small updates and fixes for 1.40

This commit is contained in:
Kay Marquardt (Gnadelwartz) 2021-02-02 20:33:22 +01:00
parent 1440d56f48
commit f9dab50f84
11 changed files with 56 additions and 50 deletions

View File

@ -341,7 +341,7 @@ It features background tasks and interactive chats, and can serve as an interfac
<p>Running a Telegram Bot means it is connected to the public and you never know what's send to your Bot.</p>
<p>Bash scripts in general are not designed to be bulletproof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see <a href="https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells">Implications of wrong quoting</a>.</p>
<p>Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible (e.g. set IFS appropriately, disable globbing with <code>set -f</code> and quote everything). In addition remove unused scripts and examples from your Bot (e.g. everything in <code>example/</code>) and disable/remove all unused bot commands.</p>
<p>It's important to escape or remove <code>$</code> in input from user, files or network (<em>as bashbot does</em>). One of the powerful features of Unix shells is variable and command substitution using <code>${}</code> and<code>$()</code> can lead to remote code execution (RCE) or remote information disclosure (RID) bugs if unescaped <code>$</code> is included in untrusted input (e.g. <code>$$</code> or <code>$(rm -rf /*)</code>).</p>
<p>It's important to escape or remove <code>$</code> in input from user, files or network (<em>as bashbot does</em>). One of the powerful features of Unix shells is variable and command substitution using <code>${}</code> and <code>$()</code> can lead to remote code execution (RCE) or remote information disclosure (RID) bugs if unescaped <code>$</code> is included in untrusted input (e.g. <code>$$</code> or <code>$(rm -rf /*)</code>).</p>
<p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <a href="https://www.shellcheck.net/">use it online</a> or <a href="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensively in bashbot development to ensure a high code quality (e.g. it's not allowed to push changes without passing all shellcheck tests). In addition bashbot has a <a href="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
<h3>Use printf whenever possible</h3>
<p>If you're writing a script that accepts external input (e.g. from the user as arguments or the file system), you shouldn't use echo to display it. <a href="https://unix.stackexchange.com/a/6581">Use printf whenever possible</a>.</p>
@ -350,8 +350,9 @@ It features background tasks and interactive chats, and can serve as an interfac
<p><strong>Never run your Bot as root, this is the most dangerous you can do!</strong> Usually the user 'nobody' has almost no rights on Linux/Unix systems. See <a href="doc/4_expert.md">Expert use</a> on how to run your Bot as an other user.</p>
<h3>Secure your Bot installation</h3>
<p><strong>Your Bot configuration must not be readable by other users.</strong> Everyone who can read your Bots token is able to act as your Bot and has access to all chats the Bot is in!</p>
<p>Everyone with read access to your Bot files can extract your Bots data. Especially your Bot config in<code>config.jssh</code> must be protected against other users. No one except you should have write access to the Bot files. The Bot should be restricted to have write access to<code>count.jssh</code> and <code>data-bot-bash</code> only, all other files must be write protected.</p>
<p>To set access rights for your bashbot installation to a reasonable default run<code>sudo ./bashbot.sh init</code> after every update or change to your installation directory.</p>
<p>Everyone with read access to your Bot files can extract your Bots data. Especially your Bot config in <code>config.jssh</code> must be protected against other users. No one except you should have write access to the Bot files. The Bot should be restricted to have write access to <code>count.jssh</code>, <code>data-bot-bash/</code> and <code>logs/</code> only, all other files must be write protected.</p>
<p>To set access rights for your bashbot installation to a reasonable default run <code>sudo ./bashbot.sh init</code> after every update or change to your installation directory.</p>
<p><em>Note</em>: Keep old log files in a safe place or even better delete them, they are GDPR relevant and <a href="https://github.com/topkecleon/telegram-bot-bash/issues/174">may contain information</a> you don't want to be public.</p>
<h2>FAQ</h2>
<h3>Is this Bot insecure?</h3>
<p>Bashbot is not more (in)secure than a Bot written in another language. We have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...</p>
@ -365,8 +366,8 @@ It features background tasks and interactive chats, and can serve as an interfac
<li>no database, not event driven, not object oriented ...</li>
</ul>
<h3>Can I have the single bashbot.sh file back?</h3>
<p>At the beginning bashbot was simply the file<code>bashbot.sh</code> that you could copy everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.</p>
<p>Hey no problem, if you are finished with your cool bot, run<code>dev/make-standalone.sh</code> to create a stripped down version of your bot containing only 'bashbot.sh' and 'commands.sh'! For more information see <a href="doc/7_develop.md">Create a stripped down version of your Bot</a>.</p>
<p>At the beginning bashbot was simply the file <code>bashbot.sh</code> that you could copy everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.</p>
<p>Hey no problem, if you are finished with your cool bot, run <code>dev/make-standalone.sh</code> to create a stripped down version of your bot containing only 'bashbot.sh' and 'commands.sh'! For more information see <a href="doc/7_develop.md">Create a stripped down version of your Bot</a>.</p>
<h3>Can I send messages from CLI and scripts?</h3>
<p>Of course you can send messages from command line and scripts! Simply install bashbot as <a href="#Your-really-first-bashbot-in-a-nutshell">described here</a>, send the message '/start' to set yourself as botadmin and then stop the bot with <code>./bashbot.sh stop</code>.</p>
<p>Bashbot provides some ready to use scripts for sending messages from command line in <code>bin/</code> dir, e.g. <code>send_message.sh</code>.</p>
@ -391,6 +392,6 @@ It features background tasks and interactive chats, and can serve as an interfac
<p>@Gnadelwartz</p>
<h2>That's it all guys!</h2>
<p>If you feel that there's something missing or if you found a bug, feel free to submit a pull request!</p>
<h4>$$VERSION$$ v1.40-dev-29-g737be16</h4>
<h4>$$VERSION$$ v1.40-dev-34-g1440d56</h4>
</body>
</html>

