[🐛 Bug]: Auth info in Logs in selenium grid

[amardeep2006]

What happened?

I am running selenium grid and I see username/password in logs. I have auth enabled.
This is visible in both hub and chrome-node logs. It appears as part of capabilities under se:vnc and se:cdp section.

I feel this can be potential security issue. I am not sure what can be the solution but as it's part of INFO logging level, it will be logged almost in most default cases.

Here are few suspected sources I feel. I could not find why it appears in browser node's logs.

selenium/java/src/org/openqa/selenium/grid/distributor/local/LocalDistributor.java

Line 586 in d65e38e

LOG.info(

selenium/java/src/org/openqa/selenium/grid/node/local/LocalNode.java

Line 495 in d65e38e

LOG.info(

How can we reproduce the issue?

I started the grid in hub mode. I suspect the same will appear in Distributor logs as well if I run grid as isolated components.

Relevant log output

10:26:30.043 INFO [LocalNode.newSession] - Session created by the Node. Id: bd64e2f9a306477d40843d3d74660381, Caps: Capabilities {acceptInsecureCerts: false, browserName: chrome, browserVersion: 122.0.6261.94, chrome: {chromedriverVersion: 122.0.6261.94 (880dbf29479c..., userDataDir: /tmp/.org.chromium.Chromium...}, fedcm:accounts: true, goog:chromeOptions: {debuggerAddress: localhost:39807}, networkConnectionEnabled: false, pageLoadStrategy: normal, platformName: linux, proxy: Proxy(), se:bidiEnabled: false, se:cdp: wss://admin:admin@org-se..., se:cdpVersion: 122.0.6261.94, se:vnc: wss://admin:admin@org-se..., se:vncEnabled: true, se:vncLocalAddress: ws://10.42.23.63:7900, setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: dismiss and notify, webauthn:extension:credBlob: true, webauthn:extension:largeBlob: true, webauthn:extension:minPinLength: true, webauthn:extension:prf: true, webauthn:virtualAuthenticators: true}

Operating System

Ubuntu

Selenium version

Java 4.18.1

What are the browser(s) and version(s) where you see this issue?

Chrome 122

What are the browser driver(s) and version(s) where you see this issue?

122.0.6261.94

Are you using Selenium Grid?

4.18.1

[github-actions]

@amardeep2006, thank you for creating this issue. We will troubleshoot it as soon as we can.

---

Info for maintainers

Triage this issue by using labels.

If information is missing, add a helpful comment and then I-issue-template label.

If the issue is a question, add the I-question label.

If the issue is valid but there is no time to troubleshoot it, consider adding the help wanted label.

If the issue requires changes or fixes from an external project (e.g., ChromeDriver, GeckoDriver, MSEdgeDriver, W3C), add the applicable G-* label, and it will provide the correct link and auto-close the issue.

After troubleshooting the issue, please add the R-awaiting answer label.

Thank you!

[github-actions]

This issue is looking for contributors.

Please comment below or reach out to us through our IRC/Slack/Matrix channels if you are interested.

[zhangwt-cn]

Hello, I want to try fixing this bug. Assign to me please

[diemol]

@zhangwt-cn, we do not assign bugs. Feel free to discuss your approach here and we will assist you when you send us a PR.

[VietND96]

If basic auth is not putting in SE_NODE_GRID_URL, then it will not be exposed via capabilities.
In docker-selenium and also helm chart to deploy Grid, we did the exercise that did not put basic auth in URLs anymore.
For running Playwright tests through Selenium Grid has basic auth, as docs https://playwright.dev/java/docs/selenium-grid#passing-additional-headers - use env var e.g SELENIUM_REMOTE_HEADERS="{'Authorization':'Basic base64enc'}"

[github-actions]

This issue is stale because it has been open 280 days with no activity. Remove stale label or comment or this will be closed in 14 days.