Skip to content

Commit

Permalink
bug: ENV variable SE_VNC_PASSWORD contains sensitive data (#2061)
Browse files Browse the repository at this point in the history 
Signed-off-by: Viet Nguyen Duc <nguyenducviet4496@gmail.com>
  • Loading branch information
@VietND96
VietND96 committed Dec 13, 2023
1 parent 93da2b5 commit 7d74d4f
Show file tree
Hide file tree
Showing 7 changed files with 20 additions and 18 deletions.
8 changes: 5 additions & 3 deletions Base/Dockerfile
View file
Expand Up @@ -4,8 +4,9 @@ LABEL authors="Selenium <selenium-developers@googlegroups.com>"
# Arguments to define the version of dependencies to download
ARG VERSION
ARG RELEASE=selenium-${VERSION}
ARG OPENTELEMETRY_VERSION=1.31.0
ARG GRPC_VERSION=1.60.0
# Default value should be aligned with upstream Selenium (https://github.com/SeleniumHQ/selenium/blob/trunk/java/maven_deps.bzl)
ARG OPENTELEMETRY_VERSION=1.28.0
ARG GRPC_VERSION=1.57.1

#Arguments to define the user running Selenium
ARG SEL_USER=seluser
Expand Down Expand Up @@ -115,7 +116,8 @@ COPY supervisord.conf /etc
#==========
RUN touch ${SEL_DIR}/config.toml \
&& wget --no-verbose https://github.com/SeleniumHQ/selenium/releases/download/${RELEASE}/selenium-server-${VERSION}.jar \
-O ${SEL_DIR}/selenium-server.jar
-O ${SEL_DIR}/selenium-server.jar \
&& echo "${SEL_PASSWD}" > ${SEL_DIR}/initialPasswd

Check notice on line 120 in Base/Dockerfile

View workflow job for this annotation

GitHub Actions / Scan Dockerfile vulnerabilities

DS014 

Artifact: Base/Dockerfile\nType: dockerfile\nVulnerability DS014\nSeverity: LOW\nMessage: Shouldn't use both curl and wget\nLink: [DS014](https://avd.aquasec.com/misconfig/ds014)

#=====
# Download observability related jaegar jars and make them available in a separate directory
Expand Down
20 changes: 10 additions & 10 deletions NodeBase/Dockerfile
View file
Expand Up @@ -4,13 +4,16 @@ ARG AUTHORS
FROM ${NAMESPACE}/base:${VERSION}
LABEL authors=${AUTHORS}

ARG NOVNC_VERSION="1.4.0"
ARG WEBSOCKIFY_VERSION="0.11.0"

USER root

#==============
# Xvfb
#==============
RUN apt-get update -qqy \
&& apt-get -qqy install \
&& apt-get -qqy --no-install-recommends install \
xvfb \
pulseaudio \
&& rm -rf /var/lib/apt/lists/* /var/cache/apt/*
Expand Down Expand Up @@ -40,7 +43,7 @@ RUN apt-get -qqy update \
# VNC
#=====
RUN apt-get update -qqy \
&& apt-get -qqy install \
&& apt-get -qqy --no-install-recommends install \
x11vnc \
&& rm -rf /var/lib/apt/lists/* /var/cache/apt/*

Expand All @@ -49,7 +52,7 @@ RUN apt-get update -qqy \
# A fast, lightweight and responsive window manager
#=========
RUN apt-get update -qqy \
&& apt-get -qqy install \
&& apt-get -qqy --no-install-recommends install \
fluxbox \
&& rm -rf /var/lib/apt/lists/* /var/cache/apt/*

Expand Down Expand Up @@ -92,8 +95,6 @@ RUN apt-get -qqy update \
########################################
# noVNC exposes VNC through a web page #
########################################
ENV NOVNC_VERSION="1.4.0" \
WEBSOCKIFY_VERSION="0.11.0"
RUN wget -nv -O noVNC.zip \
"https://github.com/novnc/noVNC/archive/refs/tags/v${NOVNC_VERSION}.zip" \
&& unzip -x noVNC.zip \
Expand All @@ -104,8 +105,8 @@ RUN wget -nv -O noVNC.zip \
"https://github.com/novnc/websockify/archive/refs/tags/v${WEBSOCKIFY_VERSION}.zip" \
&& unzip -x websockify.zip \
&& rm websockify.zip \
&& rm -rf websockify-${WEBSOCKIFY_VERSION}/tests \
&& mv websockify-${WEBSOCKIFY_VERSION} /opt/bin/noVNC/utils/websockify
&& mv websockify-${WEBSOCKIFY_VERSION} /opt/bin/noVNC/utils/websockify \
&& rm -rf /opt/bin/noVNC/utils/websockify/docker /opt/bin/noVNC/utils/websockify/tests