View File

@ -147,7 +147,7 @@ Whenever you are processing input from untrusted sources (messages, files, netwo
from your Bot (e.g. everything in `example/`) and disable/remove all unused bot commands.
It's important to escape or remove `$` in input from user, files or network (_as bashbot does_).
One of the powerful features of Unix shells is variable and command substitution using `${}` and`$()` can lead to remote code execution (RCE) or remote information disclosure (RID) bugs if unescaped `$` is included in untrusted input (e.g. `$$` or `$(rm -rf /*)`).
One of the powerful features of Unix shells is variable and command substitution using `${}` and `$()` can lead to remote code execution (RCE) or remote information disclosure (RID) bugs if unescaped `$` is included in untrusted input (e.g. `$$` or `$(rm -rf /*)`).
A powerful tool to improve your scripts is `shellcheck`. You can [use it online](https://www.shellcheck.net/) or
[install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensively in bashbot development
@ -169,9 +169,11 @@ For the same reason every file your Bot can read is in danger of being disclosed
### Secure your Bot installation
**Your Bot configuration must not be readable by other users.** Everyone who can read your Bots token is able to act as your Bot and has access to all chats the Bot is in!
Everyone with read access to your Bot files can extract your Bots data. Especially your Bot config in`config.jssh` must be protected against other users. No one except you should have write access to the Bot files. The Bot should be restricted to have write access to`count.jssh` and `data-bot-bash` only, all other files must be write protected.
Everyone with read access to your Bot files can extract your Bots data. Especially your Bot config in `config.jssh` must be protected against other users. No one except you should have write access to the Bot files. The Bot should be restricted to have write access to `count.jssh`, `data-bot-bash/` and `logs/` only, all other files must be write protected.
To set access rights for your bashbot installation to a reasonable default run`sudo ./bashbot.sh init` after every update or change to your installation directory.
To set access rights for your bashbot installation to a reasonable default run `sudo ./bashbot.sh init` after every update or change to your installation directory.
*Note*: Keep old log files in a safe place or even better delete them, they are GDPR relevant and [may contain information](https://github.com/topkecleon/telegram-bot-bash/issues/174) you don't want to be public.
## FAQ
@ -189,9 +191,9 @@ Well, that's a damn good question... maybe because I'm a Unix admin from the sto
- no database, not event driven, not object oriented ...
### Can I have the single bashbot.sh file back?
At the beginning bashbot was simply the file`bashbot.sh` that you could copy everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.
At the beginning bashbot was simply the file `bashbot.sh` that you could copy everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.
Hey no problem, if you are finished with your cool bot, run`dev/make-standalone.sh` to create a stripped down version of your bot containing only
Hey no problem, if you are finished with your cool bot, run `dev/make-standalone.sh` to create a stripped down version of your bot containing only
'bashbot.sh' and 'commands.sh'! For more information see [Create a stripped down version of your Bot](doc/7_develop.md).
### Can I send messages from CLI and scripts?
@ -239,4 +241,4 @@ See `mycommnds.sh.dist` for an example.
If you feel that there's something missing or if you found a bug, feel free to submit a pull request!
#### $$VERSION$$ v1.40-dev-29-g737be16
#### $$VERSION$$ v1.40-dev-34-g1440d56

