Java: How to protect the ports used by chromedriver?
Original URL: http://stackoverflow.com/questions/55442679/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
How do I protect the ports that chromedriver use?
Asked by Lewiad
Normally when I run chromedriver I always get this output, which I'm sure everyone gets when running chromedriver. It's not the whole output but about a specific sentence.
Only local connections are allowed.
Please protect ports used by ChromeDriver and related test frameworks to prevent access by malicious code.
As the title says and the output I always get. How do I make sure that ChromeDriver is using only protected ports?
Accepted answer by DebanjanB
This INFO message...
Please protect ports used by ChromeDriver and related test frameworks to prevent access by malicious code.
... was the result of a bug which got induced with ChromeDriver v2.46
Analysis
As per the discussion "2.46 produces unexpected debug.log file if verbose logging is enabled", within the InitLogging() function of logging.cc some logging messages were written too early, even before logging::InitLogging is called (at the last line of the function). This turned out to be OK on Linux and MacOS, where the default log destination is where it is expected. But on Windows, the default log destination is a file named debug.log.
So ChromeDriver team needed to remove the two VLOG calls to the end of the method, after calling logging::InitLogging.
This issue was addressed through a commit and the fix was available within ChromeDriver 73.x
Protecting the ports that chromedriver use
There is nothing much we can do about the port usage, as @barancev mentions: ChromeDriver attempts to find a free ephemeral port using a system-dependent ephemeral port range detector. An ephemeral port is a short-lived endpoint that is created by the operating system when a program requests any available user port. The operating system selects the port number from a predefined range, typically between 1024 and 65535, and releases the port after the related TCP connection terminates.
By default, the system can create a maximum of approximately 4,000 ephemeral ports that run concurrently on Windows Server 2003 and approximately 16,000 on Windows Server 2008.
Solution
Upgrading to ChromeDriver 73.x will solve this issue.
Outro
These log messages were the reflection of ChromeDriver - Security Considerations.
ChromeDriver is a powerful tool, and it can cause harms in the wrong hands. While using ChromeDriver, please follow these suggestions to help keeping it safe:
- By default, ChromeDriver only allows local connections. If you need to connect to it from a remote host, use --whitelisted-ips switch on the command line to specify a list of IP addresses that are allowed to connect to ChromeDriver.
- If possible, run ChromeDriver with a test account that has no access to sensitive local or network data. ChromeDriver should never be run with a privileged account.
- If possible, run ChromeDriver in a protected environment such as Docker or virtual machine.
- Use firewall to prevent unauthorized remote connection to ChromeDriver.
- If you are using ChromeDriver through third-party tools such as Selenium Server, be sure to protect the network ports of those tools as well.
- Use the latest versions of ChromeDriver and Chrome.
You can find the list of restricted ports on Chrome here.
Answer by user13015278
I too had the same issue; all I did was add https to the link, e.g.: driver.get("https://www.yahoo.com");
This solved the problem and my scripts are running.
Answer by Keet Sugathadasa
This is just an informational message. Nothing to be worried about. Even I get the following message.
Starting ChromeDriver 83.0.4103.39 (ccbf011cb2d2b19b506d844400483861342c20cd-refs/branch-heads/4103@{#416}) on port 9515
Only local connections are allowed.
Please see https://chromedriver.chromium.org/security-considerations for suggestions on keeping ChromeDriver safe.
ChromeDriver was started successfully.
Let me break down the message and explain.
Part 1: Please protect ports used by ChromeDriver
This is applicable to any program. The ports need to be protected whereas outsiders are not allowed to access. Since you are using the default whitelisting in Chromedriver, you get the message "Only local connections are allowed".
When you run this driver, it will enable your scripts to access this and run commands on Google Chrome.
This can be done via scripts running in the local network ("Only local connections are allowed.") or via scripts running on outside networks ("All remote connections are allowed."). It is always safer to use the Local Connection option. By default your Chromedriver is accessible via port 9515.
See this answer if you wish to allow all connections instead of just local.
Part 2: prevent access by malicious code
There are different kinds of scripts that check whether these ports are open. Since you have opened the Chromedriver only allowing local connections, it is much safer, and you have to only worry about the scripts in your machine, that might try to hit the port of the Chromedriver.
But, if you had whitelisted IPs, other than the local connections, then you have to protect the ports using firewall rules, via the Cloud service provider or your Operating System.
For more information, please see the Security Configurations given by ChromeDriver.
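An added example (not part of the answers above, and not ChromeDriver code): one way to check on a Linux host that ChromeDriver and Selenium Server listeners are bound to loopback only, by parsing the output of ss -H -ltnp. The sample lines, port 9516, the PIDs and the assumption that Selenium Server shows up as a java process are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ss -H -ltnp` output (Linux); not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 5 127.0.0.1:9515 0.0.0.0:* users:(("chromedriver",pid=4242,fd=5))
LISTEN 0 5 [::1]:9515 [::]:* users:(("chromedriver",pid=4242,fd=6))
LISTEN 0 5 0.0.0.0:9516 0.0.0.0:* users:(("chromedriver",pid=4250,fd=5))
LISTEN 0 128 *:4444 *:* users:(("java",pid=4300,fd=12))
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=700,fd=14))
"""

# Assumption: Selenium Server runs as a "java" process on this host.
WATCHED = ("chromedriver", "java")


def parse_listener(line):
    """Return (process, host, port) for one LISTEN line, or None."""
    fields = line.split()
    if len(fields) < 6 or fields[0] != "LISTEN":
        return None
    host, _, port = fields[3].rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    proc = re.search(r'\(\("([^"]+)"', fields[5])
    return (proc.group(1) if proc else "?", host, int(port))


def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; wildcard binds are not loopback."""
    if host == "*":  # ss prints "*" for a dual-stack wildcard bind
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_listeners(ss_output, watched=WATCHED):
    """List (process, host, port) for watched processes not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed and parsed[0] in watched and not is_loopback(parsed[1]):
            findings.append(parsed)
    return findings


if __name__ == "__main__":
    for proc, host, port in exposed_listeners(SAMPLE_SS):
        print(f"{proc} listens on {host}:{port}: bind to loopback or add a firewall rule")
```

Any listener this reports is reachable from other hosts unless a firewall rule blocks the port, which is the case the answers above say to protect.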