bug: ENV variable SE_VNC_PASSWORD contains sensitive data (#2061)

Signed-off-by: Viet Nguyen Duc <[email protected]>
SeleniumHQ · Dec 13, 2023 · 7d74d4f · 7d74d4f
1 parent 93da2b5
commit 7d74d4f
Show file tree

Hide file tree

Showing 7 changed files with 20 additions and 18 deletions.
diff --git a/Base/Dockerfile b/Base/Dockerfile
@@ -4,8 +4,9 @@ LABEL authors="Selenium <[email protected]>"
 # Arguments to define the version of dependencies to download
 ARG VERSION
 ARG RELEASE=selenium-${VERSION}
-ARG OPENTELEMETRY_VERSION=1.31.0
-ARG GRPC_VERSION=1.60.0
+# Default value should be aligned with upstream Selenium (https://github.com/SeleniumHQ/selenium/blob/trunk/java/maven_deps.bzl)
+ARG OPENTELEMETRY_VERSION=1.28.0
+ARG GRPC_VERSION=1.57.1
 
 #Arguments to define the user running Selenium
 ARG SEL_USER=seluser
@@ -115,7 +116,8 @@ COPY supervisord.conf /etc
 #==========
 RUN touch ${SEL_DIR}/config.toml \
   && wget --no-verbose https://github.com/SeleniumHQ/selenium/releases/download/${RELEASE}/selenium-server-${VERSION}.jar \
-    -O ${SEL_DIR}/selenium-server.jar
+    -O ${SEL_DIR}/selenium-server.jar \
+  && echo "${SEL_PASSWD}" > ${SEL_DIR}/initialPasswd
 
 #=====
 # Download observability related jaegar jars and make them available in a separate directory

diff --git a/NodeBase/Dockerfile b/NodeBase/Dockerfile
@@ -4,13 +4,16 @@ ARG AUTHORS
 FROM ${NAMESPACE}/base:${VERSION}
 LABEL authors=${AUTHORS}
 
+ARG NOVNC_VERSION="1.4.0"
+ARG WEBSOCKIFY_VERSION="0.11.0"
+
 USER root
 
 #==============
 # Xvfb
 #==============
 RUN apt-get update -qqy \
-  && apt-get -qqy install \
+  && apt-get -qqy --no-install-recommends install \
     xvfb \
     pulseaudio \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
@@ -40,7 +43,7 @@ RUN apt-get -qqy update \
 # VNC
 #=====
 RUN apt-get update -qqy \
-  && apt-get -qqy install \
+  && apt-get -qqy --no-install-recommends install \
   x11vnc \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
 
@@ -49,7 +52,7 @@ RUN apt-get update -qqy \
 # A fast, lightweight and responsive window manager
 #=========
 RUN apt-get update -qqy \
-  && apt-get -qqy install \
+  && apt-get -qqy --no-install-recommends install \
     fluxbox \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
 
@@ -92,8 +95,6 @@ RUN apt-get -qqy update \
 ########################################
 # noVNC exposes VNC through a web page #
 ########################################
-ENV NOVNC_VERSION="1.4.0" \
-    WEBSOCKIFY_VERSION="0.11.0"
 RUN  wget -nv -O noVNC.zip \
        "https://github.com/novnc/noVNC/archive/refs/tags/v${NOVNC_VERSION}.zip" \
   && unzip -x noVNC.zip \
@@ -104,8 +105,8 @@ RUN  wget -nv -O noVNC.zip \
       "https://github.com/novnc/websockify/archive/refs/tags/v${WEBSOCKIFY_VERSION}.zip" \
   && unzip -x websockify.zip \
   && rm websockify.zip \
-  && rm -rf websockify-${WEBSOCKIFY_VERSION}/tests \
-  && mv websockify-${WEBSOCKIFY_VERSION} /opt/bin/noVNC/utils/websockify
+  && mv websockify-${WEBSOCKIFY_VERSION} /opt/bin/noVNC/utils/websockify \
+  && rm -rf /opt/bin/noVNC/utils/websockify/docker /opt/bin/noVNC/utils/websockify/tests
 
 #=========================================================================================================================================
 # Run this command for executable file permissions for /dev/shm when this is a "child" container running in Docker Desktop and WSL2 distro
@@ -117,13 +118,12 @@ RUN mkdir -p /tmp/.X11-unix && \
     fix-permissions /tmp/.X11-unix
 