View File

@ -202,7 +202,7 @@ f and quote everything). In addition remove unused scripts and examples from you
(e.g. everything in example/) and disable/remove all unused bot commands.
It's important to escape or remove $ in input from user, files or network (as bashbot
does). One of the powerful features of Unix shells is variable and command substitution
using ${} and$() can lead to remote code execution (RCE) or remote information disclosure
using ${} and $() can lead to remote code execution (RCE) or remote information disclosure
(RID) bugs if unescaped $ is included in untrusted input (e.g. $$ or $(rm -rf /*)).
A powerful tool to improve your scripts is shellcheck. You can use it online [https://
www.shellcheck.net/] or install shellcheck locally [https://github.com/koalaman/
@ -232,11 +232,14 @@ Secure your Bot installation
Your Bot configuration must not be readable by other users. Everyone who can read your
Bots token is able to act as your Bot and has access to all chats the Bot is in!
Everyone with read access to your Bot files can extract your Bots data. Especially your
Bot config inconfig.jssh must be protected against other users. No one except you should
have write access to the Bot files. The Bot should be restricted to have write access
tocount.jssh and data-bot-bash only, all other files must be write protected.
To set access rights for your bashbot installation to a reasonable default runsudo ./
Bot config in config.jssh must be protected against other users. No one except you should
have write access to the Bot files. The Bot should be restricted to have write access to
count.jssh, data-bot-bash/ and logs/ only, all other files must be write protected.
To set access rights for your bashbot installation to a reasonable default run sudo ./
bashbot.sh init after every update or change to your installation directory.
Note: Keep old log files in a safe place or even better delete them, they are GDPR
relevant and may contain information [https://github.com/topkecleon/telegram-bot-bash/
issues/174] you don't want to be public.
FAQ
@ -264,9 +267,9 @@ Nevertheless there are more reasons from my side:
Can I have the single bashbot.sh file back?
At the beginning bashbot was simply the filebashbot.sh that you could copy everywhere and
At the beginning bashbot was simply the file bashbot.sh that you could copy everywhere and
run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.
Hey no problem, if you are finished with your cool bot, rundev/make-standalone.sh to
Hey no problem, if you are finished with your cool bot, run dev/make-standalone.sh to
create a stripped down version of your bot containing only 'bashbot.sh' and 'commands.sh'!
For more information see Create a stripped down version of your Bot [doc/7_develop.md].
@ -315,5 +318,5 @@ That's it all guys!
If you feel that there's something missing or if you found a bug, feel free to submit a
pull request!
$$VERSION$$ v1.40-dev-29-g737be16
$$VERSION$$ v1.40-dev-34-g1440d56

View File

@ -30,7 +30,7 @@ BOTCOMMANDS="-h help init start stop status suspendback resumeback killb
# 8 - curl/wget missing
# 10 - not bash!
#
#### $$VERSION$$ v1.40-dev-32-gd876f75
#### $$VERSION$$ v1.40-dev-34-g1440d56
##################################################################
# are we running in a terminal?
@ -390,13 +390,13 @@ fi
# $1 URL, $2 filename in DATADIR
# outputs final filename
#download() {
# local empty="no.file" file="${2:-${empty}}"
# if [[ "${file}" = *"/"* ]] || [[ "${file}" = "."* ]]; then file="${empty}"; fi
# while [ -f "${DATADIR:-.}/${file}" ] ; do file="${RANDOM}-${file}"; done
# getJson "$1" >"${DATADIR:-.}/${file}" || return
# printf '%s\n' "${DATADIR:-.}/${file}"
#}
download() {
local empty="no.file" file="${2:-${empty}}"
if [[ "${file}" = *"/"* ]] || [[ "${file}" = "."* ]]; then file="${empty}"; fi
while [ -f "${DATADIR:-.}/${file}" ] ; do file="${RANDOM}-${file}"; done
getJson "$1" >"${DATADIR:-.}/${file}" || return
printf '%s\n' "${DATADIR:-.}/${file}"
}
# $1 postfix, e.g. chatid
# $2 prefix, back- or startbot-