#=========================================================================================================================================
# Run this command for executable file permissions for /dev/shm when this is a "child" container running in Docker Desktop and WSL2 distro
Expand All @@ -117,13 +118,12 @@ RUN mkdir -p /tmp/.X11-unix && \
fix-permissions /tmp/.X11-unix

#==============================
# Generating the VNC password based on the ${SE_VNC_PASSWORD}
# Generating the VNC password using initial password in Base image
# Changing ownership to ${SEL_USER}, so the service can be started
#==============================

ENV SE_VNC_PASSWORD=secret
RUN mkdir -p ${HOME}/.vnc \
&& x11vnc -storepasswd ${SE_VNC_PASSWORD} ${HOME}/.vnc/passwd \
&& x11vnc -storepasswd $(cat ${SEL_DIR}/initialPasswd) ${HOME}/.vnc/passwd \
&& chown -R "${SEL_UID}:${SEL_GID}" ${HOME}/.vnc \
&& fix-permissions ${HOME}/.vnc

Expand Down
2 changes: 1 addition & 1 deletion NodeChrome/Dockerfile
View file
Expand Up @@ -18,7 +18,7 @@ ARG CHROME_VERSION="google-chrome-stable"
RUN wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | gpg --dearmor | tee /etc/apt/trusted.gpg.d/google.gpg >/dev/null \
&& echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google-chrome.list \
&& apt-get update -qqy \
&& apt-get -qqy install \
&& apt-get -qqy --no-install-recommends install \
${CHROME_VERSION:-google-chrome-stable} \
&& rm /etc/apt/sources.list.d/google-chrome.list \
&& rm -rf /var/lib/apt/lists/* /var/cache/apt/*
Expand Down
2 changes: 1 addition & 1 deletion NodeDocker/Dockerfile
View file
Expand Up @@ -10,7 +10,7 @@ USER root
# Socat to proxy docker.sock when mounted
#==============
RUN apt-get update -qqy \
&& apt-get -qqy install socat \
&& apt-get -qqy --no-install-recommends install socat \
&& rm -rf /var/lib/apt/lists/* /var/cache/apt/*

USER ${SEL_UID}
Expand Down
2 changes: 1 addition & 1 deletion NodeEdge/Dockerfile
View file
Expand Up @@ -16,7 +16,7 @@ ARG EDGE_VERSION="microsoft-edge-stable"
RUN wget -q -O - https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | tee /etc/apt/trusted.gpg.d/microsoft.gpg >/dev/null \
&& echo "deb https://packages.microsoft.com/repos/edge stable main" >> /etc/apt/sources.list.d/microsoft-edge.list \
&& apt-get update -qqy \
&& apt-get -qqy install ${EDGE_VERSION} \
&& apt-get -qqy --no-install-recommends install ${EDGE_VERSION} \
&& rm /etc/apt/sources.list.d/microsoft-edge.list \
&& rm -rf /var/lib/apt/lists/* /var/cache/apt/*

Expand Down
2 changes: 1 addition & 1 deletion README.md
View file
Expand Up @@ -1302,7 +1302,7 @@ that directory because it is running under the user
`seluser`. This happens because that is how Docker mounts
volumes in Linux, more details in this [issue](https://github.com/moby/moby/issues/2259).

There was a fix in this [feature](https://github.com/SeleniumHQ/docker-selenium/issues/1947)
There was a fix in this feature [#1947](https://github.com/SeleniumHQ/docker-selenium/issues/1947)
that changed ownership when staring the container.

You are able to configure browser with another download directory and mount the host with it in container by overriding `SE_DOWNLOAD_DIR`.
Expand Down
2 changes: 1 addition & 1 deletion charts/selenium-grid/README.md
View file
Expand Up @@ -81,7 +81,7 @@ helm uninstall selenium-grid

## Ingress Configuration

By default, ingress is enabled without annotations set. If NGINX ingress controller is used, you need to set few annotations to override the default timeout values to avoid 504 errors (see #1808). Since in Selenium Grid the default of `SE_NODE_SESSION_TIMEOUT` and `SE_SESSION_REQUEST_TIMEOUT` is `300` seconds.
By default, ingress is enabled without annotations set. If NGINX ingress controller is used, you need to set few annotations to override the default timeout values to avoid 504 errors (see [#1808](https://github.com/SeleniumHQ/docker-selenium/issues/1808)). Since in Selenium Grid the default of `SE_NODE_SESSION_TIMEOUT` and `SE_SESSION_REQUEST_TIMEOUT` is `300` seconds.

In order to make user experience better, there are few annotations will be set by default if NGINX ingress controller is used. Mostly relates to timeouts and buffer sizes.

Expand Down

0 comments on commit 7d74d4f

Please sign in to comment.