Draft for review: script security
This is intended as a small document that just summarizes "best practices" about script security with links to other documents for details.
@daniel-beck @Wadeck @MarkEWaite This is my first stab at this. The odds of errors, omissions, or wrong style are pretty high so feel free to critique harshly.
Also, not sure how this happened but the system-administration/backing-up.adoc file has been included here. That was in https://github.com/jenkins-infra/jenkins.io/pull/4668 which has been merged. I'll figure it out but, until I do, just ignore that part of this PR.
Question posed to gitter on 15 Feb 2022, should be answered somewhere in conjunction with this:
hello, I'm trying to figure out how the script approval thingy works. We've got a file which contains both approvedScriptHashes and approvedSignatures. approvedScriptHashes I assume are whole .groovy scripts (well, looking at the code it's a bit more complicated than that, there's "language:" prepended to it before hashing). approvedSignatures looks like methods which are explicitly allowed. Question is, if Jenkins calls an "unknown" .groovy script from a pipeline and its hash is not in approvedScriptHashes, will it run line by line as long as all methods are explicitly allowed?
if Jenkins calls an "unknown" .groovy script from a pipeline
Like a `load` step? From a sandboxed pipeline? If so then
will it run line by line as long as all methods are explicitly allowed?
yes. If not, then it will just be run (no hash check). No admin should ever approve a script which delegates to some other unspecified script. That would be like signing a blank check and taping it to your front door.
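An added example, not code from this PR or from the Script Security plugin: a Python audit of an approvals file holding the two lists named in the question, reporting which known scripts have an approved hash and which approved signatures let sandboxed code evaluate further Groovy. The `<string>` element layout, the `language:script` digest forms, the review list and the sample scripts are assumptions or constructed data.

```python
import hashlib
import xml.etree.ElementTree as ET

def script_hashes(script, language="groovy"):
    # Assumption: a whole-script approval is a digest of "<language>:<script>",
    # stored as SHA-1 hex or as "SHA512:" followed by SHA-512 hex.
    data = f"{language}:{script}".encode("utf-8")
    return {hashlib.sha1(data).hexdigest(),
            "SHA512:" + hashlib.sha512(data).hexdigest()}

# Signatures that let sandboxed code evaluate further Groovy text. This review
# list is chosen for the example and is not exhaustive.
DELEGATING = ("method groovy.lang.GroovyShell ", "new groovy.lang.GroovyShell",
              "staticMethod groovy.util.Eval ")

def load_approvals(xml_text):
    # Assumed layout: each list element holds <string> children.
    root = ET.fromstring(xml_text)
    def strings(tag):
        node = root.find(tag)
        return [] if node is None else [s.text or "" for s in node.findall("string")]
    return set(strings("approvedScriptHashes")), strings("approvedSignatures")

def audit(xml_text, scripts):
    hashes, signatures = load_approvals(xml_text)
    return {
        "approved_scripts": sorted(name for name, body in scripts.items()
                                   if script_hashes(body) & hashes),
        "delegating_signatures": [s for s in signatures if s.startswith(DELEGATING)],
    }

# Constructed sample data: an approved script that loads a second file.
APPROVED = "def helper = load 'deploy.groovy'\nhelper.run()\n"
LOADED = "def run() { echo 'deploy' }\nreturn this\n"
SAMPLE_XML = f"""<scriptApproval>
  <approvedScriptHashes>
    <string>{hashlib.sha1(('groovy:' + APPROVED).encode('utf-8')).hexdigest()}</string>
  </approvedScriptHashes>
  <approvedSignatures>
    <string>method java.lang.String trim</string>
    <string>method groovy.lang.GroovyShell evaluate java.lang.String</string>
  </approvedSignatures>
</scriptApproval>"""

if __name__ == "__main__":
    print(audit(SAMPLE_XML, {"Jenkinsfile": APPROVED, "deploy.groovy": LOADED}))
```

In the sample, `deploy.groovy` has no entry in `approved_scripts`, and per the reply above a non-sandboxed run would not check its hash, so the hash list alone does not describe what actually runs.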
Please take a moment and address the merge conflicts of your pull request. Thanks!