doc: backticks, new set_chat_xxx functions

Kay Marquardt (Gnadelwartz) 2021-02-17 12:54:00 +01:00
parent f7897fd41b
commit fdbfcebc7c
4 changed files with 29 additions and 11 deletions

View File

@ -341,7 +341,7 @@ It features background tasks and interactive chats, and can serve as an interfac
<p>Running a Telegram Bot means it is connected to the public and you never know what's send to your Bot.</p>
<p>Bash scripts in general are not designed to be bulletproof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see <a href="https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells">Implications of wrong quoting</a>.</p>
<p>Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible (e.g. set IFS appropriately, disable globbing with <code>set -f</code> and quote everything). In addition remove unused scripts and examples from your Bot (e.g. everything in <code>example/</code>) and disable/remove all unused bot commands.</p>
<p>It's important to escape or remove <code>$</code> in input from user, files or network (<em>as bashbot does</em>). One of the powerful features of Unix shells is variable and command substitution using <code>${}</code> and <code>$()</code> can lead to remote code execution (RCE) or remote information disclosure (RID) bugs if unescaped <code>$</code> is included in untrusted input (e.g. <code>$$</code> or <code>$(rm -rf /*)</code>).</p>
<p>It's important to escape or remove <code>$</code> and <code>\`` in input from user, files or network (_as bashbot does_). One of the powerful features of Unix shells is variable and command substitution using </code>${var}<code>, </code>$(cmd)<code>and</code>`cmd`<code>can lead to remote code execution (RCE) or remote information disclosure (RID) bugs if unescaped</code>$<code>or</code> `<code>is included in untrusted input (e.g.</code>$$<code>or</code>$(rm -rf /*)`).</p>
<p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <a href="https://www.shellcheck.net/">use it online</a> or <a href="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensively in bashbot development to ensure a high code quality (e.g. it's not allowed to push changes without passing all shellcheck tests). In addition bashbot has a <a href="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
<h3>Use printf whenever possible</h3>
<p>If you're writing a script that accepts external input (e.g. from the user as arguments or the file system), you shouldn't use echo to display it. <a href="https://unix.stackexchange.com/a/6581">Use printf whenever possible</a>.</p>
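Review bot: the replacement paragraph in this hunk renders with inverted code markup (`</code>${var}<code>`, `</code>$(cmd)<code>and</code>`), keeps the literal underscores of `_as bashbot does_`, and leaves a stray backtick before `cmd`, so the generated README.html is now worse than the line it replaces. The root cause is upstream in the markdown: a backslash is not an escape inside a CommonMark code span, so `\`` ends the span early and the converter pairs the remaining delimiters wrongly. Fix the markdown source (double-backtick delimiters around any span that contains a backtick, e.g. `` `cmd` ``) and regenerate this file rather than editing the HTML by hand; the same paragraph in README.txt in this commit is broken for the same reason.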
@ -392,6 +392,6 @@ It features background tasks and interactive chats, and can serve as an interfac
<p>@Gnadelwartz</p>
<h2>That's it all guys!</h2>
<p>If you feel that there's something missing or if you found a bug, feel free to submit a pull request!</p>
<h4>$$VERSION$$ v1.41-0-gad1b91f</h4>
<h4>$$VERSION$$ v1.45-dev-36-gf7897fd</h4>
</body>
</html>

View File

@ -146,8 +146,9 @@ Whenever you are processing input from untrusted sources (messages, files, netwo
(e.g. set IFS appropriately, disable globbing with `set -f` and quote everything). In addition remove unused scripts and examples
from your Bot (e.g. everything in `example/`) and disable/remove all unused bot commands.
It's important to escape or remove `$` in input from user, files or network (_as bashbot does_).
One of the powerful features of Unix shells is variable and command substitution using `${}` and `$()` can lead to remote code execution (RCE) or remote information disclosure (RID) bugs if unescaped `$` is included in untrusted input (e.g. `$$` or `$(rm -rf /*)`).
It's important to escape or remove `$` and `\`` in input from user, files or network (_as bashbot does_).
One of the powerful features of Unix shells is variable and command substitution using `${var}`, `$(cmd)` and `\`cmd\`` can lead to remote
code execution (RCE) or remote information disclosure (RID) bugs if unescaped `$` or ` \`` is included in untrusted input (e.g. `$$` or `$(rm -rf /*)`).
A powerful tool to improve your scripts is `shellcheck`. You can [use it online](https://www.shellcheck.net/) or
[install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensively in bashbot development
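Review bot: on the new lines the backtick is written as `\`` inside a code span, but backslash is not an escape inside CommonMark code spans, so the span closes at that backtick and the rest of the sentence is rendered wrongly (this is what produced the mangled README.html and README.txt in the same commit). Use double-backtick delimiters for a span that contains a backtick: `` ` `` for the character itself and `` `cmd` `` for the command form; the ` \`` on the last changed line also carries a leading space inside the span. Two smaller points on the same lines: the sentence "One of the powerful features ... can lead to" has two main clauses and reads better split ("... is variable and command substitution using `${var}`, `$(cmd)` and `` `cmd` ``. Unescaped `$` or `` ` `` in untrusted input can lead to ..."), and it is worth saying that escaping complements the "quote everything" and `set -f` advice two lines up rather than replacing it, since `$(rm -rf /*)` in a quoted, unevaluated string is inert and the escaping only matters where the input later reaches an unquoted or evaluated context.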
@ -241,4 +242,4 @@ See `mycommnds.sh.dist` for an example.
If you feel that there's something missing or if you found a bug, feel free to submit a pull request!
#### $$VERSION$$ v1.41-0-gad1b91f
#### $$VERSION$$ v1.45-dev-36-gf7897fd

View File

@ -200,10 +200,11 @@ Whenever you are processing input from untrusted sources (messages, files, netwo
must be as careful as possible (e.g. set IFS appropriately, disable globbing with set -
f and quote everything). In addition remove unused scripts and examples from your Bot
(e.g. everything in example/) and disable/remove all unused bot commands.
It's important to escape or remove $ in input from user, files or network (as bashbot
does). One of the powerful features of Unix shells is variable and command substitution
using ${} and $() can lead to remote code execution (RCE) or remote information disclosure
(RID) bugs if unescaped $ is included in untrusted input (e.g. $$ or $(rm -rf /*)).
It's important to escape or remove $ and \`` in input from user, files or network (_as
bashbot does_). One of the powerful features of Unix shells is variable and command
substitution using${var},$(cmd)and`cmd`can lead to remote code execution (RCE) or remote
information disclosure (RID) bugs if unescaped$or `is included in untrusted input
(e.g.$$or$(rm -rf /*)`).
A powerful tool to improve your scripts is shellcheck. You can use it online [https://
www.shellcheck.net/] or install shellcheck locally [https://github.com/koalaman/
shellcheck#installing]. Shellcheck is used extensively in bashbot development to ensure a
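Review bot: the new README.txt lines have lost the spaces around every inline code span ("using${var},$(cmd)and`cmd`can lead", "unescaped$or `is", "(e.g.$$or$(rm -rf /*)`)") and still show the `\`` and `_as bashbot does_` markup from the markdown, so the plain-text README is unreadable at exactly the paragraph that tells users how to avoid RCE. This is the same root cause as in the HTML file (an escaped backtick inside a CommonMark code span); fix README.md and regenerate this file instead of patching the text output.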
@ -318,5 +319,5 @@ That's it all guys!
If you feel that there's something missing or if you found a bug, feel free to submit a
pull request!
$$VERSION$$ v1.41-0-gad1b91f
$$VERSION$$ v1.45-dev-36-gf7897fd

View File

@ -651,6 +651,15 @@ with description "Bad Request: chat description is not modified"
*usage:* set_chat_description "CHAT[ID]" "new chat description"
##### set_chat_photo
`set_chat_photo` sets a new profile photo for the chat, can't be changed for private chat.
Photo must be a local image file in a supported format (_.jpg, .jpeg, .png, .gif, .bmp, .tiff_)
Same location and naming restrictions as with `send_file` apply.
*usage:* set_chat_photo "CHAT[ID]" "file"
##### new_chat_invite
`new_chat_invite` generate a new invite link for a chat; any previously generated link is revoked.
Returns the new invite link as String on success.
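Review bot: the new `set_chat_photo` entry says "Same location and naming restrictions as with `send_file` apply" but does not say what happens when a path violates them, and unlike `new_chat_invite` just below it does not document a return value. Since that restriction is what keeps a user-supplied file name from being handed to the Telegram API, please state whether the call is refused and how the error is reported, and link the `send_file` section so readers can find the actual rules. Minor: the format list and the `send_file` sentence lack end punctuation, and "can't be changed for private chat" reads better as "cannot be set for private chats".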
@ -687,6 +696,13 @@ Returns the new invite link as String on success.
*usage:* delete_chat_stickers "CHAT[ID]"
##### set_chatadmin_title
`set_chatadmin_title` set a custom title for an administrator in a supergroup promoted by the bot.
Admin title can be 0-16 characters long, emoji are not allowed.
*usage:* set_chatadmin_title "CHAT[ID]" "USER[ID]" "admin title"
----
### User Access Control
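Review bot: the `set_chatadmin_title` description makes "promoted by the bot" a precondition but does not say what happens when `USER[ID]` is not such an administrator; the neighbouring entries document their failure strings (e.g. the "Bad Request: chat description is not modified" quoted in the hunk header above), so this one should too. Also "set a custom title" should be "sets a custom title" to match the other entries, and "0-16 characters" deserves a word on what an empty title does (does it clear the existing title?) if that is an intended use.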
@ -1641,5 +1657,5 @@ The name of your bot is available as bash variable "$ME", there is no need to ca
#### [Prev Best Practice](5_practice.md)
#### [Next Notes for Developers](7_develop.md)
#### $$VERSION$$ v1.45-dev-9-g62b6b61
#### $$VERSION$$ v1.45-dev-36-gf7897fd