mirror of
https://github.com/octoleo/telegram-bot-bash.git
synced 2024-12-28 12:50:44 +00:00
325 lines
12 KiB
Plaintext
325 lines
12 KiB
Plaintext
<h2><img align="middle"
|
|
src="https://raw.githubusercontent.com/odb/official-bash-logo/master/assets/Logo
|
|
s/Icons/PNG/64x64.png" >
|
|
Bashbot - A Telegram bot written in bash.
|
|
</h2>
|
|
Written by Drew (@topkecleon) and Kay M (@gnadelwartz).
|
|
|
|
Contributions by Daniil Gentili (@danog), JuanPotato, BigNerd95, TiagoDanin,
|
|
iicc1 and dcoomber.
|
|
|
|
Released to the public domain wherever applicable.
|
|
Elsewhere, consider it released under the
|
|
[WTFPLv2](http://www.wtfpl.net/txt/copying/).
|
|
|
|
Linted by [#ShellCheck](https://github.com/koalaman/shellcheck)
|
|
|
|
## Prerequisites
|
|
Uses [JSON.sh](http://github.com/dominictarr/JSON.sh) and the magic of sed.
|
|
|
|
Bashbot is written in bash. It depends on commands typically available in a
|
|
Linux/Unix Environment.
|
|
For more concrete information on the common commands provided by recent
|
|
versions of
|
|
[coreutils](https://en.wikipedia.org/wiki/List_of_GNU_Core_Utilities_commands),
|
|
[busybox](https://en.wikipedia.org/wiki/BusyBox#Commands) or
|
|
[toybox](https://landley.net/toybox/help.html), see [Developer
|
|
Notes](doc/7_develop.md#common-commands).
|
|
|
|
**Note for MacOS and BSD Users:** Bashbot will not run without installing
|
|
additional software as it uses modern bash and (gnu) grep/sed features. See
|
|
[Install Bashbot](doc/0_install.md).
|
|
|
|
**Note for embedded systems:** You need to install a "real" bash as the vanilla
|
|
installation of busybox or toybox is not sufficient. See [Install
|
|
Bashbot](doc/0_install.md).
|
|
|
|
Bashbot [Documentation](https://github.com/topkecleon/telegram-bot-bash) and
|
|
[Downloads](https://github.com/topkecleon/telegram-bot-bash/releases) are
|
|
available on [www.github.com](https://www.github.com).
|
|
|
|
## Documentation
|
|
* [Introduction to Telegram Bots](https://core.telegram.org/bots)
|
|
* [Install Bashbot](doc/0_install.md)
|
|
* Install release
|
|
* Install from github
|
|
* Update Bashbot
|
|
* Notes on Updates
|
|
* [Get Bottoken from Botfather](doc/1_firstbot.md)
|
|
* [Getting Started](doc/2_usage.md)
|
|
* Managing your Bot
|
|
* Receive data
|
|
* Send messages
|
|
* Send files, locations, keyboards
|
|
* [Advanced Features](doc/3_advanced.md)
|
|
* Access Control
|
|
* Interactive Chats
|
|
* Background Jobs
|
|
* Inline queries
|
|
* Send message errors
|
|
* [Expert Use](doc/4_expert.md)
|
|
* Handling UTF-8 character sets
|
|
* Run as other user or system service
|
|
* Schedule bashbot from Cron
|
|
* Use from CLI and Scripts
|
|
* Customize Bashbot Environment
|
|
* [Best Practices](doc/5_practice.md)
|
|
* Customize mycommands.sh
|
|
* Overwrite/disable commands
|
|
* Separate logic from commands
|
|
* Test your Bot with shellcheck
|
|
* [Function Reference](doc/6_reference.md)
|
|
* Sending Messages, Files, Keyboards
|
|
* User Access Control
|
|
* Inline Queries
|
|
* jsshDB Bashbot key-value storage
|
|
* Background and Interactive Jobs
|
|
* [Developer Notes](doc/7_develop.md)
|
|
* Debug bashbot
|
|
* Modules, addons, events
|
|
* Setup your environment
|
|
* Bashbot test suite
|
|
* [Examples Directory](examples/README.md)
|
|
|
|
### Your very first bashbot in a nutshell
|
|
|
|
To install and run bashbot you need access to a Linux/Unix command line with
|
|
bash, a [Telegram client](https://telegram.org) and a mobile phone [with a
|
|
Telegram account](https://telegramguide.com/create-a-telegram-account/).
|
|
|
|
First you need to [create a new Telegram Bot token](doc/1_firstbot.md) for your
|
|
bot and write it down.
