Enforce HTTP/1.1 for internal component JdkHttpClient (#2521)

VietND96 · web-flow · commit 8e8f0745052b · 2024-12-19T13:33:23.000+07:00
Signed-off-by: Viet Nguyen Duc &lt;nguyenducviet4496@gmail.com&gt;
diff --git a/.github/workflows/build-ffmpeg.yml b/.github/workflows/build-ffmpeg.yml
@@ -4,6 +4,9 @@ on:
   push:
     paths:
       - '.ffmpeg/Dockerfile'
+  pull_request:
+    paths:
+      - '.ffmpeg/Dockerfile'
   workflow_dispatch:
     inputs:
       release:
diff --git a/Base/Dockerfile b/Base/Dockerfile
@@ -130,6 +130,8 @@ RUN --mount=type=secret,id=SEL_PASSWD \
         org.seleniumhq.selenium:selenium-session-map-jdbc:${MVN_SELENIUM_VERSION} \
         org.postgresql:postgresql:${POSTGRESQL_VERSION} \
         org.seleniumhq.selenium:selenium-session-map-redis:${MVN_SELENIUM_VERSION} \
+        # Patch specific version for CVEs in the dependencies
+        io.lettuce:lettuce-core:6.5.1.RELEASE \
         > /external_jars/.classpath_session_map.txt \
         && chmod 664 /external_jars/.classpath_session_map.txt ; \
      fi \
@@ -185,6 +187,7 @@ ENV SE_BIND_HOST=false \
     SE_STRUCTURED_LOGS=false \
     SE_ENABLE_TRACING=true \
     SE_ENABLE_TLS=false \
+    SE_JAVA_HTTPCLIENT_VERSION="HTTP_1_1" \
     SE_JAVA_SSL_TRUST_STORE="/opt/selenium/secrets/server.jks" \
     SE_JAVA_SSL_TRUST_STORE_PASSWORD="/opt/selenium/secrets/server.pass" \
     SE_JAVA_DISABLE_HOSTNAME_VERIFICATION=true \
diff --git a/Distributor/start-selenium-grid-distributor.sh b/Distributor/start-selenium-grid-distributor.sh
@@ -179,6 +179,10 @@ else
   echo "Tracing is disabled"
 fi
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   -jar /opt/selenium/selenium-server.jar \
   ${EXTRA_LIBS} \
diff --git a/EventBus/start-selenium-grid-eventbus.sh b/EventBus/start-selenium-grid-eventbus.sh
@@ -109,6 +109,10 @@ else
   echo "Tracing is disabled"
 fi
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   -jar /opt/selenium/selenium-server.jar \
   ${EXTRA_LIBS} event-bus \
diff --git a/Hub/start-selenium-grid-hub.sh b/Hub/start-selenium-grid-hub.sh
@@ -159,6 +159,10 @@ else
   echo "Tracing is disabled"
 fi
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   -jar /opt/selenium/selenium-server.jar \
   ${EXTRA_LIBS} \
diff --git a/NodeBase/start-selenium-node.sh b/NodeBase/start-selenium-node.sh
@@ -171,6 +171,10 @@ CHROME_DRIVER_PATH_PROPERTY=-Dwebdriver.chrome.driver=/usr/bin/chromedriver
 EDGE_DRIVER_PATH_PROPERTY=-Dwebdriver.edge.driver=/usr/bin/msedgedriver
 GECKO_DRIVER_PATH_PROPERTY=-Dwebdriver.gecko.driver=/usr/bin/geckodriver
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   ${CHROME_DRIVER_PATH_PROPERTY} \
   ${EDGE_DRIVER_PATH_PROPERTY} \
diff --git a/NodeDocker/start-selenium-grid-docker.sh b/NodeDocker/start-selenium-grid-docker.sh
@@ -119,6 +119,10 @@ else
   echo "Tracing is disabled"
 fi
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   -jar /opt/selenium/selenium-server.jar \
   ${EXTRA_LIBS} node \
diff --git a/NodeFirefox/Dockerfile b/NodeFirefox/Dockerfile
@@ -58,6 +58,9 @@ RUN apt-get update -qqy && \
   fi \
   # Download the language pack for Firefox
   && /opt/bin/get_lang_package.sh \
+  # Do one more upgrade to fix possible CVEs from Firefox dependencies
+  && apt-get update -qqy \
+  && apt-get upgrade -yq \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
 
