fix: mask secret info from bash logs (#2360)
* Do not print secrets such as registration secret and router password to console on selenium grid hub and router startup (#2359)

* fix: mask secret info from bash logs

Signed-off-by: Viet Nguyen Duc <[email protected]>

---------

Signed-off-by: Viet Nguyen Duc <[email protected]>
Co-authored-by: Florian Rudisch <[email protected]>
VietND96 and frudisch authored Aug 18, 2024
1 parent 40676da commit 0a4a778
Showing 13 changed files with 48 additions and 20 deletions.
1 change: 1 addition & 0 deletions Base/Dockerfile
Expand Up @@ -128,6 +128,7 @@ RUN if [ "$(dpkg --print-architecture)" = "amd64" ]; then \
# Add Grid check script
#======================================
COPY --chown="${SEL_UID}:${SEL_GID}" check-grid.sh entry_point.sh configs/node/nodeGridUrl.sh configs/node/nodePreStop.sh /opt/bin/
COPY --chown="${SEL_UID}:${SEL_GID}" mask /usr/local/bin/

#======================================
# Add Supervisor configuration file
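--- a/Base/mask
+++ b/Base/mask
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+SE_MASK_SECRETS_MIN_LENGTH=${SE_MASK_SECRETS_MIN_LENGTH:-3}
+SE_MASK_SECRETS_KEEP_LAST=${SE_MASK_SECRETS_KEEP_LAST:-0}
+if [ "${SE_MASK_SECRETS:-true}" = "true" ]; then
+n=${SE_MASK_SECRETS_KEEP_LAST}
+[[ ${#1} -le ${SE_MASK_SECRETS_MIN_LENGTH} ]] && n=$(( ${#1} - ${SE_MASK_SECRETS_MIN_LENGTH} ))
+a="${1:0:${#1}-n}"
+a="${a:0:${SE_MASK_SECRETS_MIN_LENGTH}}"
+b="${1:${#1}-n}"
+printf "%s%s" "${a//?/*}" "$b"
+else
+printf "%s" "$1"
+fi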
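Review bot: The keep-last count is never bounded by the secret's length, so when `SE_MASK_SECRETS_KEEP_LAST` equals `${#1}` for a secret longer than the minimum length, `a` becomes empty and `b="${1:${#1}-n}"` is the whole secret, which is then printed unmasked. Clamp it right after the short-secret adjustment, for example `[[ ${n} -ge ${#1} ]] && n=0`. Both `SE_MASK_SECRETS_MIN_LENGTH` and `SE_MASK_SECRETS_KEEP_LAST` also flow into arithmetic contexts without being checked to be non-negative integers; rejecting anything that does not match `^[0-9]+$` would keep a mistyped setting from changing what is printed. Secrets no longer than the minimum length are masked with one `*` per character, so their length is still visible in the log.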
4 changes: 2 additions & 2 deletions Distributor/start-selenium-grid-distributor.sh
Expand Up @@ -85,7 +85,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
fi
if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
fi
echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"
Expand All @@ -102,7 +102,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
fi

if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
echo "Appending Selenium options: --registration-secret $(mask ${SE_REGISTRATION_SECRET})"
SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
fi

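Review bot: The trust store password was not written to the log at all before this change (the earlier message stopped at `-Djavax.net.ssl.trustStorePassword`), and the new echo prints it in clear whenever `SE_MASK_SECRETS` is `false` and prints its trailing characters whenever `SE_MASK_SECRETS_KEEP_LAST` is set. Keeping the value-free message for this option would avoid widening what reaches the console. Where a masked value is kept, the argument should be quoted, `$(mask "${SE_REGISTRATION_SECRET}")`, because unquoted it is word-split and glob-expanded, so `mask` only receives the first word of a secret that contains whitespace. The same two points apply to the matching lines in the EventBus, Hub, NodeBase, NodeDocker, Router, SessionQueue, Sessions, Standalone and StandaloneDocker start scripts. The enclosing `if` blocks start outside the hunks.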
2 changes: 1 addition & 1 deletion EventBus/start-selenium-grid-eventbus.sh
Expand Up @@ -50,7 +50,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
fi
if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
fi
echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"
6 changes: 3 additions & 3 deletions Hub/start-selenium-grid-hub.sh
Expand Up @@ -53,7 +53,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
fi
if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
fi
echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"
Expand All @@ -70,7 +70,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
fi

if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
echo "Appending Selenium options: --registration-secret $(mask ${SE_REGISTRATION_SECRET})"
SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
fi

Expand All @@ -85,7 +85,7 @@ if [ ! -z "$SE_ROUTER_USERNAME" ]; then
fi

if [ ! -z "$SE_ROUTER_PASSWORD" ]; then
echo "Appending Selenium options: --password ${SE_ROUTER_PASSWORD}"
echo "Appending Selenium options: --password $(mask ${SE_ROUTER_PASSWORD})"
SE_OPTS="$SE_OPTS --password ${SE_ROUTER_PASSWORD}"
fi

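Review bot: Masking the echo does not change the assignment that follows it in each block, `SE_OPTS="$SE_OPTS --password ${SE_ROUTER_PASSWORD}"`, so the router password and the registration secret still travel in `SE_OPTS`. How `SE_OPTS` is consumed is outside these hunks, but if it is expanded onto the Java command line the values remain readable from the process list inside the container, and any later `echo` of `SE_OPTS` or a `set -x` trace would print them unmasked. A comment next to the assignment such as `# secret: never echo SE_OPTS; prefer a config file over argv` would make that limit explicit. Router/start-selenium-grid-router.sh builds `SE_OPTS` the same way.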
6 changes: 4 additions & 2 deletions NodeBase/start-selenium-node.sh
Expand Up @@ -19,6 +19,8 @@ function append_se_opts() {
if [[ "${SE_OPTS}" != *"${option}"* ]]; then
if [ "${log_message}" = "true" ]; then
echo "Appending Selenium option: ${option} ${value}"
else
echo "Appending Selenium option: ${option} $(mask ${value})"
fi
SE_OPTS="${SE_OPTS} ${option}"
if [ ! -z "${value}" ]; then
Expand Down Expand Up @@ -99,7 +101,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
fi
if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
fi
echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"
Expand All @@ -114,7 +116,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
fi

if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
append_se_opts "--registration-secret" "${SE_REGISTRATION_SECRET}"
append_se_opts "--registration-secret" "${SE_REGISTRATION_SECRET}" "false"
fi

if [ "$GENERATE_CONFIG" = true ]; then
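Review bot: The added `else` branch changes what `log_message` means in `append_se_opts`: any value other than `"true"` used to suppress the log line and now prints the option with a masked value. The callers and the parameter's default are outside this hunk, so it is worth confirming that no existing caller passes a non-`true` value expecting silence. Since the flag now selects between clear and masked output, a comment above the branch such as `# log_message != true: value is treated as a secret and logged masked` would keep the name from misleading the next reader. Standalone/start-selenium-standalone.sh carries the same function change.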
2 changes: 1 addition & 1 deletion NodeDocker/start-selenium-grid-docker.sh
Expand Up @@ -73,7 +73,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
fi
if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
fi
echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"
11 changes: 10 additions & 1 deletion README.md
Expand Up @@ -64,6 +64,7 @@ Talk to us at https://www.selenium.dev/support/
* [Running in Headless mode](#running-in-headless-mode)
* [Stopping the Node/Standalone after N sessions have been executed](#stopping-the-nodestandalone-after-n-sessions-have-been-executed)
* [Automatic browser leftovers cleanup](#automatic-browser-leftovers-cleanup)
* [Mask sensitive information in console logs](#mask-sensitive-information-in-console-logs)
* [Secure Connection](#secure-connection)
* [Building the images](#building-the-images)
* [Build the images with specific versions](#build-the-images-with-specific-versions)
Expand Down Expand Up @@ -1092,7 +1093,7 @@ By default, Selenium is reachable at `http://127.0.0.1:4444/`. Selenium can be c
environmental variable. In the example below Selenium is reachable at `http://127.0.0.1:4444/selenium-grid/`

```bash
$ docker run -d -p 4444:4444 -e SE_SUB_PATH=/selenium-grid/ --name selenium-hub selenium/hub:4.9.0-20230421
$ docker run -d -p 4444:4444 -e SE_SUB_PATH=/selenium-grid/ --name selenium-hub selenium/hub:4.23.1-20240813
```

### Setting Screen Resolution
Expand Down Expand Up @@ -1208,6 +1209,14 @@ running longer than 1 hour (instead of 2 hours), and will remove temp files olde

---

## Mask sensitive information in console logs

Few variables output like password, secret, etc. are masked in console logs. For debugging purposes, you can disable it by setting `SE_MASK_SECRETS` to `false`

While creating bash script, your can mask the output by using syntax `echo "Current value is $(mask ${YOUR_VARIABLE})`

`SE_MASK_SECRETS_MIN_LENGTH` default is `3`. It means a long string will be masked to `***` to avoid exposing length for brute force attack.

## Secure connection

By default, there are default self-signed certificates available in the image in location `/opt/selenium/secrets` includes
6 changes: 3 additions & 3 deletions Router/start-selenium-grid-router.sh
Expand Up @@ -85,7 +85,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
fi
if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
fi
echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"
Expand All @@ -102,7 +102,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
fi

if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
echo "Appending Selenium options: --registration-secret $(mask ${SE_REGISTRATION_SECRET})"
SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
fi

Expand All @@ -117,7 +117,7 @@ if [ ! -z "$SE_ROUTER_USERNAME" ]; then
fi

if [ ! -z "$SE_ROUTER_PASSWORD" ]; then
echo "Appending Selenium options: --password ${SE_ROUTER_PASSWORD}"
echo "Appending Selenium options: --password $(mask ${SE_ROUTER_PASSWORD})"
SE_OPTS="$SE_OPTS --password ${SE_ROUTER_PASSWORD}"
fi

4 changes: 2 additions & 2 deletions SessionQueue/start-selenium-grid-session-queue.sh
Expand Up @@ -50,7 +50,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
fi
if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
fi
echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"
Expand All @@ -67,7 +67,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
fi

if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
echo "Appending Selenium options: --registration-secret $(mask ${SE_REGISTRATION_SECRET})"
SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
fi

4 changes: 2 additions & 2 deletions Sessions/start-selenium-grid-sessions.sh
Expand Up @@ -65,7 +65,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
fi
if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
fi
echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"
Expand All @@ -82,7 +82,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
fi

if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
echo "Appending Selenium options: --registration-secret $(mask ${SE_REGISTRATION_SECRET})"
SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
fi

6 changes: 4 additions & 2 deletions Standalone/start-selenium-standalone.sh
Expand Up @@ -19,6 +19,8 @@ function append_se_opts() {
if [[ "${SE_OPTS}" != *"${option}"* ]]; then
if [ "${log_message}" = "true" ]; then
echo "Appending Selenium option: ${option} ${value}"
else
echo "Appending Selenium option: ${option} $(mask ${value})"
fi
SE_OPTS="${SE_OPTS} ${option}"
if [ ! -z "${value}" ]; then
Expand Down Expand Up @@ -47,7 +49,7 @@ if [ ! -z "$SE_ROUTER_USERNAME" ]; then
fi

if [ ! -z "$SE_ROUTER_PASSWORD" ]; then
append_se_opts "--password" "${SE_ROUTER_PASSWORD}"
append_se_opts "--password" "${SE_ROUTER_PASSWORD}" "false"
fi

if [ ! -z "$SE_NODE_ENABLE_MANAGED_DOWNLOADS" ]; then
Expand Down Expand Up @@ -97,7 +99,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
fi
if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
fi
echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"
2 changes: 1 addition & 1 deletion StandaloneDocker/start-selenium-grid-docker.sh
Expand Up @@ -78,7 +78,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
fi
if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
fi
echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"
