fix: mask secret info from bash logs (#2360)

* Do not print secrets such as registration secret and router password to console on selenium grid hub and router startup (#2359)

* fix: mask secret info from bash logs

Signed-off-by: Viet Nguyen Duc <nguyenducviet4496@gmail.com>

---------

Signed-off-by: Viet Nguyen Duc <nguyenducviet4496@gmail.com>
Co-authored-by: Florian Rudisch <frudisch@users.noreply.github.com>

Author: VietND96

Base/Dockerfile

@@ -128,6 +128,7 @@ RUN  if [ "$(dpkg --print-architecture)" = "amd64" ]; then \
 # Add Grid check script
 #======================================
 COPY --chown="${SEL_UID}:${SEL_GID}" check-grid.sh entry_point.sh configs/node/nodeGridUrl.sh configs/node/nodePreStop.sh /opt/bin/
+COPY --chown="${SEL_UID}:${SEL_GID}" mask /usr/local/bin/
 
 #======================================
 # Add Supervisor configuration file

Base/mask

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+SE_MASK_SECRETS_MIN_LENGTH=${SE_MASK_SECRETS_MIN_LENGTH:-3}
+SE_MASK_SECRETS_KEEP_LAST=${SE_MASK_SECRETS_KEEP_LAST:-0}
+if [ "${SE_MASK_SECRETS:-true}" = "true" ]; then
+    n=${SE_MASK_SECRETS_KEEP_LAST}
+    [[ ${#1} -le ${SE_MASK_SECRETS_MIN_LENGTH} ]] && n=$(( ${#1} - ${SE_MASK_SECRETS_MIN_LENGTH} ))
+    a="${1:0:${#1}-n}"
+    a="${a:0:${SE_MASK_SECRETS_MIN_LENGTH}}"
+    b="${1:${#1}-n}"
+    printf "%s%s" "${a//?/*}" "$b"
+else
+    printf "%s" "$1"
+fi

Distributor/start-selenium-grid-distributor.sh

@@ -85,7 +85,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
     SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
   fi
   if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
-    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
+    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
     SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
   fi
   echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"
@@ -102,7 +102,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
 fi
 
 if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
-  echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
+  echo "Appending Selenium options: --registration-secret $(mask ${SE_REGISTRATION_SECRET})"
   SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
 fi
 

EventBus/start-selenium-grid-eventbus.sh

@@ -50,7 +50,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
     SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
   fi
   if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
-    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
+    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
     SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
   fi
   echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"

Hub/start-selenium-grid-hub.sh

@@ -53,7 +53,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
     SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
   fi
   if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
-    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
+    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
     SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
   fi
   echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"
@@ -70,7 +70,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
 fi
 
 if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
-  echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
+  echo "Appending Selenium options: --registration-secret $(mask ${SE_REGISTRATION_SECRET})"
   SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
 fi
 
@@ -85,7 +85,7 @@ if [ ! -z "$SE_ROUTER_USERNAME" ]; then
 fi
 
 if [ ! -z "$SE_ROUTER_PASSWORD" ]; then
-  echo "Appending Selenium options: --password ${SE_ROUTER_PASSWORD}"
+  echo "Appending Selenium options: --password $(mask ${SE_ROUTER_PASSWORD})"
   SE_OPTS="$SE_OPTS --password ${SE_ROUTER_PASSWORD}"
 fi
 

NodeBase/start-selenium-node.sh

@@ -19,6 +19,8 @@ function append_se_opts() {
   if [[ "${SE_OPTS}" != *"${option}"* ]]; then
     if [ "${log_message}" = "true" ]; then
       echo "Appending Selenium option: ${option} ${value}"
+    else
+      echo "Appending Selenium option: ${option} $(mask ${value})"
     fi
     SE_OPTS="${SE_OPTS} ${option}"
     if [ ! -z "${value}" ]; then
@@ -99,7 +101,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
     SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
   fi
   if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
-    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
+    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
     SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
   fi
   echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"
@@ -114,7 +116,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
 fi
 
 if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
-  append_se_opts "--registration-secret" "${SE_REGISTRATION_SECRET}"
+  append_se_opts "--registration-secret" "${SE_REGISTRATION_SECRET}" "false"
 fi
 
 if [ "$GENERATE_CONFIG" = true ]; then

NodeDocker/start-selenium-grid-docker.sh

@@ -73,7 +73,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
     SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
   fi
   if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
-    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
+    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
     SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
   fi
   echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"

