from the file system...),
you shouldn't use echo to display it. [Use printf whenever possible](https://unix.stackexchange.com/a/6581)
```bash
# very simple
echo "text with variables. PWD=$PWD"
printf '%s\n' "text with variables. PWD=$PWD"
-> text with variables. PWD=/home/xxx
# more advanced
FLOAT="1.2346777892864" INTEGER="12345.123"
echo "text with variabeles. float=$FLOAT, integer=$INTEGER, PWD=$PWD"
->text with variables. float=1.2346777892864, integer=12345.123, PWD=/home/xxx
printf "text with variables. float=%.2f, integer=%d, PWD=%s\n" "" "$INTEGER" "$PWD"
->text with variables. float=1.23, integer=12345, PWD=/home/xxx
```
### Do not use #!/usr/bin/env bash
**We stay with /bin/bash shebang, because it's more save from security perspective.**
@ -198,4 +218,4 @@ This may happen if to many wrong requests are sent to api.telegram.org, e.g. usi
If you feel that there's something missing or if you found a bug, feel free to submit a pull request!
#### $$VERSION$$ v0.96-dev3-0-gdddd1ce
#### $$VERSION$$ v0.96-pre-9-gb23aadd

25
README.txt
View File

@ -163,6 +163,29 @@ allowed to push changes without passing all shellcheck tests.
In addition bashbot has a [test suite](doc/7_develop.md) to check if important
functionality is working as expected.
### use printf whenever possible
If you're writing a script and it is taking external input (from the user as
arguments, or file names from the file system...),
you shouldn't use echo to display it. [Use printf whenever
possible](https://unix.stackexchange.com/a/6581)
```bash
# very simple
echo "text with variables. PWD=$PWD"
printf '%s\n' "text with variables. PWD=$PWD"
-> text with variables. PWD=/home/xxx
# more advanced
FLOAT="1.2346777892864" INTEGER="12345.123"
echo "text with variabeles. float=$FLOAT, integer=$INTEGER, PWD=$PWD"
->text with variables. float=1.2346777892864, integer=12345.123, PWD=/home/xxx
printf "text with variables. float=%.2f, integer=%d, PWD=%s\n" "" "$INTEGER"
"$PWD"
->text with variables. float=1.23, integer=12345, PWD=/home/xxx
```
### Do not use #!/usr/bin/env bash
**We stay with /bin/bash shebang, because it's more save from security
@ -281,4 +304,4 @@ in 'mycommands.sh' as example.
If you feel that there's something missing or if you found a bug, feel free to
submit a pull request!
#### $$VERSION$$ v0.96-dev3-0-gdddd1ce
#### $$VERSION$$ v0.96-pre-9-gb23aadd

6
bashbot.sh
View File

@ -11,7 +11,7 @@
# This file is public domain in the USA and all free countries.
# Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying)
#
#### $$VERSION$$ v0.96-pre-0-geb49241
#### $$VERSION$$ v0.96-pre-9-gb23aadd
#
# Exit Codes:
# - 0 sucess (hopefully)
@ -371,7 +371,7 @@ fi
# $1 function $2 sleep $3 ... $n arguments
sendJsonRetry(){
local retry="${1}"; shift
[[ "${1}" =~ ^[0-9.]+$ ]] && sleep "${1}"; shift
[[ "${1}" =~ ^\ *[0-9.]+\ *$ ]] && sleep "${1}"; shift
case "${retry}" in
'sendJson'*)
sendJson "$@"
@ -435,7 +435,7 @@ sendJsonResult(){
fi
return
fi
# we are not blocked, default curl and args are working
# are not blocked, default curl and args are working
if [ -n "${BASHBOT_CURL_ARGS}" ] || [ -n "${BASHBOT_CURL}" ]; then
BOTSEND_RETRY="2"
printf "Possible Problem with \"%s %s\", retry %s with default curl config ...\n"\

10
doc/7_develop.md
View File

@ -216,18 +216,22 @@ Availible commands in bash, coreutils, busybox and toybox. Do you find curl on t
uuencode, wc, wget, which, who, whoami, xargs, yes
```
commands marked with \* are bash builtins, all others are external programms. Calling an external programm is more expensive then using bulitins
or using an internal replacement. Here are some examples of internal replacement for external commands:
or using an internal replacement. Here are some tipps for using builtins.:
```bash
HOST="$(hostname)" -> HOST="$HOSTNAME"
DIR="$(pwd)" -> DIR="$PWD""
seq 1 100 -> {0..100}
data="$(cat file)" -> data="$(<"file")"
DIR="$(dirname $0) -> DIR=""${0%/*}/""
DIR="$(dirname $0) -> DIR="${0%/*}"
IAM="($basename $0)" -> IAM="${0##*/}*
ADDME="$ADDME something to add" -> ADDME+=" something to add""
VAR="$(( 1 + 2 ))" -> (( var=1+2 ))
INDEX="$(( ${INDEX} + 1 ))" -> (( INDEX++ ))
@ -328,5 +332,5 @@ fi
#### [Prev Function Reference](6_reference.md)
#### $$VERSION$$ v0.96-dev-7-g0153928
#### $$VERSION$$ v0.96-pre-9-gb23aadd

2
modules/jsonDB.sh
View File

@ -5,7 +5,7 @@
# This file is public domain in the USA and all free countries.
# Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying)
#
#### $$VERSION$$ v0.96-pre-0-geb49241
#### $$VERSION$$ v0.96-pre-2-g30b5b1a
#
# source from commands.sh to use jsonDB functions
#

7
mycommands.sh
View File

@ -8,7 +8,7 @@
# #### if you start to develop your own bot, use the clean version of this file:
# #### mycommands.clean
#
#### $$VERSION$$ v0.96-dev-7-g0153928
#### $$VERSION$$ v0.96-pre-9-gb23aadd
#
# uncomment the following lines to overwrite info and help messages
@ -29,6 +29,11 @@ export FILE_REGEX="${BASHBOT_ETC}/.*"
# example: run bashbot over TOR
# export BASHBOT_CURL_ARGS="--socks5-hostname 127.0.0.1:9050"
# unset BASHBOT_RETRY to enable retry in case of recoverable errors, e.g. throtteling
# see logs/ERROR.log for information why send_messages etc. fail
# unset BOTSEND_RETRY
export BOTSEND_RETRY="no"
# set to "yes" and give your bot admin privilegs to remove service messaes from groups
export SILENCER="no"

7
mycommands.sh.clean
View File

@ -4,7 +4,7 @@
# files: mycommands.sh.clean
# copy to mycommands.sh and add all your commands and functions here ...
#
#### $$VERSION$$ v0.96-dev-7-g0153928
#### $$VERSION$$ v0.96-pre-9-gb23aadd
#
##########
@ -27,6 +27,11 @@ export INLINE="0"
# do NOT set to .* as this allow sending files from all locations!
export FILE_REGEX="${BASHBOT_ETC}/.*"
# unset BASHBOT_RETRY to enable retry in case of recoverable errors, e.g. throtteling
# see logs/ERROR.log for information why send_messages etc. fail
# unset BOTSEND_RETRY
export BOTSEND_RETRY="no"
# set to "yes" and give your bot admin privilegs to remove service messaes from groups
export SILENCER="no"