Merge pull request #146 Bashbot Version 1.0 preview

Version 1.0 preview

README.html

@@ -191,7 +191,7 @@ <h2>Security Considerations</h2>
 <p>Running a Telegram Bot means it is connected to the public and you never know what's send to your Bot.</p>
 <p>Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see <a href="https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells">Implications of wrong quoting</a></p>
 <p>Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.</p>
-<p><strong>Note:</strong> Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code execution (RCE) bug, please update if you use an older version! see <a href="https://github.com/topkecleon/telegram-bot-bash/issues/125">Issue #125</a></p>
+<p><strong>Note:</strong> Up to version v0.941 (mai/22/2020) telegram-bot-bash had a remote code execution (RCE) bug, please update if you use an older version! see <a href="https://github.com/topkecleon/telegram-bot-bash/issues/125">Issue #125</a></p>
 <p>One of the most powerful features of unix shells is variable and command substitution using <code>${}</code> and <code>$()</code>, but as they are expanded in double quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot. So it's more secure to escape or remove '$' in input from user, files or network.</p>
 <p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <a href="https://www.shellcheck.net/">use it online</a> or <a href="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensive in bashbot development to ensure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a <a href="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
 <h3>Use printf whenever possible</h3>
@@ -217,12 +217,12 @@ <h3>Run your Bot as a restricted user</h3>
 <p><strong>Never run your Bot as root, this is the most dangerous you can do!</strong> Usually the user 'nobody' has almost no rights on unix/linux systems. See <a href="doc/4_expert.md">Expert use</a> on how to run your Bot as an other user.</p>
 <h3>Secure your Bot installation</h3>
 <p><strong>Your Bot configuration must no be readable from other users.</strong> Everyone who can read your Bots token is able to act as your Bot and has access to all chats the Bot is in!</p>
-<p>Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in <code>token</code> must be protected against other users. No one except you should have write access to the Bot files. The Bot should be restricted to have write access to <code>count</code> and <code>tmp-bot-bash</code> only, all other files must be write protected.</p>
+<p>Everyone with read access to your Bot files can extract your Bots data. Especially your Bot config in <code>config.jssh</code> must be protected against other users. No one except you should have write access to the Bot files. The Bot should be restricted to have write access to <code>count.jssh</code> and <code>data-bot-bash</code> only, all other files must be write protected.</p>
 <p>To set access rights for your bashbot installation to a reasonable default run <code>sudo ./bashbot.sh init</code> after every update or change to your installation directory.</p>
 <h2>FAQ</h2>
 <h3>Is this Bot insecure?</h3>
 <p>Bashbot is not more (in)secure as any Bot written in an other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...</p>
-<p><strong>Note:</strong> Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, please update if you use an older version!</p>
+<p><strong>Note:</strong> Up to version 0.941 (mai/22/2020) telegram-bot-bash had a remote code execution bug, please update if you use an older version!</p>
 <h3>Why Bash and not the much better xyz?</h3>
 <p>Well, that's a damn good question ... may be because I'm an unix admin from stone age. Nevertheless there are more reasons from my side:</p>
 <ul>
@@ -235,7 +235,7 @@ <h3>Can I have the single bashbot.sh file back?</h3>
 <p>At the beginning bashbot was simply the file <code>bashbot.sh</code> you can copy everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.</p>
 <p>Hey no Problem, if you are finished with your cool bot run <code>dev/make-standalone.sh</code> to create a stripped down Version of your bot containing only 'bashbot.sh' and 'commands.sh'! For more information see <a href="doc/7_develop.md">Create a stripped down Version of your Bot</a></p>
 <h3>Can I send messages from CLI and scripts?</h3>
-<p>Of course, you can send messages from CLI and scripts, simply install bashbot as <a href="#Your-really-first-bashbot-in-a-nutshell">described here</a>, send the message '/start' to set yourself as botadmin and stop the bot with <code>./bashbot.sh kill</code>.</p>
+<p>Of course, you can send messages from CLI and scripts, simply install bashbot as <a href="#Your-really-first-bashbot-in-a-nutshell">described here</a>, send the message '/start' to set yourself as botadmin and stop the bot with <code>./bashbot.sh stop</code>.</p>
 <p>Run the following commands in your bash shell or script while you are in the installation directory:</p>
 <div class="sourceCode" id="cb5"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb5-1" title="1"><span class="co"># prepare bash / script to send commands</span></a>
 <a class="sourceLine" id="cb5-2" title="2"><span class="bu">export</span> <span class="va">BASHBOT_HOME=</span><span class="st">&quot;</span><span class="va">$(</span><span class="bu">pwd</span><span class="va">)</span><span class="st">&quot;</span></a>
@@ -269,6 +269,6 @@ <h3>Blocked by telegram?</h3>
 <p>@Gnadelwartz</p>
 <h2>That's it!</h2>
 <p>If you feel that there's something missing or if you found a bug, feel free to submit a pull request!</p>
-<h4>$$VERSION$$ 0.99-0-g2775000</h4>
+<h4>$$VERSION$$ 0.99-2-gacf9d84</h4>
 </body>
 </html>

