When using the start-selenium-grid-hub.sh or start-selenium-grid-router.sh script the router password and registration secret got printed to the console. For testing usage this is (semi) fine. But when using Selenium Docker Images in a production environment, printing secrets to the console is a security issue. Therefore, all secrets printed to the console are replaced with '***' in this change.
Motivation and Context
Use docker-selenium in production environment without security concerns
Types of changes
Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to change)
Masked sensitive information such as SE_REGISTRATION_SECRET and SE_ROUTER_PASSWORD in console output for both Selenium Grid Hub and Router startup scripts.
Enhances security by preventing sensitive data from being exposed in production environments.
Changes walkthrough 📝
Relevant files
Bug fix
start-selenium-grid-hub.sh
Mask sensitive information in console output for Hub
Hub/start-selenium-grid-hub.sh
Masked the SE_REGISTRATION_SECRET when printing to console.
Masked the SE_ROUTER_PASSWORD when printing to console.
…to console on selenium grid hub and router startup
When using the start-selenium-grid-hub.sh or start-selenium-grid-router.sh script the router password and registration secret got printed to the console.
For testing usage this is (semi) fine. But when using Selenium Docker Images in a production environment, printing secrets to the console is a security issue.
Therefore, all secrets printed to the console are replaced with '***' in this change.
No security concerns. In fact, this PR addresses a security issue by masking sensitive information in console output. The changes prevent the exposure of SE_REGISTRATION_SECRET and SE_ROUTER_PASSWORD by replacing them with '***' in the console logs. This is a good security practice, especially for production environments.
Use a dynamic method to mask sensitive information in log messages
Consider using a more secure method to mask sensitive information. Instead of hardcoding '***', you could use a variable or a function to generate a mask of appropriate length.
Why: The suggestion improves security by dynamically masking the registration secret, which is a better practice than hardcoding a static mask. This change enhances the security of sensitive information in logs.
8
Use a dynamic method to mask sensitive information in router log messages
Similar to the hub script, consider using a dynamic method to mask the registration secret instead of hardcoding '***'.
Why: Similar to the hub script, this suggestion enhances security by dynamically masking the registration secret, preventing exposure of sensitive information in logs.
8
Best practice
Apply consistent masking to all potentially sensitive information in log messages
For consistency, consider applying the same masking technique to the username as well. This ensures all potentially sensitive information is treated equally.
Why: While the username is not as sensitive as passwords or secrets, applying consistent masking improves the uniformity and security of log messages. This is a good practice for maintaining consistency.
7
Apply consistent masking to all potentially sensitive information across different scripts
For consistency across both hub and router scripts, consider masking the username in the router script as well.
Why: Consistent masking of the username across scripts improves uniformity and treats all potentially sensitive information equally, which is a best practice for maintaining security and consistency.
* Do not print secrets such as registration secret and router password to console on selenium grid hub and router startup (#2359)
* fix: mask secret info from bash logs
Signed-off-by: Viet Nguyen Duc <nguyenducviet4496@gmail.com>
---------
Signed-off-by: Viet Nguyen Duc <nguyenducviet4496@gmail.com>
Co-authored-by: Florian Rudisch <frudisch@users.noreply.github.com>
start-selenium-grid-router.sh
Mask sensitive information in console output for Router
Router/start-selenium-grid-router.sh
Masked the SE_REGISTRATION_SECRET when printing to console.
Masked the SE_ROUTER_PASSWORD when printing to console.
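
As an added example (not code from this pull request or from the docker-selenium scripts), here is one way a startup script can log its settings while keeping SE_REGISTRATION_SECRET and SE_ROUTER_PASSWORD out of the console. The helper names (`is_sensitive`, `describe_setting`, `scrub_line`), the `SENSITIVE_VARS` and `MASK` variables, `EXAMPLE_PORT` and all values are assumptions made for illustration.

```shell
# Added example; helper names are hypothetical and all values are constructed.
SENSITIVE_VARS="SE_REGISTRATION_SECRET SE_ROUTER_PASSWORD"
MASK='***'  # fixed width: the log reveals neither the value nor its length

# is_sensitive NAME: succeeds when NAME is listed in SENSITIVE_VARS.
is_sensitive() {
  case " $SENSITIVE_VARS " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# describe_setting NAME: prints NAME=value, NAME=*** or NAME=<unset>.
describe_setting() {
  case $1 in ''|[0-9]*|*[!A-Za-z0-9_]*) return 2 ;; esac  # keep eval safe
  eval "ds_value=\${$1-}"
  if [ -z "$ds_value" ]; then
    printf '%s=<unset>\n' "$1"
  elif is_sensitive "$1"; then
    printf '%s=%s\n' "$1" "$MASK"
  else
    printf '%s=%s\n' "$1" "$ds_value"
  fi
}

# scrub_line TEXT: replaces every occurrence of a sensitive value in TEXT,
# for messages that echo a whole command line rather than one setting.
scrub_line() {
  sl_rest=$1
  for sl_name in $SENSITIVE_VARS; do
    eval "sl_value=\${$sl_name-}"
    [ -n "$sl_value" ] || continue
    sl_out=
    while :; do
      case $sl_rest in
        *"$sl_value"*)
          sl_out=$sl_out${sl_rest%%"$sl_value"*}$MASK
          sl_rest=${sl_rest#*"$sl_value"} ;;
        *) break ;;
      esac
    done
    sl_rest=$sl_out$sl_rest
  done
  printf '%s\n' "$sl_rest"
}
# Constructed demo values, not real credentials.
SE_REGISTRATION_SECRET='constructed-secret'
SE_ROUTER_PASSWORD='constructed/pass*word'
EXAMPLE_PORT=4444  # hypothetical non-sensitive setting
describe_setting SE_REGISTRATION_SECRET
describe_setting EXAMPLE_PORT
scrub_line "auth constructed-secret then constructed/pass*word"
```

Masking by variable name covers the per-setting log lines; `scrub_line` covers messages assembled from several values, where the secret would otherwise appear verbatim.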