README.md

@@ -64,6 +64,7 @@ Talk to us at https://www.selenium.dev/support/
   * [Running in Headless mode](#running-in-headless-mode)
   * [Stopping the Node/Standalone after N sessions have been executed](#stopping-the-nodestandalone-after-n-sessions-have-been-executed)
   * [Automatic browser leftovers cleanup](#automatic-browser-leftovers-cleanup)
+  * [Mask sensitive information in console logs](#mask-sensitive-information-in-console-logs)
   * [Secure Connection](#secure-connection)
 * [Building the images](#building-the-images)
 * [Build the images with specific versions](#build-the-images-with-specific-versions)
@@ -1092,7 +1093,7 @@ By default, Selenium is reachable at `http://127.0.0.1:4444/`. Selenium can be c
 environmental variable. In the example below Selenium is reachable at `http://127.0.0.1:4444/selenium-grid/`
 
 ```bash
-$ docker run -d -p 4444:4444 -e SE_SUB_PATH=/selenium-grid/ --name selenium-hub selenium/hub:4.9.0-20230421
+$ docker run -d -p 4444:4444 -e SE_SUB_PATH=/selenium-grid/ --name selenium-hub selenium/hub:4.23.1-20240813
 ```
 
 ### Setting Screen Resolution
@@ -1208,6 +1209,14 @@ running longer than 1 hour (instead of 2 hours), and will remove temp files olde
 
 ---
 
+## Mask sensitive information in console logs
+
+Few variables output like password, secret, etc. are masked in console logs. For debugging purposes, you can disable it by setting `SE_MASK_SECRETS` to `false`
+
+While creating bash script, your can mask the output by using syntax `echo "Current value is $(mask ${YOUR_VARIABLE})`
+
+`SE_MASK_SECRETS_MIN_LENGTH` default is `3`. It means a long string will be masked to `***` to avoid exposing length for brute force attack.
+
 ## Secure connection
 
 By default, there are default self-signed certificates available in the image in location `/opt/selenium/secrets` includes

Router/start-selenium-grid-router.sh

@@ -85,7 +85,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
     SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
   fi
   if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
-    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
+    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
     SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
   fi
   echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"
@@ -102,7 +102,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
 fi
 
 if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
-  echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
+  echo "Appending Selenium options: --registration-secret $(mask ${SE_REGISTRATION_SECRET})"
   SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
 fi
 
@@ -117,7 +117,7 @@ if [ ! -z "$SE_ROUTER_USERNAME" ]; then
 fi
 
 if [ ! -z "$SE_ROUTER_PASSWORD" ]; then
-  echo "Appending Selenium options: --password ${SE_ROUTER_PASSWORD}"
+  echo "Appending Selenium options: --password $(mask ${SE_ROUTER_PASSWORD})"
   SE_OPTS="$SE_OPTS --password ${SE_ROUTER_PASSWORD}"
 fi
 

SessionQueue/start-selenium-grid-session-queue.sh

@@ -50,7 +50,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
     SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
   fi
   if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
-    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
+    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
     SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
   fi
   echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"
@@ -67,7 +67,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
 fi
 
 if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
-  echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
+  echo "Appending Selenium options: --registration-secret $(mask ${SE_REGISTRATION_SECRET})"
   SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
 fi
 

Sessions/start-selenium-grid-sessions.sh

@@ -65,7 +65,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
     SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
   fi
   if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
-    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
+    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
     SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
   fi
   echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"
@@ -82,7 +82,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
 fi
 
 if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
-  echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
+  echo "Appending Selenium options: --registration-secret $(mask ${SE_REGISTRATION_SECRET})"
   SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
 fi
 

Standalone/start-selenium-standalone.sh

@@ -19,6 +19,8 @@ function append_se_opts() {
   if [[ "${SE_OPTS}" != *"${option}"* ]]; then
     if [ "${log_message}" = "true" ]; then
       echo "Appending Selenium option: ${option} ${value}"
+    else
+      echo "Appending Selenium option: ${option} $(mask ${value})"
     fi
     SE_OPTS="${SE_OPTS} ${option}"
     if [ ! -z "${value}" ]; then
@@ -47,7 +49,7 @@ if [ ! -z "$SE_ROUTER_USERNAME" ]; then
 fi
 
 if [ ! -z "$SE_ROUTER_PASSWORD" ]; then
-  append_se_opts "--password" "${SE_ROUTER_PASSWORD}"
+  append_se_opts "--password" "${SE_ROUTER_PASSWORD}" "false"
 fi
 
 if [ ! -z "$SE_NODE_ENABLE_MANAGED_DOWNLOADS" ]; then
@@ -97,7 +99,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
     SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
   fi
   if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
-    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
+    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
     SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
   fi
   echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"

StandaloneDocker/start-selenium-grid-docker.sh

@@ -78,7 +78,7 @@ if [ "${SE_ENABLE_TLS}" = "true" ]; then
     SE_JAVA_SSL_TRUST_STORE_PASSWORD="$(cat ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
   fi
   if [ ! -z "${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" ]; then
-    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword"
+    echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=$(mask ${SE_JAVA_SSL_TRUST_STORE_PASSWORD})"
     SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}"
   fi
   echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION}"