README.md

@@ -129,7 +129,7 @@ Bash scripts in general are not designed to be bullet proof, so consider this Bo
 
 Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.
 
-**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code execution (RCE) bug, please update if you use an older version!
+**Note:** Up to version v0.941 (mai/22/2020) telegram-bot-bash had a remote code execution (RCE) bug, please update if you use an older version!
 see [Issue #125](https://github.com/topkecleon/telegram-bot-bash/issues/125)
 
 One of the most powerful features of unix shells is variable and command substitution using ```${}``` and ```$()```,
@@ -178,7 +178,7 @@ For the same reason every file your Bot can read is in danger to be disclosed. R
 ### Secure your Bot installation
 **Your Bot configuration must no be readable from other users.** Everyone who can read your Bots token is able to act as your Bot and has access to all chats the Bot is in!
 
-Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in ```token``` must be protected against other users. No one except you should have write access to the Bot files. The Bot should be restricted to have write access to ```count``` and  ```tmp-bot-bash``` only, all other files must be write protected.
+Everyone with read access to your Bot files can extract your Bots data. Especially your Bot config in ```config.jssh``` must be protected against other users. No one except you should have write access to the Bot files. The Bot should be restricted to have write access to ```count.jssh``` and  ```data-bot-bash``` only, all other files must be write protected.
 
 To set access rights for your bashbot installation to a reasonable default run ```sudo ./bashbot.sh init``` after every update or change to your installation directory.
 
@@ -187,7 +187,7 @@ To set access rights for your bashbot installation to a reasonable default run `
 ### Is this Bot insecure?
 Bashbot is not more (in)secure as any Bot written in an other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...
 
-**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, please update if you use an older version!
+**Note:** Up to version 0.941 (mai/22/2020) telegram-bot-bash had a remote code execution bug, please update if you use an older version!
 
 ### Why Bash and not the much better xyz?
 Well, that's a damn good question ... may be because I'm an unix admin from stone age. Nevertheless there are more reasons from my side:
@@ -205,7 +205,7 @@ Hey no Problem, if you are finished with your cool bot run ```dev/make-standalon
 
 ### Can I send messages from CLI and scripts?
 Of course, you can send messages from CLI and scripts, simply install bashbot as [described here](#Your-really-first-bashbot-in-a-nutshell),
-send the message '/start' to set yourself as botadmin and stop the bot with ```./bashbot.sh kill```.
+send the message '/start' to set yourself as botadmin and stop the bot with ```./bashbot.sh stop```.
 
 Run the following commands in your bash shell or script while you are in the installation directory:
 
@@ -261,4 +261,4 @@ bashbotBlockRecover() {
 
 If you feel that there's something missing or if you found a bug, feel free to submit a pull request!
 