 #==============================
-# Generating the VNC password based on the ${SE_VNC_PASSWORD}
+# Generating the VNC password using initial password in Base image
 # Changing ownership to ${SEL_USER}, so the service can be started
 #==============================
 
-ENV SE_VNC_PASSWORD=secret
 RUN mkdir -p ${HOME}/.vnc \
-    && x11vnc -storepasswd ${SE_VNC_PASSWORD} ${HOME}/.vnc/passwd \
+    && x11vnc -storepasswd $(cat ${SEL_DIR}/initialPasswd) ${HOME}/.vnc/passwd \
     && chown -R "${SEL_UID}:${SEL_GID}" ${HOME}/.vnc \
     && fix-permissions ${HOME}/.vnc
 

diff --git a/NodeChrome/Dockerfile b/NodeChrome/Dockerfile
@@ -18,7 +18,7 @@ ARG CHROME_VERSION="google-chrome-stable"
 RUN wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | gpg --dearmor | tee /etc/apt/trusted.gpg.d/google.gpg >/dev/null \
   && echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google-chrome.list \
   && apt-get update -qqy \
-  && apt-get -qqy install \
+  && apt-get -qqy --no-install-recommends install \
     ${CHROME_VERSION:-google-chrome-stable} \
   && rm /etc/apt/sources.list.d/google-chrome.list \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

diff --git a/NodeDocker/Dockerfile b/NodeDocker/Dockerfile
@@ -10,7 +10,7 @@ USER root
 # Socat to proxy docker.sock when mounted
 #==============
 RUN apt-get update -qqy \
-  && apt-get -qqy install socat \
+  && apt-get -qqy --no-install-recommends install socat \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
 
 USER ${SEL_UID}

diff --git a/NodeEdge/Dockerfile b/NodeEdge/Dockerfile
@@ -16,7 +16,7 @@ ARG EDGE_VERSION="microsoft-edge-stable"
 RUN wget -q -O - https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | tee /etc/apt/trusted.gpg.d/microsoft.gpg >/dev/null \
   && echo "deb https://packages.microsoft.com/repos/edge stable main" >> /etc/apt/sources.list.d/microsoft-edge.list \
   && apt-get update -qqy \
-  && apt-get -qqy install ${EDGE_VERSION} \
+  && apt-get -qqy --no-install-recommends install ${EDGE_VERSION} \
   && rm /etc/apt/sources.list.d/microsoft-edge.list \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
 

diff --git a/README.md b/README.md
@@ -1302,7 +1302,7 @@ that directory because it is running under the user
 `seluser`. This happens because that is how Docker mounts
 volumes in Linux, more details in this [issue](https://github.com/moby/moby/issues/2259).
 
-There was a fix in this [feature](https://github.com/SeleniumHQ/docker-selenium/issues/1947)
+There was a fix in this feature [#1947](https://github.com/SeleniumHQ/docker-selenium/issues/1947)
 that changed ownership when staring the container.
 
 You are able to configure browser with another download directory and mount the host with it in container by overriding `SE_DOWNLOAD_DIR`.

diff --git a/charts/selenium-grid/README.md b/charts/selenium-grid/README.md
@@ -81,7 +81,7 @@ helm uninstall selenium-grid
 
 ## Ingress Configuration
 
-By default, ingress is enabled without annotations set. If NGINX ingress controller is used, you need to set few annotations to override the default timeout values to avoid 504 errors (see #1808). Since in Selenium Grid the default of `SE_NODE_SESSION_TIMEOUT` and `SE_SESSION_REQUEST_TIMEOUT` is `300` seconds.
+By default, ingress is enabled without annotations set. If NGINX ingress controller is used, you need to set few annotations to override the default timeout values to avoid 504 errors (see [#1808](https://github.com/SeleniumHQ/docker-selenium/issues/1808)). Since in Selenium Grid the default of `SE_NODE_SESSION_TIMEOUT` and `SE_SESSION_REQUEST_TIMEOUT` is `300` seconds.
 
 In order to make user experience better, there are few annotations will be set by default if NGINX ingress controller is used. Mostly relates to timeouts and buffer sizes.