|
|
|
|
Now open a Linux/Unix terminal with bash, create a new directory, change to it
|
|
and install telegram-bot-bash:
|
|
|
|
```bash
|
|
# create bot dir
|
|
mkdir mybot
|
|
cd mybot
|
|
|
|
# download latest release with wget or from
|
|
https://github.com/topkecleon/telegram-bot-bash/releases/latest
|
|
wget "https://github.com/$(wget -q
|
|
"https://github.com/topkecleon/telegram-bot-bash/releases/latest" -O - | egrep
|
|
'/.*/download/.*/.*tar.gz' -o)"
|
|
|
|
# Extract the tar archive and go into bot dir
|
|
tar -xzf *.tar.gz
|
|
cd telegram-bot-bash
|
|
|
|
# initialize your bot
|
|
# Enter your bot token when asked, all other questions can be answered by
|
|
hitting the \<Return\> key.
|
|
./bashbot.sh init
|
|
|
|
# Now start your bot
|
|
./bashbot.sh start
|
|
|
|
Bottoken is valid ...
|
|
Bot Name: yourbotname_bot
|
|
Session Name: yourbotname_bot-startbot
|
|
Bot started successfully.
|
|
```
|
|
|
|
Now open the Telegram App on your mobile phone and start a chat with your bot
|
|
(_your bot's username is shown after 'Bot Name:'_):
|
|
|
|
```
|
|
/start
|
|
|
|
You are Botadmin
|
|
*Available commands*:
|
|
*• /start*: _Start bot and get this message_.
|
|
*• /help*: _Get this message_.
|
|
*• /info*: _Get shorter info message about this bot_....
|
|
|
|
/info
|
|
|
|
This is bashbot, the Telegram bot written entirely in bash.
|
|
It features background tasks and interactive chats, and can serve as an
|
|
interface for CLI programs.
|
|
```
|
|
For more Information on how to install, customize and use your new bot, read
|
|
the [Documentation](#Documentation).
|
|
|
|
### Log files
|
|
|
|
Bashbot actions are logged to `BASHBOT.log`. Telegram send/receive errors are
|
|
logged to `ERROR.log`.
|
|
Start bashbot in debug mode to see all messages sent to / received from
|
|
Telegram, as well as bash command error messages.
|
|
|
|
To enable debug mode, start bashbot with debug as third argument: `bashbot
|
|
start debug`
|
|
|
|
```
|
|
├── logs
|
|
│ ├── BASHBOT.log # log what your bot is doing ...
|
|
│ ├── ERROR.log # connection errors from / to Telegram API
|
|
│ │
|
|
│ ├── DEBUG.log # stdout/stderr of you bot (debug mode enabled)
|
|
│ └── MESSAGE.log # full text of all message send/received (debug mode
|
|
enabled)
|
|
```
|
|
|
|
----
|
|
|
|
## Security Considerations
|
|
Running a Telegram Bot means it is connected to the public and you never know
|
|
what's send to your Bot.
|
|
|
|
Bash scripts in general are not designed to be bulletproof, so consider this
|
|
Bot as a proof of concept.
|
|
Bash programmers often struggle with 'quoting hell' and globbing,
|
|
see [Implications of wrong
|
|
quoting](https://unix.stackexchange.com/questions/171346/security-implications-o
|
|
f-forgetting-to-quote-a-variable-in-bash-posix-shells).
|
|
|
|
Whenever you are processing input from untrusted sources (messages, files,
|
|
network) you must be as careful as possible
|
|
(e.g. set IFS appropriately, disable globbing with `set -f` and quote
|
|
everything). In addition remove unused scripts and examples
|
|
from your Bot (e.g. everything in `example/`) and disable/remove all unused bot
|
|
commands.
|
|
|
|
It's important to escape or remove `$` in input from user, files or network
|
|
(_as bashbot does_).
|
|
One of the powerful features of Unix shells is variable and command
|
|
substitution using `${}` and`$()` can lead to remote code execution (RCE) or
|
|
remote information disclosure (RID) bugs if unescaped `$` is included in
|
|
untrusted input (e.g. `$$` or `$(rm -rf /*)`).
|
|
|
|
A powerful tool to improve your scripts is `shellcheck`. You can [use it
|
|
online](https://www.shellcheck.net/) or
|
|
[install shellcheck
|
|
locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used
|
|
extensively in bashbot development
|
|
to ensure a high code quality (e.g. it's not allowed to push changes without
|
|
passing all shellcheck tests).
|
|
In addition bashbot has a [test suite](doc/7_develop.md) to check if important
|
|
functionality is working as expected.
|
|
|
|
### Use printf whenever possible
|
|
|
|
If you're writing a script that accepts external input (e.g. from the user as
|
|
arguments or the file system),
|
|
you shouldn't use echo to display it. [Use printf whenever
|
|
possible](https://unix.stackexchange.com/a/6581).
|
|
|
|
### Run your Bot as a restricted user
|
|
**I recommend running your bot as a user with almost no access rights.**
|
|
All files your Bot has write access to are in danger of being
|
|
overwritten/deleted if your bot is hacked.
|
|
For the same reason every file your Bot can read is in danger of being
|
|
disclosed. Restrict your Bots access rights to the absolute minimum.