 #============
diff --git a/Router/start-selenium-grid-router.sh b/Router/start-selenium-grid-router.sh
@@ -160,6 +160,10 @@ else
   echo "Tracing is disabled"
 fi
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   -jar /opt/selenium/selenium-server.jar \
   ${EXTRA_LIBS} router \
diff --git a/SessionQueue/start-selenium-grid-session-queue.sh b/SessionQueue/start-selenium-grid-session-queue.sh
@@ -113,6 +113,10 @@ else
   echo "Tracing is disabled"
 fi
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   -jar /opt/selenium/selenium-server.jar \
   ${EXTRA_LIBS} sessionqueue \
diff --git a/Sessions/start-selenium-grid-sessions.sh b/Sessions/start-selenium-grid-sessions.sh
@@ -148,6 +148,10 @@ fi
 cat "$CONFIG_FILE"
 echo "Starting Selenium Grid Sessions..."
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   -jar /opt/selenium/selenium-server.jar \
   ${EXTRA_LIBS} sessions \
diff --git a/Standalone/start-selenium-standalone.sh b/Standalone/start-selenium-standalone.sh
@@ -162,6 +162,10 @@ CHROME_DRIVER_PATH_PROPERTY=-Dwebdriver.chrome.driver=/usr/bin/chromedriver
 EDGE_DRIVER_PATH_PROPERTY=-Dwebdriver.edge.driver=/usr/bin/msedgedriver
 GECKO_DRIVER_PATH_PROPERTY=-Dwebdriver.gecko.driver=/usr/bin/geckodriver
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   ${CHROME_DRIVER_PATH_PROPERTY} \
   ${EDGE_DRIVER_PATH_PROPERTY} \
diff --git a/StandaloneDocker/start-selenium-grid-docker.sh b/StandaloneDocker/start-selenium-grid-docker.sh
@@ -124,6 +124,10 @@ else
   echo "Tracing is disabled"
 fi
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   -jar /opt/selenium/selenium-server.jar \
   ${EXTRA_LIBS} standalone \
diff --git a/tests/charts/make/chart_test.sh b/tests/charts/make/chart_test.sh
@@ -40,6 +40,7 @@ CHART_ENABLE_BASIC_AUTH=${CHART_ENABLE_BASIC_AUTH:-"false"}
 BASIC_AUTH_USERNAME=${BASIC_AUTH_USERNAME:-"sysAdminUser"}
 BASIC_AUTH_PASSWORD=${BASIC_AUTH_PASSWORD:-"myStrongPassword"}
 LOG_LEVEL=${LOG_LEVEL:-"INFO"}
+INGRESS_DISABLE_USE_HTTP2=${INGRESS_DISABLE_USE_HTTP2:-false}
 TEST_EXISTING_KEDA=${TEST_EXISTING_KEDA:-"false"}
 TEST_UPGRADE_CHART=${TEST_UPGRADE_CHART:-"false"}
 RENDER_HELM_TEMPLATE_ONLY=${RENDER_HELM_TEMPLATE_ONLY:-"false"}
@@ -290,6 +291,10 @@ if [ "${INGRESS_DISABLE_USE_HTTP2}" = "true" ]; then
   HELM_COMMAND_SET_IMAGES="${HELM_COMMAND_SET_IMAGES} \
   --set ingress.nginx.useHttp2=false \
   "
+else
+  HELM_COMMAND_SET_IMAGES="${HELM_COMMAND_SET_IMAGES} \
+  --set ingress.nginx.useHttp2=true \
+  "
 fi
 
 if [ "${SECURE_CONNECTION_SERVER}" = "true" ]; then
