How do I protect the ports that chromedriver use?

Problem description

Normally when I run chromedriver I always get this output, which I'm sure everyone gets when running chromedriver. It's not the whole output but about a specific sentence.

Only local connections are allowed. 
Please protect ports used by ChromeDriver and related test frameworks to prevent access by malicious code.

As the title says, this is the output I always get. How do I make sure that ChromeDriver is using only protected ports?

Solution

This INFO message...

Please protect ports used by ChromeDriver and related test frameworks to prevent access by malicious code.

... was the result of a bug which got induced with ChromeDriver v2.46.


Analysis

As per the discussion "2.46 produces unexpected debug.log file if verbose logging is enabled", within the InitLogging() function of logging.cc some logging messages were written too early, even before logging::InitLogging is called (at the last line of the function). This turned out to be OK on Linux and Mac OS, where the default log destination is where it is expected. But on Windows, the default log destination is a file named debug.log.

So the ChromeDriver team needed to remove the two VLOG calls to the end of the method, after calling logging::InitLogging.

This issue was addressed through a commit, and the fix was available within ChromeDriver 73.x.

Protecting the ports that chromedriver use

There is nothing much we can do about the port usage: as @barancev mentions, ChromeDriver attempts to find a free ephemeral port using a system-dependent ephemeral port range detector. An ephemeral port is a short-lived endpoint that is created by the operating system when a program requests any available user port. The operating system selects the port number from a predefined range, typically between 1024 and 65535, and releases the port after the related TCP connection terminates.

By default, the system can create a maximum of approximately 4,000 ephemeral ports that run concurrently on Windows Server 2003 and approximately 16,000 on Windows Server 2008.


Solution

Upgrading to ChromeDriver 73.x will solve this issue.


Outro

These log messages were the reflection of ChromeDriver - Security Considerations.

ChromeDriver is a powerful tool, and it can cause harm in the wrong hands. While using ChromeDriver, please follow these suggestions to help keep it safe:

  • By default, ChromeDriver only allows local connections. If you need to connect to it from a remote host, use the --whitelisted-ips switch on the command line to specify a list of IP addresses that are allowed to connect to ChromeDriver.
  • If possible, run ChromeDriver with a test account that has no access to sensitive local or network data. ChromeDriver should never be run with a privileged account.
  • If possible, run ChromeDriver in a protected environment such as Docker or a virtual machine.
  • Use a firewall to prevent unauthorized remote connections to ChromeDriver.
  • If you are using ChromeDriver through third-party tools such as Selenium Server, be sure to protect the network ports of those tools as well.
  • Use the latest versions of ChromeDriver and Chrome.

You can find the list of restricted ports on Chrome here.
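
An added example (not part of the original answer, and not ChromeDriver project code): a check for the test host that flags ChromeDriver or Selenium Server listeners bound to a non-loopback address, which is the exposure the "local connections only" and firewall recommendations above are meant to prevent. The `ss -ltnpH` output is a constructed sample, and treating a `java` listener as Selenium Server is an assumption about the host.

```python
import ipaddress
import re

# Constructed sample of `ss -ltnpH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 5 127.0.0.1:9515 0.0.0.0:* users:(("chromedriver",pid=4121,fd=7))
LISTEN 0 5 [::1]:9515 [::]:* users:(("chromedriver",pid=4121,fd=8))
LISTEN 0 5 0.0.0.0:38211 0.0.0.0:* users:(("chromedriver",pid=4388,fd=7))
LISTEN 0 50 *:4444 *:* users:(("java",pid=4502,fd=31))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
"""

# Process names to audit. "java" is an assumption: it stands in for a
# Selenium Server process on this hypothetical host.
WATCHED = {"chromedriver", "java"}

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def is_loopback(host):
    """True only if the bind address is a loopback address (127.0.0.0/8 or ::1)."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and scope id
    if host == "*":  # ss prints "*" for a wildcard bind
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_listeners(ss_output, watched=WATCHED):
    """Return (name, pid, bind_host, port) for watched listeners not on loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Without sufficient privileges ss omits the users:(...) column;
        # such lines cannot be attributed to a process and are skipped.
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        for name, pid in PROC_RE.findall(fields[5]):
            if name in watched and not is_loopback(host):
                findings.append((name, int(pid), host, int(port)))
    return findings


if __name__ == "__main__":
    for name, pid, host, port in exposed_listeners(SAMPLE_SS):
        print(f"EXPOSED: {name} (pid {pid}) listening on {host}:{port}")
```

On a real host, pass the output of `ss -ltnpH` (run with enough privilege to see process names) to `exposed_listeners` instead of the sample.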