-#### $$VERSION$$ 0.99-0-g2775000
+#### $$VERSION$$ 0.99-2-gacf9d84

README.txt

@@ -170,8 +170,8 @@ globbing (set -f) and quote everything. In addition delete unused scripts and
 examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable 
 all not used commands.
 
-**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code 
-execution (RCE) bug, please update if you use an older version!
+**Note:** Up to version v0.941 (mai/22/2020) telegram-bot-bash had a remote 
+code execution (RCE) bug, please update if you use an older version!
 see [Issue #125](https://github.com/topkecleon/telegram-bot-bash/issues/125)
 
 One of the most powerful features of unix shells is variable and command 
@@ -241,10 +241,10 @@ can read your Bots token is able to act as your Bot and has access to all chats
 the Bot is in!
 
 Everyone with read access to your Bot files can extract your Bots data. 
-Especially your Bot Token in ```token``` must be protected against other users. 
-No one except you should have write access to the Bot files. The Bot should be 
-restricted to have write access to ```count``` and  ```tmp-bot-bash``` only, 
-all other files must be write protected.
+Especially your Bot config in ```config.jssh``` must be protected against other 
+users. No one except you should have write access to the Bot files. The Bot 
+should be restricted to have write access to ```count.jssh``` and  
+```data-bot-bash``` only, all other files must be write protected.
 
