Go to file
2019-05-23 20:31:06 +02:00
.github/ISSUE_TEMPLATE Update issue templates 2019-04-12 14:31:52 +02:00
dev autodetect sourcing, add CURL and WGET options, e.g. for using tor 2019-05-23 19:40:15 +02:00
doc autodetect sourcing, add CURL and WGET options, e.g. for using tor 2019-05-23 19:40:15 +02:00
examples start 0.90-dev - convert to array 2019-05-22 18:43:20 +02:00
modules start 0.90-dev - convert to array 2019-05-22 18:43:20 +02:00
test autodetect sourcing, add CURL and WGET options, e.g. for using tor 2019-05-23 19:40:15 +02:00
.gitignore Bashbot Version 0.80 2019-05-22 16:28:06 +02:00
.gitmodules Added a license for the unfortunate souls whose governments don't allow public domain. 2016-04-19 05:49:35 -04:00
bashbot.rc start 0.90-dev - convert to array 2019-05-22 18:43:20 +02:00
bashbot.sh fix missing ME on startup 2019-05-23 20:05:42 +02:00
commands.sh start 0.90-dev - convert to array 2019-05-22 18:43:20 +02:00
LICENSE Added a license for the unfortunate souls whose governments don't allow public domain. 2016-04-19 05:49:35 -04:00
mycommands.sh autodetect sourcing, add CURL and WGET options, e.g. for using tor 2019-05-23 19:40:15 +02:00
README.html fix bashbot.sh source errors and update documentation 2019-05-23 13:32:13 +02:00
README.md FAQ: blocked by api.telegram.org 2019-05-23 20:31:06 +02:00
README.txt fix bashbot.sh source errors and update documentation 2019-05-23 13:32:13 +02:00

Bashbot - A Telegram bot written in bash.

Written by Drew (@topkecleon), Daniil Gentili (@danogentili), and Kay M (@gnadelwartz).

Contributions by JuanPotato, BigNerd95, TiagoDanin, and iicc1.

Released to the public domain wherever applicable. Elsewhere, consider it released under the WTFPLv2.

Prerequisites

Uses JSON.sh, but no more TMUX.

Even bashbot is written in bash, it depends on commands typically availible in a Unix/Linux Environment. More concret on the common commands provided by coreutils, busybox or toybox, see Developer Notes

Bashbot Documentation and Downloads are availible on www.github.com

Documentation

Security Considerations

Running a Telegram Bot means it is connected to the public and you never know whats send to your Bot.

Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see Implications of wrong quoting

Whenever you are processing input from from untrusted sources (messages, files, network) you must be as carefull as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everthing. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.

A powerful tool to improve your scripts is shellcheck. You can use it online or install shellcheck locally. Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a test suite to check if important functionality is working as expected.

Run your Bot as a restricted user

I recommend to run your bot as a user, with almost no access rights. All files your Bot have write access to are in danger to be overwritten/deleted if your bot is hacked. For the same reason ervery file your Bot can read is in danger to be disclosed. Restict your Bots access rigths to the absolute minimum.

Never run your Bot as root, this is the most dangerous you can do! Usually the user 'nobody' has almost no rights on Unix/Linux systems. See Expert use on how to run your Bot as an other user.

Secure your Bot installation

Your Bot configuration must no be readable from other users. Everyone who can read your Bots token can act as your Bot and has access to all chats your Bot is in!

Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in token must be protected against other users. No one exept you must have write access to the Bot files. The Bot must be restricted to have write access to count and tmp-bot-bash only, all other files must be write protected.

To set access rights for your bashbot installation to a reasonable default run sudo ./bashbot.sh init after every update or change to your installation directory.

FAQ

Is this Bot insecure?

Bashbot is not more (in)secure as any other Bot written in any other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...

Why Bash and not the much better xyz?

Well, thats a damn good question ... may be because I'm an Unix/Linux admin from stone age. Nevertheless there are more reasons from my side:

  • bashbot will run everywhere where bash is availible, from ebedded linux to mainframe
  • easy to integrate with other shell script, e.g. for sending system message / health status
  • no need to install or learn a new programming language, library or framework
  • no database, not event driven, not OO ...

Can I have the single bashbot.sh file back?

At the beginning bashbot was simply the file bashbot.sh you can copy everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.

Hey no Problem, if you are finished with your cool bot run dev/make-standalone.sh to create a stripped down Version of your bot containing only 'bashbot.sh' and 'commands.sh'! For more information see Create a stripped down Version of your Bot

I get "EXPECTED value GOT EOF" on start

May be your IP is blocked by telgram and curl/wget reach it's timeout (default 20s in bashbot). You can test this by running curl or wget manually:

curl -m 10  https://api.telegram.org/bot
curl: (28) Connection timed out after 10001 milliseconds

wget -t 1 -T 10 https://api.telegram.org/bot
Connecting to api.telegram.org (api.telegram.org)|46.38.243.234|:443... failed: Connection timed out.

This may happen if someone send to many wrong requests, e.g. wrong bot token, to api.telegram.org. If you have a fixed IP you can ask telegram service to unblock your ip or change your IP. If you are running a tor proxy on your server you may uncomment the 'BASHBOT_CURL_ARGS' line in 'mycommands.sh'

@Gnadelwartz

That's it!

If you feel that there's something missing or if you found a bug, feel free to submit a pull request!

$$VERSION$$ v0.90-dev-3-g80a4778