Enforce HTTP/1.1 for internal component JdkHttpClient (#2521)

Signed-off-by: Viet Nguyen Duc <[email protected]>

Author: VietND96

.github/workflows/build-ffmpeg.yml

@@ -4,6 +4,9 @@ on:
   push:
     paths:
       - '.ffmpeg/Dockerfile'
+  pull_request:
+    paths:
+      - '.ffmpeg/Dockerfile'
   workflow_dispatch:
     inputs:
       release:

Base/Dockerfile

@@ -130,6 +130,8 @@ RUN --mount=type=secret,id=SEL_PASSWD \
         org.seleniumhq.selenium:selenium-session-map-jdbc:${MVN_SELENIUM_VERSION} \
         org.postgresql:postgresql:${POSTGRESQL_VERSION} \
         org.seleniumhq.selenium:selenium-session-map-redis:${MVN_SELENIUM_VERSION} \
+        # Patch specific version for CVEs in the dependencies
+        io.lettuce:lettuce-core:6.5.1.RELEASE \
         > /external_jars/.classpath_session_map.txt \
         && chmod 664 /external_jars/.classpath_session_map.txt ; \
      fi \
@@ -185,6 +187,7 @@ ENV SE_BIND_HOST=false \
     SE_STRUCTURED_LOGS=false \
     SE_ENABLE_TRACING=true \
     SE_ENABLE_TLS=false \
+    SE_JAVA_HTTPCLIENT_VERSION="HTTP_1_1" \
     SE_JAVA_SSL_TRUST_STORE="/opt/selenium/secrets/server.jks" \
     SE_JAVA_SSL_TRUST_STORE_PASSWORD="/opt/selenium/secrets/server.pass" \
     SE_JAVA_DISABLE_HOSTNAME_VERIFICATION=true \

Distributor/start-selenium-grid-distributor.sh

@@ -179,6 +179,10 @@ else
   echo "Tracing is disabled"
 fi
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   -jar /opt/selenium/selenium-server.jar \
   ${EXTRA_LIBS} \

EventBus/start-selenium-grid-eventbus.sh

@@ -109,6 +109,10 @@ else
   echo "Tracing is disabled"
 fi
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   -jar /opt/selenium/selenium-server.jar \
   ${EXTRA_LIBS} event-bus \

Hub/start-selenium-grid-hub.sh

@@ -159,6 +159,10 @@ else
   echo "Tracing is disabled"
 fi
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   -jar /opt/selenium/selenium-server.jar \
   ${EXTRA_LIBS} \

NodeBase/start-selenium-node.sh

@@ -171,6 +171,10 @@ CHROME_DRIVER_PATH_PROPERTY=-Dwebdriver.chrome.driver=/usr/bin/chromedriver
 EDGE_DRIVER_PATH_PROPERTY=-Dwebdriver.edge.driver=/usr/bin/msedgedriver
 GECKO_DRIVER_PATH_PROPERTY=-Dwebdriver.gecko.driver=/usr/bin/geckodriver
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   ${CHROME_DRIVER_PATH_PROPERTY} \
   ${EDGE_DRIVER_PATH_PROPERTY} \

NodeDocker/start-selenium-grid-docker.sh

@@ -119,6 +119,10 @@ else
   echo "Tracing is disabled"
 fi
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   -jar /opt/selenium/selenium-server.jar \
   ${EXTRA_LIBS} node \

NodeFirefox/Dockerfile

@@ -58,6 +58,9 @@ RUN apt-get update -qqy && \
   fi \
   # Download the language pack for Firefox
   && /opt/bin/get_lang_package.sh \
+  # Do one more upgrade to fix possible CVEs from Firefox dependencies
+  && apt-get update -qqy \
+  && apt-get upgrade -yq \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
 
 #============

Router/start-selenium-grid-router.sh

@@ -160,6 +160,10 @@ else
   echo "Tracing is disabled"
 fi
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   -jar /opt/selenium/selenium-server.jar \
   ${EXTRA_LIBS} router \

SessionQueue/start-selenium-grid-session-queue.sh

@@ -113,6 +113,10 @@ else
   echo "Tracing is disabled"
 fi
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   -jar /opt/selenium/selenium-server.jar \
   ${EXTRA_LIBS} sessionqueue \

Sessions/start-selenium-grid-sessions.sh

@@ -148,6 +148,10 @@ fi
 cat "$CONFIG_FILE"
 echo "Starting Selenium Grid Sessions..."
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   -jar /opt/selenium/selenium-server.jar \
   ${EXTRA_LIBS} sessions \

Standalone/start-selenium-standalone.sh

@@ -162,6 +162,10 @@ CHROME_DRIVER_PATH_PROPERTY=-Dwebdriver.chrome.driver=/usr/bin/chromedriver
 EDGE_DRIVER_PATH_PROPERTY=-Dwebdriver.edge.driver=/usr/bin/msedgedriver
 GECKO_DRIVER_PATH_PROPERTY=-Dwebdriver.gecko.driver=/usr/bin/geckodriver
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   ${CHROME_DRIVER_PATH_PROPERTY} \
   ${EDGE_DRIVER_PATH_PROPERTY} \

StandaloneDocker/start-selenium-grid-docker.sh

@@ -124,6 +124,10 @@ else
   echo "Tracing is disabled"
 fi
 
+if [ -n "${SE_JAVA_HTTPCLIENT_VERSION}" ]; then
+  SE_JAVA_OPTS="$SE_JAVA_OPTS -Dwebdriver.httpclient.version=${SE_JAVA_HTTPCLIENT_VERSION}"
+fi
+
 java ${JAVA_OPTS:-$SE_JAVA_OPTS} \
   -jar /opt/selenium/selenium-server.jar \
   ${EXTRA_LIBS} standalone \

tests/charts/make/chart_test.sh

@@ -40,6 +40,7 @@ CHART_ENABLE_BASIC_AUTH=${CHART_ENABLE_BASIC_AUTH:-"false"}
 BASIC_AUTH_USERNAME=${BASIC_AUTH_USERNAME:-"sysAdminUser"}
 BASIC_AUTH_PASSWORD=${BASIC_AUTH_PASSWORD:-"myStrongPassword"}
 LOG_LEVEL=${LOG_LEVEL:-"INFO"}
+INGRESS_DISABLE_USE_HTTP2=${INGRESS_DISABLE_USE_HTTP2:-false}
 TEST_EXISTING_KEDA=${TEST_EXISTING_KEDA:-"false"}
 TEST_UPGRADE_CHART=${TEST_UPGRADE_CHART:-"false"}
 RENDER_HELM_TEMPLATE_ONLY=${RENDER_HELM_TEMPLATE_ONLY:-"false"}
@@ -290,6 +291,10 @@ if [ "${INGRESS_DISABLE_USE_HTTP2}" = "true" ]; then
   HELM_COMMAND_SET_IMAGES="${HELM_COMMAND_SET_IMAGES} \
   --set ingress.nginx.useHttp2=false \
   "
+else
+  HELM_COMMAND_SET_IMAGES="${HELM_COMMAND_SET_IMAGES} \
+  --set ingress.nginx.useHttp2=true \
+  "
 fi
 
 if [ "${SECURE_CONNECTION_SERVER}" = "true" ]; then