 To set access rights for your bashbot installation to a reasonable default run 
 ```sudo ./bashbot.sh init``` after every update or change to your installation 
@@ -257,7 +257,7 @@ Bashbot is not more (in)secure as any Bot written in an other language, we have
 done our best to make it as secure as possible. But YOU are responsible for the 
 bot commands you wrote and you should know about the risks ...
 
-**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code 
+**Note:** Up to version 0.941 (mai/22/2020) telegram-bot-bash had a remote code 
 execution bug, please update if you use an older version!
 
 ### Why Bash and not the much better xyz?
@@ -286,7 +286,7 @@ down Version of your Bot](doc/7_develop.md)
 Of course, you can send messages from CLI and scripts, simply install bashbot 
 as [described here](#Your-really-first-bashbot-in-a-nutshell),
 send the message '/start' to set yourself as botadmin and stop the bot with 
-```./bashbot.sh kill```.
+```./bashbot.sh stop```.
 
 Run the following commands in your bash shell or script while you are in the 
 installation directory:
@@ -351,4 +351,4 @@ wait
 If you feel that there's something missing or if you found a bug, feel free to 
 submit a pull request!
 
-#### $$VERSION$$ 0.99-0-g2775000
+#### $$VERSION$$ 0.99-2-gacf9d84

bashbot.sh

@@ -3,20 +3,20 @@
 # do not edit, this file will be overwritten on update
 
 # bashbot, the Telegram bot written in bash.
-# Written by Drew (@topkecleon) and Daniil Gentili (@danogentili), KayM (@gnadelwartz).
-# Also contributed: JuanPotato, BigNerd95, TiagoDanin, iicc1.
+# Written by Drew (@topkecleon) KayM (@gnadelwartz).
+# Also contributed: Daniil Gentili (@danogentili), JuanPotato, BigNerd95, TiagoDanin, iicc1.
 # https://github.com/topkecleon/telegram-bot-bash
 
 # Depends on JSON.sh (http://github.com/dominictarr/JSON.sh) (MIT/Apache),
 # This file is public domain in the USA and all free countries.
 # Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying)
 #
-#### $$VERSION$$ 0.99-0-g2775000
+#### $$VERSION$$ 0.99-10-gb9c8dc0
 #
 # Exit Codes:
 # - 0 success (hopefully)
 # - 1 can't change to dir
-# - 2 can't write to tmp, count or token 
+# - 2 can't write to tmp, count or token
 # - 3 user / command / file not found
 # - 4 unknown command
 # - 5 cannot connect to telegram bot
@@ -39,7 +39,6 @@ fi
 _exists() {
 	[ "$(LC_ALL=C type -t "${1}")" = "file" ]
 }
-
 # execute function if exists
 _exec_if_function() {
 	[ "$(LC_ALL=C type -t "${1}")" != "function" ] && return 1
@@ -50,7 +49,7 @@ _is_function() {
 	[ "$(LC_ALL=C type -t "${1}")" = "function" ]
 }
 # round $1 in international notation! , returns float with $2 decimal digits
-# if $2 is not fiven or is not a positive number, it's set to zero
+# if $2 is not given or is not a positive number zero is assumed
 _round_float() {
 	local digit="${2}"; [[ "${2}" =~ ^[0-9]+$ ]] || digit="0"
 	LC_ALL=C printf "%.${digit}f" "${1}"
@@ -64,13 +63,13 @@ getConfigKey() {
 	[[ "$1" =~ ^[-a-zA-Z0-9,._]+$ ]] || return 3
 	[ -r "${BOTCONFIG}.jssh" ] && sed -n 's/\["'"$1"'"\]\t*"\(.*\)"/\1/p' <"${BOTCONFIG}.jssh" | tail -n 1
 }
-# $1 token
+# check if $1 seems a valid token
 # return true if token seems to be valid
 check_token(){
 	[[ "${1}" =~ ^[0-9]{8,10}:[a-zA-Z0-9_-]{35}$ ]] && return 0
 	return 1
 }
-# log error to ERRORLOG with date
+# log $1 to ERRORLOG with date
 log_error(){
 	printf "%s: %s\n" "$(date)" "$*" >>"${ERRORLOG}"
 }
@@ -110,7 +109,7 @@ fi
 BOTCOMMANDS="start, stop, status, help, init, stats, broadcast, suspendback, resumeback, killback"
 [[ -z "$1" && -z "${SOURCE}" ]] &&  echo -e "${ORANGE}Available commands: ${GREY}${BOTCOMMANDS}${NC}" && exit
 if [ "$1" = "help" ]; then
-		HELP="README"
+		HELP="${BASHBOT_HOME:-.}/README"
 		if [ -n "${CLEAR}" ];then
 			_exists w3m && w3m "$HELP.html" && exit
 			_exists lynx && lynx "$HELP.html" && exit
@@ -129,7 +128,7 @@ fi
 [ -z "${BASHBOT_VAR}" ] && BASHBOT_VAR="$BASHBOT_HOME"
 
 ADDONDIR="${BASHBOT_ETC:-.}/addons"
-RUNUSER="${USER}" # USER is overwritten by bashbot array
+RUNUSER="${USER}" # USER is overwritten by bashbot array :-(, save original
 
