From 62300d7882cfc44d9977aac6b97e8fd44a195c3b Mon Sep 17 00:00:00 2001 From: Meg McRoberts Date: Tue, 26 Oct 2021 19:50:00 -0700 Subject: [PATCH 1/6] Draft for review: Security notes for Pipeline authors --- content/doc/book/security/_chapter.yml | 3 ++ .../doc/book/security/pipeline-authors.adoc | 33 +++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 content/doc/book/security/pipeline-authors.adoc diff --git a/content/doc/book/security/_chapter.yml b/content/doc/book/security/_chapter.yml index f7a36d799c28..bc747dcc4a51 100644 --- a/content/doc/book/security/_chapter.yml +++ b/content/doc/book/security/_chapter.yml @@ -18,3 +18,6 @@ sections: # Further references - services + +# New files +- pipeline-authors diff --git a/content/doc/book/security/pipeline-authors.adoc b/content/doc/book/security/pipeline-authors.adoc new file mode 100644 index 000000000000..1e6fcedcfebf --- /dev/null +++ b/content/doc/book/security/pipeline-authors.adoc 
@@ -0,0 +1,33 @@ +--- +title: Security Practices for Pipeline Authors +layout: section +--- +ifdef::backend-html5[] +:toc: +ifdef::env-github[:imagesdir: ../resources] +ifndef::env-github[:imagesdir: ../../resources] +:hide-uri-scheme: +endif::[] + +The job of securing the Jenkins instance falls mostly on administrators but Pipeline authors must also adhere to good security practices. +We summarize these here. + +== Use Credentials to Access Resources + +If your Pipeline needs to access external resources such as a database, artifact repository, or cloud, be sure to use credentials [add link] for authorization rather than coding the username/password, secret text, or other identifiers in your Pipeline. + +== Handle String Interpolation Properly + +Understand Groovy +link:/doc/book/pipeline/jenkinsfile/#string-interpolation[string interpolation] +and be very careful when passing sensitive data such as environment variables. +Never enclose sensitive environment variables in single quotes! +Data inside single quotes is subject to Groovy string interpolation, which means that Groovy evaluates the string and passes the actual value through where it may be visible as an argument to the `sh` or `bat` step or some other facility. +Data that is enclosed in double quotes is passed to the interpreter (`sh`, `bat`, `powershell`, or `pwsh` for evaluation and so is secure. + +See +link:/doc/book/pipeline/jenkinsfile/#interpolation-of-sensitive-environment-variables[Interpolation of sensitive environment variables] +and +link:/doc/book/pipeline/jenkinsfile/#injection-via-interpolation[Injection via interpolation] +for more details. + From 65f7788cd4fe6dcc2337a6480a47b8064b5040fc Mon Sep 17 00:00:00 2001 From: Meg McRoberts Date: Mon, 1 Nov 2021 03:34:43 -0700 Subject: [PATCH 2/6] "hard coding" Co-authored-by: Wadeck Follonier --- content/doc/book/security/pipeline-authors.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
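Review bot: The `_chapter.yml` hunk files the new page under a `# New files` comment appended after `# Further references`; that heading says nothing about where the page belongs and will go stale as soon as the file is no longer new. Place `- pipeline-authors` under the existing section it fits (next to the other practice-oriented pages, before the references) and drop the `# New files` comment.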
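Review bot: The quoting guidance in the new `pipeline-authors.adoc` is inverted: in Groovy, double-quoted strings are interpolated and single-quoted strings are taken literally, so `Never enclose sensitive environment variables in single quotes!` and the two sentences after it contradict the `#interpolation-of-sensitive-environment-variables` section this page links to. Swap single and double throughout that paragraph, and in the same paragraph close the parenthesis in `(`sh`, `bat`, `powershell`, or `pwsh` for evaluation`. The `[add link]` placeholder in the credentials section also needs a real xref before this can merge.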
diff --git a/content/doc/book/security/pipeline-authors.adoc b/content/doc/book/security/pipeline-authors.adoc index 1e6fcedcfebf..4bf16aa6c636 100644 --- a/content/doc/book/security/pipeline-authors.adoc +++ b/content/doc/book/security/pipeline-authors.adoc @@ -14,7 +14,7 @@ We summarize these here. == Use Credentials to Access Resources -If your Pipeline needs to access external resources such as a database, artifact repository, or cloud, be sure to use credentials [add link] for authorization rather than coding the username/password, secret text, or other identifiers in your Pipeline. +If your Pipeline needs to access external resources such as a database, artifact repository, or cloud, be sure to use credentials [add link] for authorization rather than hard coding the username/password, secret text, or other identifiers in your Pipeline. == Handle String Interpolation Properly From c19604a6afaded32e3fed894bcdc90d48ec9958f Mon Sep 17 00:00:00 2001 From: Meg McRoberts Date: Mon, 1 Nov 2021 03:35:33 -0700 Subject: [PATCH 3/6] double quotes vs single quotes Co-authored-by: Wadeck Follonier --- content/doc/book/security/pipeline-authors.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/doc/book/security/pipeline-authors.adoc b/content/doc/book/security/pipeline-authors.adoc index 4bf16aa6c636..00444377464d 100644 --- a/content/doc/book/security/pipeline-authors.adoc +++ b/content/doc/book/security/pipeline-authors.adoc 
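Review bot: Style only: as a verb, `hard coding` is normally written `hard-coding` (`rather than hard-coding the username/password`); the rest of the change is fine.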
@@ -21,9 +21,9 @@ If your Pipeline needs to access external resources such as a database, artifact Understand Groovy link:/doc/book/pipeline/jenkinsfile/#string-interpolation[string interpolation] and be very careful when passing sensitive data such as environment variables. -Never enclose sensitive environment variables in single quotes! -Data inside single quotes is subject to Groovy string interpolation, which means that Groovy evaluates the string and passes the actual value through where it may be visible as an argument to the `sh` or `bat` step or some other facility. -Data that is enclosed in double quotes is passed to the interpreter (`sh`, `bat`, `powershell`, or `pwsh` for evaluation and so is secure. +Never enclose sensitive environment variables in double quotes! +Data inside double quotes is subject to Groovy string interpolation, which means that Groovy evaluates the string and passes the actual value through where it may be visible as an argument to the `sh` or `bat` step or some other facility. +Data that is enclosed in single quotes is passed to the interpreter (`sh`, `bat`, `powershell`, or `pwsh` for evaluation and so is secure. See link:/doc/book/pipeline/jenkinsfile/#interpolation-of-sensitive-environment-variables[Interpolation of sensitive environment variables] From eeeb8ed1293876351765e354511d20cb9a6985ba Mon Sep 17 00:00:00 2001 From: Meg McRoberts Date: Tue, 11 Jan 2022 01:05:40 -0800 Subject: [PATCH 4/6] add comma Co-authored-by: Kristin Whetstone --- content/doc/book/security/pipeline-authors.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/doc/book/security/pipeline-authors.adoc b/content/doc/book/security/pipeline-authors.adoc index 00444377464d..ca698288c6cd 100644 --- a/content/doc/book/security/pipeline-authors.adoc +++ b/content/doc/book/security/pipeline-authors.adoc 
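Review bot: The single/double swap is correct, but the last sentence of the paragraph still overstates the result and still has an unclosed parenthesis. Single quotes only keep Groovy from substituting the value into the script text before the `sh`/`bat` step sees it; the interpreter still reads `$VAR` from the environment at run time, so the secret is protected from appearing as a step argument, not made secure in general. Suggested wording: `Data that is enclosed in single quotes is passed unchanged to the interpreter (`sh`, `bat`, `powershell`, or `pwsh`), which reads the variable from the environment at run time, so the secret never appears in the script text.` That also closes the parenthesis.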
@@ -9,7 +9,7 @@ ifndef::env-github[:imagesdir: ../../resources] :hide-uri-scheme: endif::[] -The job of securing the Jenkins instance falls mostly on administrators but Pipeline authors must also adhere to good security practices. +The job of securing the Jenkins instance falls mostly on administrators, but Pipeline authors must also adhere to good security practices. We summarize these here. == Use Credentials to Access Resources From 22eb3807ca37c3b36ef7fa8303d95688860400ea Mon Sep 17 00:00:00 2001 From: Meg McRoberts Date: Tue, 11 Jan 2022 04:01:58 -0800 Subject: [PATCH 5/6] link to credentials page --- content/doc/book/security/pipeline-authors.adoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/doc/book/security/pipeline-authors.adoc b/content/doc/book/security/pipeline-authors.adoc index ca698288c6cd..1272edcaf3e8 100644 --- a/content/doc/book/security/pipeline-authors.adoc +++ b/content/doc/book/security/pipeline-authors.adoc @@ -14,7 +14,9 @@ We summarize these here. == Use Credentials to Access Resources -If your Pipeline needs to access external resources such as a database, artifact repository, or cloud, be sure to use credentials [add link] for authorization rather than hard coding the username/password, secret text, or other identifiers in your Pipeline. +If your Pipeline needs to access external resources such as a database, artifact repository, or cloud, be sure to use +link:/doc/book/using/using-credentials/[credentials] +for authorization rather than hard coding the username/password, secret text, or other identifiers in your Pipeline. == Handle String Interpolation Properly From c203b46db422a3b5bbda249c8099ce798bce1a55 Mon Sep 17 00:00:00 2001 From: Meg McRoberts Date: Tue, 11 Jan 2022 17:17:08 -0800 Subject: [PATCH 6/6] Use "See" for xref to Credentials page --- content/doc/book/security/pipeline-authors.adoc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/content/doc/book/security/pipeline-authors.adoc b/content/doc/book/security/pipeline-authors.adoc index 1272edcaf3e8..e67d6685f46b 100644 --- a/content/doc/book/security/pipeline-authors.adoc +++ b/content/doc/book/security/pipeline-authors.adoc @@ -14,9 +14,8 @@ We summarize these here. == Use Credentials to Access Resources -If your Pipeline needs to access external resources such as a database, artifact repository, or cloud, be sure to use -link:/doc/book/using/using-credentials/[credentials] -for authorization rather than hard coding the username/password, secret text, or other identifiers in your Pipeline. +If your Pipeline needs to access external resources such as a database, artifact repository, or cloud, be sure to use credentials for authorization rather than hard coding the username/password, secret text, or other identifiers in your Pipeline. +See link:/doc/book/using/using-credentials/[Using Credentials] for more information. == Handle String Interpolation Properly
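Review bot: The `See ... for more information.` xref is fine, but the section still only tells authors to use credentials without saying how a Pipeline consumes them. The interpolation section that follows assumes the secret has already been bound to an environment variable, so one sentence here noting that a stored credential is bound to an environment variable for the Pipeline to use would connect the two sections and explain why the quoting rules matter.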