diff --git a/README.html b/README.html index da7e872..5b81f09 100644 --- a/README.html +++ b/README.html @@ -181,6 +181,20 @@ It features background tasks and interactive chats, and can serve as an interfac

Whenever you are processing input from from untrusted sources (messages, files, network) you must be as carefull as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everthing. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.

Note: Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, pls update if you use an older version! One of the most powerful features of unix shells like bash is variable and command substitution, this can lead to RCE and information disclosing bugs if you do not escape '$' porperly, see Issue #125

A powerful tool to improve your scripts is shellcheck. You can use it online or install shellcheck locally. Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a test suite to check if important functionality is working as expected.

+

use printf whenever possible

+

If you're writing a script and it is taking external input (from the user as arguments, or file names from the file system...), you shouldn't use echo to display it. Use printf whenever possible

+
  # very simple
+  echo "text with variables. PWD=$PWD"
+  printf '%s\n' "text with variables. PWD=$PWD"
+  -> text with variables. PWD=/home/xxx
+
+  # more advanced
+  FLOAT="1.2346777892864" INTEGER="12345.123"
+  echo "text with variabeles. float=$FLOAT, integer=$INTEGER, PWD=$PWD"
+  ->text with variables. float=1.2346777892864, integer=12345.123, PWD=/home/xxx
+
+  printf "text with variables. float=%.2f, integer=%d, PWD=%s\n" "" "$INTEGER" "$PWD"
+  ->text with variables. float=1.23, integer=12345, PWD=/home/xxx

Do not use #!/usr/bin/env bash

We stay with /bin/bash shebang, because it's more save from security perspective.

Using a fixed path to the system provided bash makes it harder for attackers or users to place alternative versions of bash and avoids using a possibly broken, mangled or compromised bash executable.

@@ -210,27 +224,27 @@ It features background tasks and interactive chats, and can serve as an interfac

Can I send messages from CLI and scripts?

Of course, you can send messages from CLI and scripts, simply install bashbot as described here, send the messsage '/start' to set yourself as botadmin and stop the bot with ./bashbot.sh kill.

Run the following commands in your bash shell or script while you are in the installation directory:

-
# prepare bash / script to send commands
-export BASHBOT_HOME="$(pwd)"
-source ./bashbot.sh source
-
-# send me a test message
-send_message "$(cat "$BOTADMIN")" "test"
-
-# send me output of a system command
-send_message "$(<"$BOTADMIN")" "$(df -h)"
+
# prepare bash / script to send commands
+export BASHBOT_HOME="$(pwd)"
+source ./bashbot.sh source
+
+# send me a test message
+send_message "$(cat "$BOTADMIN")" "test"
+
+# send me output of a system command
+send_message "$(<"$BOTADMIN")" "$(df -h)"

For more information see Expert Use

Why do I get "EXPECTED value GOT EOF" on start?

May be your IP is blocked by telegram. You can test this by running curl or wget manually:

-
curl -m 10  https://api.telegram.org/bot
-#curl: (28) Connection timed out after 10001 milliseconds
-
-wget -t 1 -T 10 https://api.telegram.org/bot
-#Connecting to api.telegram.org (api.telegram.org)|46.38.243.234|:443... failed: Connection timed out.
+
curl -m 10  https://api.telegram.org/bot
+#curl: (28) Connection timed out after 10001 milliseconds
+
+wget -t 1 -T 10 https://api.telegram.org/bot
+#Connecting to api.telegram.org (api.telegram.org)|46.38.243.234|:443... failed: Connection timed out.

This may happen if to many wrong requests are sent to api.telegram.org, e.g. using a wrong token or not existing API calls. If you have a fixed IP you can ask telegram service to unblock your ip or change your IP. If you are running a socks or tor proxy on your server look for the BASHBOT_CURL_ARGS lines in 'mycommands.sh' as example.

@Gnadelwartz

That's it!

If you feel that there's something missing or if you found a bug, feel free to submit a pull request!