View File

@ -8,14 +8,14 @@
# | |__/ / |_| | | | | | |_| | |__ | |____( (_| | | |__ _
# |_____/ \___/ |_| |_|\___/ \___) |_______)____|_|\___)_|
#
# this file *MUST* not be edited! place your config and commands in
# the file "mycommands.sh". a clean version is provided as "mycommands.sh.clean"
# this file *MUST* not edited! place your config in the file "mycommands.conf"
# and commands in "mycommands.sh", a clean version is provided as "mycommands.sh.clean"
#
# This file is public domain in the USA and all free countries.
# Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying)
#
#### $$VERSION$$ v1.35-dev-14-g08a0524
#### $$VERSION$$ v1.40-dev-34-g1440d56
#
# bashbot locale defaults to c.UTF-8, adjust locale in mycommands.sh if needed

View File

@ -132,5 +132,5 @@ You must update to [Version 1.20](https://github.com/topkecleon/telegram-bot-bas
#### [Next Create Bot](1_firstbot.md)
#### $$VERSION$$ v1.30-0-g3266427
#### $$VERSION$$ v1.40-dev-34-g1440d56

View File

@ -295,7 +295,7 @@ In case you need other response values , the array `UPD` contains complete Teleg
## Usage of bashbot functions
#### sending messages
To send messages use the `send_xxx_message`functions.
To send messages use the `send_xxx_message` functions.
To insert line brakes in a message place `\n` in the text.
To send regular text without any markdown use:
@ -311,7 +311,7 @@ To send text with html:
send_html_message "${CHAT[ID]}" "lol <b>bold</b>"
```
To forward messages use the `forward`function:
To forward messages use the `forward` function:
```bash
forward "${CHAT[ID]}" "from_chat_id" "message_id"
```
@ -349,20 +349,20 @@ To send local files or URL's (photo, video, voice, sticker, documents) use the `
send_file "${CHAT[ID]}" "/home/user/dog.jpg" "Lool" "photo"
send_file "${CHAT[ID]}" "https://images-na.ssl-images-amazon.com/images/I/81DQ0FpoSNL._AC_SL1500_.jpg"
```
To send custom keyboards use the `send_keyboard`function:
To send custom keyboards use the `send_keyboard` function:
```bash
send_keyboard "${CHAT[ID]}" "Text that will appear in chat?" '[ "Yep" , "No" ]' # note the single quotes!
send_keyboard "${CHAT[ID]}" "Text that will appear in chat?" "[ \\"Yep\\" , \\"No\\" ]" # within double quotes you must escape the inside double quots
```
To send locations use the `send_location`function:
To send locations use the `send_location` function:
```bash
send_location "${CHAT[ID]}" "Latitude" "Longitude"
```
To send venues use the `send_venue`function:
To send venues use the `send_venue` function:
```bash
send_venue "${CHAT[ID]}" "Latitude" "Longitude" "Title" "Address" "optional foursquare id"
```
To send a chat action use the `send_action`function.
To send a chat action use the `send_action` function.
Allowed values: typing for text messages, upload_photo for photos, record_video or upload_video for videos, record_audio or upload_audio for audio files, upload_document for general files, find_location for locations.
```bash
send_action "${CHAT[ID]}" "action"
@ -372,5 +372,5 @@ send_action "${CHAT[ID]}" "action"
#### [Prev Create Bot](1_firstbot.md)
#### [Next Advanced Usage](3_advanced.md)
#### $$VERSION$$ v1.35-dev-31-ga3eec98
#### $$VERSION$$ v1.40-dev-34-g1440d56

View File

@ -144,7 +144,7 @@ echo "Text that will appear in one message \nwith this text on a new line"
```
In case you want extend a message already containing a location, a file, a keyboard etc.,
with an additionial text simply add ` mytextstartshere additional text`at the end of the string:
with an additionial text simply add ` mytextstartshere additional text` at the end of the string:
```bash
out="Text that will appear mylatstartshere 45 mylongstartshere 45"
[[ "$out" != *'in chat'* ]] && out="$out mytextstartshere in chat."
@ -190,7 +190,7 @@ Note: Background jobs run independent from main bot and continue running until y
In order to enable **inline mode**, send `/setinline` command to [@BotFather](https://telegram.me/botfather) and provide the placeholder text that the user will see in the input field after typing your bots name.
The following commands allows you to send ansers to *inline queries*. To enable bashbot to process inline queries set `INLINE="1"`in 'mycommands.sh'.
The following commands allows you to send ansers to *inline queries*. To enable bashbot to process inline queries set `INLINE="1"` in `mycommands.sh`.
To send messages or links through an *inline query*:
```bash
@ -258,7 +258,7 @@ By default you don't have to care about retry, as bashbot resend the message aft
Only if the retry fails also an error is returned. The downside is that send_message functions will wait until resend is done.
If you want to disable automatic error processing and handle all errors manually (or don't care)
set `BASHBOT_RETRY`to any no zero value.
set `BASHBOT_RETRY` to any no zero value.
[Telegram Bot API error codes](https://github.com/TelegramBotAPI/errors)
@ -266,9 +266,9 @@ set `BASHBOT_RETRY`to any no zero value.
#### Detect bot blocked
If the we can't connect to telegram, e.g. blocked from telegram server but also any other reason,
bashbot set `BOTSENT[ERROR]`to `999`.
bashbot set `BOTSENT[ERROR]` to `999`.
To get a notification on every connection problem create a function named `bashbotBlockRecover`and handle blocks there.
To get a notification on every connection problem create a function named `bashbotBlockRecover` and handle blocks there.
If the function returns true (0 or no value) bashbot will retry once and then return to the calling function.
In case you return any non 0 value bashbot will return to the calling function without retry.
@ -302,5 +302,5 @@ Note: If you disable automatic retry, se above, you disable also connection prob
#### [Prev Getting started](2_usage.md)
#### [Next Expert Use](4_expert.md)
#### $$VERSION$$ v1.30-0-g3266427
#### $$VERSION$$ v1.40-dev-34-g1440d56