|
|
|
|
**Never run your Bot as root, this is the most dangerous you can do!** Usually
|
|
the user 'nobody' has almost no rights on Linux/Unix systems. See [Expert
|
|
use](doc/4_expert.md) on how to run your Bot as an other user.
|
|
|
|
### Secure your Bot installation
|
|
**Your Bot configuration must not be readable by other users.** Everyone who
|
|
can read your Bots token is able to act as your Bot and has access to all chats
|
|
the Bot is in!
|
|
|
|
Everyone with read access to your Bot files can extract your Bots data.
|
|
Especially your Bot config in`config.jssh` must be protected against other
|
|
users. No one except you should have write access to the Bot files. The Bot
|
|
should be restricted to have write access to`count.jssh` and `data-bot-bash`
|
|
only, all other files must be write protected.
|
|
|
|
To set access rights for your bashbot installation to a reasonable default
|
|
run`sudo ./bashbot.sh init` after every update or change to your installation
|
|
directory.
|
|
|
|
## FAQ
|
|
|
|
### Is this Bot insecure?
|
|
Bashbot is not more (in)secure than a Bot written in another language. We have
|
|
done our best to make it as secure as possible. But YOU are responsible for the
|
|
bot commands you wrote and you should know about the risks ...
|
|
|
|
**Note:** Up to version 0.941 (mai/22/2020) telegram-bot-bash had a remote code
|
|
execution bug, please update if you use an older version!
|
|
|
|
### Why Bash and not the much better xyz?
|
|
Well, that's a damn good question... maybe because I'm a Unix admin from the
|
|
stone age. Nevertheless there are more reasons from my side:
|
|
|
|
- bashbot will run wherever bash and (gnu) sed is available, from embedded
|
|
Linux to mainframe
|
|
- easy to integrate with other shell scripts, e.g. for sending system message /
|
|
health status
|
|
- no need to install or learn a new programming language, library or framework
|
|
- no database, not event driven, not object oriented ...
|
|
|
|
### Can I have the single bashbot.sh file back?
|
|
At the beginning bashbot was simply the file`bashbot.sh` that you could copy
|
|
everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh',
|
|
'modules/*.sh' and much more.
|
|
|
|
Hey no problem, if you are finished with your cool bot,
|
|
run`dev/make-standalone.sh` to create a stripped down version of your bot
|
|
containing only
|
|
'bashbot.sh' and 'commands.sh'! For more information see [Create a stripped
|
|
down version of your Bot](doc/7_develop.md).
|
|
|
|
### Can I send messages from CLI and scripts?
|
|
Of course you can send messages from command line and scripts! Simply install
|
|
bashbot as [described here](#Your-really-first-bashbot-in-a-nutshell),
|
|
send the message '/start' to set yourself as botadmin and then stop the bot
|
|
with `./bashbot.sh stop`.
|
|
|
|
Bashbot provides some ready to use scripts for sending messages from command
|
|
line in `bin/` dir, e.g. `send_message.sh`.
|
|
|
|
```bash
|
|
bin/send_message.sh BOTADMIN "This is my first message send from CLI"
|
|
|
|
bin/send_message.sh --help
|
|
```
|
|
|
|
You can also source bashbot for use in your scripts, for more information see
|
|
[Expert Use](doc/4_expert.md).
|
|
|
|
|
|
### Blocked by telegram?
|
|
This may happen if too many or wrong requests are sent to api.telegram.org,
|
|
e.g. using a invalid token or invalid API calls.
|
|
If the block stay for longer time you can ask telegram service to unblock your
|
|
IP-Address.
|
|
|
|
You can check with curl or wget if you are blocked by Telegram:
|
|
```bash
|
|
curl -m 10 https://api.telegram.org/bot
|
|
#curl: (28) Connection timed out after 10001 milliseconds
|
|
|
|
wget -t 1 -T 10 https://api.telegram.org/bot
|
|
#Connecting to api.telegram.org (api.telegram.org)|46.38.243.234|:443...
|
|
failed: Connection timed out.
|
|
|
|
nc -w 2 api.telegram.org 443 || echo "your IP seems blocked by telegram"
|
|
#your IP seems blocked by telegram
|
|
```
|
|
|
|
Bashbot offers the option to recover from broken connections (blocked).
|
|
Therefore you can provide a function
|
|
named `bashbotBlockRecover()` in `mycommands.sh`, the function is called every
|
|
time when a broken connection is detected.
|
|
|
|
Possible actions are: Check if network is working, change IP-Address or simply
|
|
wait some time.
|
|
See `mycommnds.sh.dist` for an example.
|
|
|
|
---
|
|
|
|
@Gnadelwartz
|
|
|
|
## That's it all guys!
|
|
|
|
If you feel that there's something missing or if you found a bug, feel free to
|
|
submit a pull request!
|
|
|
|
#### $$VERSION$$ v1.21-pre-28-g5415f28
|