-

$$VERSION$$ v0.96-dev3-0-gdddd1ce

+

$$VERSION$$ v0.96-pre-9-gb23aadd

diff --git a/README.md b/README.md index 51c0bfe..56a382a 100644 --- a/README.md +++ b/README.md @@ -116,6 +116,26 @@ One of the most powerful features of unix shells like bash is variable and comma A powerful tool to improve your scripts is ```shellcheck```. You can [use it online](https://www.shellcheck.net/) or [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a [test suite](doc/7_develop.md) to check if important functionality is working as expected. +### use printf whenever possible + +If you're writing a script and it is taking external input (from the user as arguments, or file names from the file system...), +you shouldn't use echo to display it. [Use printf whenever possible](https://unix.stackexchange.com/a/6581) + +```bash + # very simple + echo "text with variables. PWD=$PWD" + printf '%s\n' "text with variables. PWD=$PWD" + -> text with variables. PWD=/home/xxx + + # more advanced + FLOAT="1.2346777892864" INTEGER="12345.123" + echo "text with variabeles. float=$FLOAT, integer=$INTEGER, PWD=$PWD" + ->text with variables. float=1.2346777892864, integer=12345.123, PWD=/home/xxx + + printf "text with variables. float=%.2f, integer=%d, PWD=%s\n" "" "$INTEGER" "$PWD" + ->text with variables. float=1.23, integer=12345, PWD=/home/xxx +``` + ### Do not use #!/usr/bin/env bash **We stay with /bin/bash shebang, because it's more save from security perspective.** @@ -198,4 +218,4 @@ This may happen if to many wrong requests are sent to api.telegram.org, e.g. usi If you feel that there's something missing or if you found a bug, feel free to submit a pull request! -#### $$VERSION$$ v0.96-dev3-0-gdddd1ce +#### $$VERSION$$ v0.96-pre-9-gb23aadd diff --git a/README.txt b/README.txt index 288cbd7..0b50d73 100644 --- a/README.txt +++ b/README.txt @@ -163,6 +163,29 @@ allowed to push changes without passing all shellcheck tests. In addition bashbot has a [test suite](doc/7_develop.md) to check if important functionality is working as expected. +### use printf whenever possible + +If you're writing a script and it is taking external input (from the user as +arguments, or file names from the file system...), +you shouldn't use echo to display it. [Use printf whenever +possible](https://unix.stackexchange.com/a/6581) + +```bash + # very simple + echo "text with variables. PWD=$PWD" + printf '%s\n' "text with variables. PWD=$PWD" + -> text with variables. PWD=/home/xxx + + # more advanced + FLOAT="1.2346777892864" INTEGER="12345.123" + echo "text with variabeles. float=$FLOAT, integer=$INTEGER, PWD=$PWD" + ->text with variables. float=1.2346777892864, integer=12345.123, PWD=/home/xxx + + printf "text with variables. float=%.2f, integer=%d, PWD=%s\n" "" "$INTEGER" +"$PWD" + ->text with variables. float=1.23, integer=12345, PWD=/home/xxx +``` + ### Do not use #!/usr/bin/env bash **We stay with /bin/bash shebang, because it's more save from security @@ -281,4 +304,4 @@ in 'mycommands.sh' as example. If you feel that there's something missing or if you found a bug, feel free to submit a pull request! -#### $$VERSION$$ v0.96-dev3-0-gdddd1ce +#### $$VERSION$$ v0.96-pre-9-gb23aadd diff --git a/bashbot.sh b/bashbot.sh index ed7c527..e81cfed 100755 --- a/bashbot.sh +++ b/bashbot.sh @@ -11,7 +11,7 @@ # This file is public domain in the USA and all free countries. # Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying) # -#### $$VERSION$$ v0.96-pre-0-geb49241 +#### $$VERSION$$ v0.96-pre-9-gb23aadd # # Exit Codes: # - 0 sucess (hopefully) @@ -371,7 +371,7 @@ fi # $1 function $2 sleep $3 ... $n arguments sendJsonRetry(){ local retry="${1}"; shift - [[ "${1}" =~ ^[0-9.]