 # OK everything setup, lest start
 if [[ -z "${SOURCE}" && -z "$BASHBOT_HOME" ]] && ! cd "${RUNDIR}" ; then
@@ -155,12 +154,12 @@ COUNTFILE="${BASHBOT_VAR:-.}/count"
 
 LOGDIR="${RUNDIR:-.}/logs"
 
-# we assume everything is already set up correctly if we have TOKEN
+# assume everything already set up correctly if TOKEN is set
 if [ -z "${BOTTOKEN}" ]; then
   # BOTCONFIG does not exist, create
   [ ! -f "${BOTCONFIG}.jssh" ] &&
 		printf '["bot_config_key"]\t"config_key_value"\n' >>"${BOTCONFIG}.jssh"
-  # BOTTOKEN empty read ask user
+  # do we have already a token?
   if [ -z "$(getConfigKey "bottoken")" ]; then
      # convert old token
      if [ -r "${TOKENFILE}" ]; then
@@ -178,7 +177,7 @@ if [ -z "${BOTTOKEN}" ]; then
      [ -n "${token}" ] && printf '["bottoken"]\t"%s"\n'  "${token}" >> "${BOTCONFIG}.jssh"
   fi
 
-  # setup botadmin file
+  # no boteadmin, setup botadmin
   if [ -z "$(getConfigKey "botadmin")" ]; then
      # convert old admin
      if [ -r "${BOTADMIN}" ]; then
@@ -874,7 +873,7 @@ process_message() {
 		LEFTMEBER[USERNAME]="$(JsonDecode "${UPD["result",${num},"message","left_chat_member","username"]}")"
 		LEFTMEMBER[ISBOT]="${UPD["result",${num},"message","left_chat_member","is_bot"]}"
 		[ -z "${MESSAGE[0]}" ] &&\
-		MESSAGE[0]="/_left_chat_member ${NEWMEMBER[ID]} ${LEFTMEMBER[USERNAME]:=${LEFTMEMBER[FIRST_NAME]} ${LEFTMEMBER[LAST_NAME]}}"
+		MESSAGE[0]="/_left_chat_member ${LEFTMEMBER[ID]} ${LEFTMEMBER[USERNAME]:=${LEFTMEMBER[FIRST_NAME]} ${LEFTMEMBER[LAST_NAME]}}"
 	fi
 	if grep -qs -e '\["result",'"${num}"',"message","new_chat_[tp]' <<<"${UPDATE}"; then
 		SERVICE[NEWTITLE]="$(JsonDecode "${UPD["result",${num},"message","new_chat_title"]}")"
@@ -937,8 +936,10 @@ start_bot() {
 	# cleanup countfile on startup
 	jssh_deleteKeyDB "CLEAN_COUNTER_DATABASE_ON_STARTUP" "${COUNTFILE}"
         [ -f "${COUNTFILE}.jssh.flock" ] && rm -f "${COUNTFILE}.jssh.flock"
-	jssh_deleteKeyDB "CLEAN_BOT_BOTCONFIG_ON_STARTUP" "${BOTCONFIG}"
+	# store start time and cleanup botconfig on startup
+	jssh_updateKeyDB "startup" "$(date)" "${BOTCONFIG}"
         [ -f "${BOTCONFIG}.jssh.flock" ] && rm -f "${BOTCONFIG}.jssh.flock"
+	# read blocked users
 	jssh_readDB_async "BASHBOTBLOCKED" "${BLOCKEDFILE}"
 	# inform botadmin about start
 	ADMIN="$(getConfigKey "botadmin")"

commands.sh

@@ -15,7 +15,7 @@
 # This file is public domain in the USA and all free countries.
 # Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying)
 #
-#### $$VERSION$$ 0.99-0-g2775000
+#### $$VERSION$$ 0.99-5-gaec7345
 #
 
 # adjust your language setting here, e.g.when run from other user or cron.
@@ -27,15 +27,15 @@ export 'LANGUAGE=C.UTF-8'
 unset IFS
 # set -f # if you are paranoid use set -f to disable globbing
 
-#                                                            
+#-----------------------------
 # this file *MUST* not edited!
 # copy "mycommands.sh.dist" to "mycommnds.sh" and change the strings there
 bashbot_info='This is bashbot, the Telegram bot written entirely in bash.
 It features background tasks and interactive chats, and can serve as an interface for CLI programs.
 It currently can send, receive and forward messages, custom keyboards, photos, audio, voice, documents, locations and video files.
 '
 
-#                                                            
+#-----------------------------
 # this file *MUST* not edited!
 # copy "mycommands.sh.dist" to "mycommnds.sh" and change the strings there
 bashbot_help='Place your own commands and messages in mycommands.sh
@@ -52,7 +52,7 @@ Written by Drew (@topkecleon), Daniil Gentili (@danogentili) and KayM(@gnadelwar
 Get the code in my [GitHub](http://github.com/topkecleon/telegram-bot-bash)
 '
 
-# load modues on startup and always on on debug
+# load modules on startup and always on on debug
 if [ -n "${1}" ]; then
     # load all readable modules
     for modules in "${MODULEDIR:-.}"/*.sh ; do
@@ -63,7 +63,7 @@ if [ -n "${1}" ]; then
     done
 fi
 
-#                                                            
+#----------------------------
 # this file *MUST* not edited!
 # copy "mycommands.sh.dist" to "mycommnds.sh" and change the values there
 # defaults to no inline and nonsense home dir