View File

@ -434,5 +434,5 @@ for every poll until the maximum of BASHBOT_SLEEP ms.
#### [Prev Advanced Use](3_advanced.md)
#### [Next Best Practice](5_practice.md)
#### $$VERSION$$ v1.30-0-g3266427
#### $$VERSION$$ v1.40-dev-34-g1440d56

View File

@ -12,7 +12,7 @@ If you don't have a github account, it may time to [setup a free account now](ht
### Add commands to mycommands.sh only
Do not change `bashbot.sh` and `commands.sh`, instead place your commands in to `mycommands.sh`.
To start with a clean/minimal bot copy `mycommands.sh.clean` to `mycommands.sh` and start editing
the message strings and place commands in the`case ... esac` block of the function mycommands():
the message strings and place commands in the` case ... esac` block of the function mycommands():
```bash
# file: mycommands.sh
# your additional bashbot commands
@ -160,5 +160,5 @@ The second warning is about an unused variable, this is true because in our exam
#### [Prev Best Practice](5_practice.md)
#### [Next Functions Reference](6_reference.md)
#### $$VERSION$$ v1.30-0-g3266427
#### $$VERSION$$ v1.40-dev-34-g1440d56

View File

@ -4,7 +4,7 @@
# File: processUpdates.sh
# Note: DO NOT EDIT! this file will be overwritten on update
#
#### $$VERSION$$ v1.40-dev-33-g969c7a9
#### $$VERSION$$ v1.40-dev-34-g1440d56
##################################################################
##############
@ -82,7 +82,7 @@ process_update() {
process_message "${num}" "${debug}"
printf "%(%c)T: update received FROM=%s CHAT=%s CMD=%s\n" -1 "${USER[USERNAME]:0:20} (${USER[ID]})"\
"${CHAT[USERNAME]:0:20}${CHAT[TITLE]:0:30} (${CHAT[ID]})"\
"${MESSAGE:0:30}${CAPTION:0:30}$(: "${URL[*]/bot*:}"; printf "%s" "${_//[A-Z-]}")" >>"${UPDATELOG}"
"${MESSAGE:0:30}${CAPTION:0:30}$(: "${URLS[*]//bot*:}"; printf "%s" "${_//[A-Z-]}")" >>"${UPDATELOG}"
fi
#####
# process inline and message events