+$ ]] && sleep "${1}"; shift + [[ "${1}" =~ ^\ *[0-9.]+\ *$ ]] && sleep "${1}"; shift case "${retry}" in 'sendJson'*) sendJson "$@" @@ -435,7 +435,7 @@ sendJsonResult(){ fi return fi - # we are not blocked, default curl and args are working + # are not blocked, default curl and args are working if [ -n "${BASHBOT_CURL_ARGS}" ] || [ -n "${BASHBOT_CURL}" ]; then BOTSEND_RETRY="2" printf "Possible Problem with \"%s %s\", retry %s with default curl config ...\n"\ diff --git a/doc/7_develop.md b/doc/7_develop.md index 1be455b..f8e5751 100644 --- a/doc/7_develop.md +++ b/doc/7_develop.md @@ -216,18 +216,22 @@ Availible commands in bash, coreutils, busybox and toybox. Do you find curl on t uuencode, wc, wget, which, who, whoami, xargs, yes ``` commands marked with \* are bash builtins, all others are external programms. Calling an external programm is more expensive then using bulitins -or using an internal replacement. Here are some examples of internal replacement for external commands: +or using an internal replacement. Here are some tipps for using builtins.: ```bash HOST="$(hostname)" -> HOST="$HOSTNAME" +DIR="$(pwd)" -> DIR="$PWD"" + seq 1 100 -> {0..100} data="$(cat file)" -> data="$(<"file")" -DIR="$(dirname $0) -> DIR=""${0%/*}/"" +DIR="$(dirname $0) -> DIR="${0%/*}" IAM="($basename $0)" -> IAM="${0##*/}* +ADDME="$ADDME something to add" -> ADDME+=" something to add"" + VAR="$(( 1 + 2 ))" -> (( var=1+2 )) INDEX="$(( ${INDEX} + 1 ))" -> (( INDEX++ )) @@ -328,5 +332,5 @@ fi #### [Prev Function Reference](6_reference.md) -#### $$VERSION$$ v0.96-dev-7-g0153928 +#### $$VERSION$$ v0.96-pre-9-gb23aadd diff --git a/modules/jsonDB.sh b/modules/jsonDB.sh index 8da70b4..ddba7ac 100644 --- a/modules/jsonDB.sh +++ b/modules/jsonDB.sh @@ -5,7 +5,7 @@ # This file is public domain in the USA and all free countries. # Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying) # -#### $$VERSION$$ v0.96-pre-0-geb49241 +#### $$VERSION$$ v0.96-pre-2-g30b5b1a # # source from commands.sh to use jsonDB functions # diff --git a/mycommands.sh b/mycommands.sh index c8e6b67..a75080d 100644 --- a/mycommands.sh +++ b/mycommands.sh @@ -8,7 +8,7 @@ # #### if you start to develop your own bot, use the clean version of this file: # #### mycommands.clean # -#### $$VERSION$$ v0.96-dev-7-g0153928 +#### $$VERSION$$ v0.96-pre-9-gb23aadd # # uncomment the following lines to overwrite info and help messages @@ -29,6 +29,11 @@ export FILE_REGEX="${BASHBOT_ETC}/.*" # example: run bashbot over TOR # export BASHBOT_CURL_ARGS="--socks5-hostname 127.0.0.1:9050" +# unset BASHBOT_RETRY to enable retry in case of recoverable errors, e.g. throtteling +# see logs/ERROR.log for information why send_messages etc. fail +# unset BOTSEND_RETRY +export BOTSEND_RETRY="no" + # set to "yes" and give your bot admin privilegs to remove service messaes from groups export SILENCER="no" diff --git a/mycommands.sh.clean b/mycommands.sh.clean index 7c8c1c4..184fd92 100644 --- a/mycommands.sh.clean +++ b/mycommands.sh.clean @@ -4,7 +4,7 @@ # files: mycommands.sh.clean # copy to mycommands.sh and add all your commands and functions here ... # -#### $$VERSION$$ v0.96-dev-7-g0153928 +#### $$VERSION$$ v0.96-pre-9-gb23aadd # ########## @@ -27,6 +27,11 @@ export INLINE="0" # do NOT set to .* as this allow sending files from all locations! export FILE_REGEX="${BASHBOT_ETC}/.*" +# unset BASHBOT_RETRY to enable retry in case of recoverable errors, e.g. throtteling +# see logs/ERROR.log for information why send_messages etc. fail +# unset BOTSEND_RETRY +export BOTSEND_RETRY="no" + # set to "yes" and give your bot admin privilegs to remove service messaes from groups export SILENCER="no"