Go to file
2019-04-16 16:45:26 +02:00
.github/ISSUE_TEMPLATE Update issue templates 2019-04-12 14:31:52 +02:00
doc some more doc cleanup for release 2019-04-16 16:45:26 +02:00
JSON.sh@022ec337c3 Now the messages id can be accessed in MESSAGE[ID], all updates fetched with getUpdates are processed simultaneously and newlines and certain unicode codepoints are parsed correctly in messages (closes #21) 2016-10-24 22:13:52 +00:00
.gitignore fix sync with JSON 2019-03-30 15:11:33 +01:00
.gitmodules Added a license for the unfortunate souls whose governments don't allow public domain. 2016-04-19 05:49:35 -04:00
bashbot.cron finalize features and descriptions 2019-04-16 13:29:49 +02:00
bashbot.rc finalize features and descriptions 2019-04-16 13:29:49 +02:00
bashbot.sh finalize features and descriptions 2019-04-16 13:29:49 +02:00
calc finalize features and descriptions 2019-04-16 13:29:49 +02:00
commands.sh finalize features and descriptions 2019-04-16 13:29:49 +02:00
LICENSE Added a license for the unfortunate souls whose governments don't allow public domain. 2016-04-19 05:49:35 -04:00
notify finalize features and descriptions 2019-04-16 13:29:49 +02:00
question finalize features and descriptions 2019-04-16 13:29:49 +02:00
README.md some more doc cleanup for release 2019-04-16 16:45:26 +02:00
README.txt some more doc cleanup for release 2019-04-16 16:45:26 +02:00
version finalize features and descriptions 2019-04-16 13:29:49 +02:00

bashbot

A Telegram bot written in bash.

Depends on tmux. Uses JSON.sh.

For full UTF-8 support you need python on your system (optional).

Written by Drew (@topkecleon), Daniil Gentili (@danogentili), and Kay M (@gnadelwartz).

Contributions by JuanPotato, BigNerd95, TiagoDanin, and iicc1.

Download latest release from github

Released to the public domain wherever applicable. Elsewhere, consider it released under the WTFPLv2.

Install bashbot

  1. Go to the directory you want to install bashbot, e.g.
    • your $HOME directory (install and run with your user-ID)
    • /usr/local if you want to run as service
  2. Clone the repository:
    git clone --recursive https://github.com/topkecleon/telegram-bot-bash
    
  3. Change to directory telegram-bot.bash, run ./bashbot.sh init and follow the instructions. At this stage you are asked for your Bots token given by botfather.

Update bashbot

Download latest update zip from github, extract all files and copy them to your bashbot dir. Now run sudo ./bashbot.sh init to setup your environment for the new release.

Getting started

Note on Keyboards

To make use of Keyboards easier the keybord format for send_keyboard and send_message "mykeyboardstartshere ..." was changed. Keybords are now defined in an JSON Array notation e.g. "[ \"yes\" , \"no\" ]". This has the advantage that you can create any type of keyboard supported by Telegram. This is an incompatible change for keyboards used in older bashbot versions.

Example Keyboards:

  • yes no in one row
    • OLD format: "yes" "no" (two strings)
    • NEW format: "[ \"yes\" , \"no\" ]" (string containing an array)
  • new keybord layouts, no possible with old format:
    • Yes No in two rows: "[ \"yes\" ] , [ \"no\" ]"
    • numpad style keyboard: "[ \"1\" , \"2\" , \"3\" ] , [ \"4\" , \"5\" , \"6\" ] , [ \"7\" , \"8\" , \"9\" ] , [ \"0\" ]"

Security Considerations

Running a Telegram Bot means it is connected to the public and you never know whats send to your Bot.

Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. More concret examples of security problems are bash's 'quoting hell' and globbing. Implications of wrong quoting

Whenever you are processing input from from untrusted sources (messages, files, network) you must be as carefull as possible, e.g. disable globbing (set -f) and quote everthing.

A powerful tool to improve your scripts robustness is shellcheck. You can use it online or install shellcheck locally. All bashbot scripts are checked by shellcheck.

Run your Bot as a restricted user

It's important to run your bot as a user, with almost no access rights.

All files your Bot have write access to are in danger to be overwritten/deleted if your bot is hacked. For the same reason ervery file your Bot can read is in danger of being disclosed. So please restict your Bots access rigths to the absolute minimum.

Never run your Bot as root, this is the most dangerous you can do! Usually the user 'nobody' has almost no rights on Unix/Linux systems. See Expert use on how to run your Bot as an other user.

Secure your Bot installation

Your Bot configuration should not be readable from other users. If someone can read your Bots token he can act as your Bot and has access to all chats you Bot is in!

Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in token must be protected against other users. No one exept you should have write access to the Bot files. The Bot must be restricted to have write access to count and tmp-bot-bash only, all other files should be write protected.

To set access rights for your telegram-bot-bash directory to reasonable default values you must run sudo ./bashbot.sh init after every update or change to your installation directory.

Is this Bot insecure?

Bashbot is no more (in)secure as any other Bot written in any other language. But since YOU are responsible for your bots commands and run the Bot, you should know about the implications ...

That's it!

If you feel that there's something missing or if you found a bug, feel free to submit a pull request!

$$VERSION$$ v0.60-rc2-4-g1bf26b9