From 0a4a7782eeaff6b264a689d5e478bfeaffad7253 Mon Sep 17 00:00:00 2001
From: Viet Nguyen Duc
Date: Sun, 18 Aug 2024 07:33:02 +0000
Subject: [PATCH] fix: mask secret info from bash logs (#2360)
* Do not print secrets such as registration secret and router password to console on selenium grid hub and router startup (#2359)
* fix: mask secret info from bash logs
Signed-off-by: Viet Nguyen Duc
---------
Signed-off-by: Viet Nguyen Duc
Co-authored-by: Florian Rudisch
---
 Base/Dockerfile | 1 +
 Base/mask | 14 ++++++++++++++
 Distributor/start-selenium-grid-distributor.sh | 4 ++--
 EventBus/start-selenium-grid-eventbus.sh | 2 +-
 Hub/start-selenium-grid-hub.sh | 6 +++---
 NodeBase/start-selenium-node.sh | 6 ++++--
 NodeDocker/start-selenium-grid-docker.sh | 2 +-
 README.md | 11 ++++++++++-
 Router/start-selenium-grid-router.sh | 6 +++---
 SessionQueue/start-selenium-grid-session-queue.sh | 4 ++--
 Sessions/start-selenium-grid-sessions.sh | 4 ++--
 Standalone/start-selenium-standalone.sh | 6 ++++--
 StandaloneDocker/start-selenium-grid-docker.sh | 2 +-
 13 files changed, 48 insertions(+), 20 deletions(-)
 create mode 100755 Base/mask
diff --git a/Base/Dockerfile b/Base/Dockerfile
index d8cbbdf15..8aca5e92d 100644
--- a/Base/Dockerfile
+++ b/Base/Dockerfile
@@ -128,6 +128,7 @@ RUN if [ "$(dpkg --print-architecture)" = "amd64" ]; then \
 # Add Grid check script
 #======================================
 COPY --chown="${SEL_UID}:${SEL_GID}" check-grid.sh entry_point.sh configs/node/nodeGridUrl.sh configs/node/nodePreStop.sh /opt/bin/
+COPY --chown="${SEL_UID}:${SEL_GID}" mask /usr/local/bin/
 #======================================
 # Add Supervisor configuration file
diff --git a/Base/mask b/Base/mask
new file mode 100755
index 000000000..480c9e805
--- /dev/null
+++ b/Base/mask
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+SE_MASK_SECRETS_MIN_LENGTH=${SE_MASK_SECRETS_MIN_LENGTH:-3}
+SE_MASK_SECRETS_KEEP_LAST=${SE_MASK_SECRETS_KEEP_LAST:-0}
+if [ "${SE_MASK_SECRETS:-true}" = "true" ]; then
+ n=${SE_MASK_SECRETS_KEEP_LAST}
+ [[ ${#1} -le ${SE_MASK_SECRETS_MIN_LENGTH} ]] && n=$(( ${#1} - ${SE_MASK_SECRETS_MIN_LENGTH} ))
+ a="${1:0:${#1}-n}"
+ a="${a:0:${SE_MASK_SECRETS_MIN_LENGTH}}"
+ b="${1:${#1}-n}"
+ printf "%s%s" "${a//?/*}" "$b"
+else
+ printf "%s" "$1"
+fi
diff --git a/Distributor/start-selenium-grid-distributor.sh b/Distributor/start-selenium-grid-distributor.sh
index 83cdf5406..b09fbaac7 100755
--- a/Distributor/start-selenium-grid-distributor.sh
+++ b/Distributor/start-selenium-grid-distributor.sh
@@ -85,7 +85,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
 SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
 fi
 if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
- echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
+ echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
 SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
 fi
 echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"
@@ -102,7 +102,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
 fi
 if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
- echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
+ echo "Appending Selenium options: --registration-secret $(mask ${SE_REGISTRATION_SECRET})"
 SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
 fi
diff --git a/EventBus/start-selenium-grid-eventbus.sh b/EventBus/start-selenium-grid-eventbus.sh
index 5742c8ce3..be663290d 100755
--- a/EventBus/start-selenium-grid-eventbus.sh
+++ b/EventBus/start-selenium-grid-eventbus.sh
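Review bot: The enable check on the `if` line fails open: only the exact string `true` keeps masking on, so a value such as `TRUE` or `1` in `SE_MASK_SECRETS` prints every secret in clear, whereas `if [ "${SE_MASK_SECRETS:-true}" != "false" ]; then` turns masking off only for the opt-out value the README documents. `n` is also never clamped to the input length, so `SE_MASK_SECRETS_KEEP_LAST=6` prints a six-character value unmasked; replacing the `[[ ... -le ... ]]` line with `(( n > ${#1} - SE_MASK_SECRETS_MIN_LENGTH )) && n=$(( ${#1} - SE_MASK_SECRETS_MIN_LENGTH ))` guarantees at least the minimum number of masked characters and gives the same result as today for inputs at or below the minimum. Inputs shorter than the minimum still print one `*` per character, so one- and two-character values reveal their length despite the README's wording. A header comment naming the three `SE_MASK_SECRETS*` variables with their defaults would help, since the README hunk does not describe `SE_MASK_SECRETS_KEEP_LAST`.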
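Review bot: The new log line passes the secret to `mask` unquoted, `$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})`, and `mask` reads only `$1`, so a password containing whitespace is masked as its first word only and one containing `*` or `?` is glob-expanded against the working directory before masking; quote it, `$(mask "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}")`. The same unquoted call appears in the `--registration-secret` hunk below and in the EventBus, Hub, NodeBase, NodeDocker, Router, SessionQueue, Sessions, Standalone and StandaloneDocker hunks, including `$(mask ${value})` inside `append_se_opts`. Only the log line is masked: the cleartext still goes into `SE_JAVA_OPTS` on the following line, which this commit leaves unchanged and which presumably ends up on the java command line. The enclosing `if [ "${SE_ENABLE_TLS}" = "true" ]` block starts outside the hunk.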
@@ -50,7 +50,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})" fi if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then - echo "Appending Java options: -Djavax.net.ssl.trustStorePassword" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})" SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" fi echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}" diff --git a/Hub/start-selenium-grid-hub.sh b/Hub/start-selenium-grid-hub.sh index 60cb5086e..9b12fa5f0 100755 --- a/Hub/start-selenium-grid-hub.sh +++ b/Hub/start-selenium-grid-hub.sh @@ -53,7 +53,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})" fi if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then - echo "Appending Java options: -Djavax.net.ssl.trustStorePassword" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})" SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" fi echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}" @@ -70,7 +70,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then fi if [ ! -z "$SE_REGISTRATION_SECRET" ]; then - echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}" + echo "Appending Selenium options: --registration-secret $(mask ${SE_REGISTRATION_SECRET})" SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}" fi 
@@ -85,7 +85,7 @@ if [ ! -z "$SE_ROUTER_USERNAME" ]; then fi if [ ! -z "$SE_ROUTER_PASSWORD" ]; then - echo "Appending Selenium options: --password ${SE_ROUTER_PASSWORD}" + echo "Appending Selenium options: --password $(mask ${SE_ROUTER_PASSWORD})" SE_OPTS="$SE_OPTS --password ${SE_ROUTER_PASSWORD}" fi diff --git a/NodeBase/start-selenium-node.sh b/NodeBase/start-selenium-node.sh index 7759d7351..95967c09f 100755 --- a/NodeBase/start-selenium-node.sh +++ b/NodeBase/start-selenium-node.sh @@ -19,6 +19,8 @@ function append_se_opts() { if [[ "${SE_OPTS}" != *"${option}"* ]]; then if [ "${log_message}" = "true" ]; then echo "Appending Selenium option: ${option} ${value}" + else + echo "Appending Selenium option: ${option} $(mask ${value})" fi SE_OPTS="${SE_OPTS} ${option}" if [ ! -z "${value}" ]; then @@ -99,7 +101,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})" fi if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then - echo "Appending Java options: -Djavax.net.ssl.trustStorePassword" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})" SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" fi echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}" @@ -114,7 +116,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then fi if [ ! -z "$SE_REGISTRATION_SECRET" ]; then - append_se_opts "--registration-secret" "${SE_REGISTRATION_SECRET}" + append_se_opts "--registration-secret" "${SE_REGISTRATION_SECRET}" "false" fi if [ "$GENERATE_CONFIG" = true ]; then diff --git a/NodeDocker/start-selenium-grid-docker.sh b/NodeDocker/start-selenium-grid-docker.sh index bac2bba84..d318b32ce 100755 --- a/NodeDocker/start-selenium-grid-docker.sh +++ b/NodeDocker/start-selenium-grid-docker.sh 
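Review bot: The third argument of `append_se_opts` now selects between a cleartext and a masked log line, but nothing in the hunk records that, and the name `log_message` suggests `false` suppresses the line rather than masking its value; a comment above the inner `if`, `# log_message=false: still log the option, but with the value masked`, keeps callers from relying on the wrong reading. The same applies to the matching hunk in Standalone/start-selenium-standalone.sh. The function `append_se_opts` starts before the hunk, so how `log_message` is defaulted when the third argument is omitted is not visible here.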
@@ -73,7 +73,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})" fi if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then - echo "Appending Java options: -Djavax.net.ssl.trustStorePassword" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})" SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" fi echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}" diff --git a/README.md b/README.md index fa4ef9986..ddf8330dc 100644 --- a/README.md +++ b/README.md @@ -64,6 +64,7 @@ Talk to us at https://www.selenium.dev/support/ * [Running in Headless mode](#running-in-headless-mode) * [Stopping the Node/Standalone after N sessions have been executed](#stopping-the-nodestandalone-after-n-sessions-have-been-executed) * [Automatic browser leftovers cleanup](#automatic-browser-leftovers-cleanup) + * [Mask sensitive information in console logs](#mask-sensitive-information-in-console-logs) * [Secure Connection](#secure-connection) * [Building the images](#building-the-images) * [Build the images with specific versions](#build-the-images-with-specific-versions) @@ -1092,7 +1093,7 @@ By default, Selenium is reachable at `http://127.0.0.1:4444/`. Selenium can be c environmental variable. In the example below Selenium is reachable at `http://127.0.0.1:4444/selenium-grid/` ```bash -$ docker run -d -p 4444:4444 -e SE_SUB_PATH=/selenium-grid/ --name selenium-hub selenium/hub:4.9.0-20230421 +$ docker run -d -p 4444:4444 -e SE_SUB_PATH=/selenium-grid/ --name selenium-hub selenium/hub:4.23.1-20240813 ``` ### Setting Screen Resolution 
@@ -1208,6 +1209,14 @@ running longer than 1 hour (instead of 2 hours), and will remove temp files olde --- +## Mask sensitive information in console logs + +Few variables output like password, secret, etc. are masked in console logs. For debugging purposes, you can disable it by setting `SE_MASK_SECRETS` to `false` + +While creating bash script, your can mask the output by using syntax `echo "Current value is $(mask ${YOUR_VARIABLE})` + +`SE_MASK_SECRETS_MIN_LENGTH` default is `3`. It means a long string will be masked to `***` to avoid exposing length for brute force attack. + ## Secure connection By default, there are default self-signed certificates available in the image in location `/opt/selenium/secrets` includes diff --git a/Router/start-selenium-grid-router.sh b/Router/start-selenium-grid-router.sh index c7e5e5ca2..2158fa623 100755 --- a/Router/start-selenium-grid-router.sh +++ b/Router/start-selenium-grid-router.sh @@ -85,7 +85,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})" fi if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then - echo "Appending Java options: -Djavax.net.ssl.trustStorePassword" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})" SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" fi echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}" @@ -102,7 +102,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then fi if [ ! -z "$SE_REGISTRATION_SECRET" ]; then - echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}" + echo "Appending Selenium options: --registration-secret $(mask ${SE_REGISTRATION_SECRET})" SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}" fi 
@@ -117,7 +117,7 @@ if [ ! -z "$SE_ROUTER_USERNAME" ]; then fi if [ ! -z "$SE_ROUTER_PASSWORD" ]; then - echo "Appending Selenium options: --password ${SE_ROUTER_PASSWORD}" + echo "Appending Selenium options: --password $(mask ${SE_ROUTER_PASSWORD})" SE_OPTS="$SE_OPTS --password ${SE_ROUTER_PASSWORD}" fi diff --git a/SessionQueue/start-selenium-grid-session-queue.sh b/SessionQueue/start-selenium-grid-session-queue.sh index e96d75ca3..fba1f28ab 100755 --- a/SessionQueue/start-selenium-grid-session-queue.sh +++ b/SessionQueue/start-selenium-grid-session-queue.sh @@ -50,7 +50,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})" fi if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then - echo "Appending Java options: -Djavax.net.ssl.trustStorePassword" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})" SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" fi echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}" @@ -67,7 +67,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then fi if [ ! -z "$SE_REGISTRATION_SECRET" ]; then - echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}" + echo "Appending Selenium options: --registration-secret $(mask ${SE_REGISTRATION_SECRET})" SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}" fi diff --git a/Sessions/start-selenium-grid-sessions.sh b/Sessions/start-selenium-grid-sessions.sh index 142168cc4..55c9a771e 100755 --- a/Sessions/start-selenium-grid-sessions.sh +++ b/Sessions/start-selenium-grid-sessions.sh 
@@ -65,7 +65,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})" fi if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then - echo "Appending Java options: -Djavax.net.ssl.trustStorePassword" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})" SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" fi echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}" @@ -82,7 +82,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then fi if [ ! -z "$SE_REGISTRATION_SECRET" ]; then - echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}" + echo "Appending Selenium options: --registration-secret $(mask ${SE_REGISTRATION_SECRET})" SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}" fi diff --git a/Standalone/start-selenium-standalone.sh b/Standalone/start-selenium-standalone.sh index cddda008e..2434b94d7 100755 --- a/Standalone/start-selenium-standalone.sh +++ b/Standalone/start-selenium-standalone.sh @@ -19,6 +19,8 @@ function append_se_opts() { if [[ "${SE_OPTS}" != *"${option}"* ]]; then if [ "${log_message}" = "true" ]; then echo "Appending Selenium option: ${option} ${value}" + else + echo "Appending Selenium option: ${option} $(mask ${value})" fi SE_OPTS="${SE_OPTS} ${option}" if [ ! -z "${value}" ]; then @@ -47,7 +49,7 @@ if [ ! -z "$SE_ROUTER_USERNAME" ]; then fi if [ ! -z "$SE_ROUTER_PASSWORD" ]; then - append_se_opts "--password" "${SE_ROUTER_PASSWORD}" + append_se_opts "--password" "${SE_ROUTER_PASSWORD}" "false" fi if [ ! -z "$SE_NODE_ENABLE_MANAGED_DOWNLOADS" ]; then 
@@ -97,7 +99,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})" fi if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then - echo "Appending Java options: -Djavax.net.ssl.trustStorePassword" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})" SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" fi echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}" diff --git a/StandaloneDocker/start-selenium-grid-docker.sh b/StandaloneDocker/start-selenium-grid-docker.sh index f9e77e53d..081b70fe3 100755 --- a/StandaloneDocker/start-selenium-grid-docker.sh +++ b/StandaloneDocker/start-selenium-grid-docker.sh @@ -78,7 +78,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})" fi if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then - echo "Appending Java options: -Djavax.net.ssl.trustStorePassword" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})" SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" fi echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"