Class RouteAwareUrlMatcher

java.lang.Object
io.jenkins.plugins.auditlogger.RouteAwareUrlMatcher

public class RouteAwareUrlMatcher extends Object
Route-aware URL matching for security-critical Jenkins operations.

SECURITY: Replaces naive string matching (contains/endsWith) with proper route analysis. Prevents bypass via:
- Arbitrary prefixes (/static/lol/restart)
- Arbitrary suffixes (query params, fragments)
- Job/view names that happen to match keywords
- Jenkins' flexible path routing

Methodology:
1. Normalize the URI (strip context, fragments, query params)
2. Parse the path into segments
3. Match against known action patterns
4. Validate segment count and structure
5. Extract relevant identifiers
  • Constructor Details

    • RouteAwareUrlMatcher

      public RouteAwareUrlMatcher()
  • Method Details

    • isRestartAction

      public static boolean isRestartAction(String uri)
      Checks if the URI is a restart action endpoint.

      Valid patterns:
      - /restart, /safeRestart (global)
      - /manage/restart, /manage/safeRestart (manage page)
      - /updateCenter/restart, /updateCenter/safeRestart (post-plugin-install flow)

      Invalid patterns that would bypass string matching:
      - /static/restart (prefix noise)
      - /job/restart (job name collision)
      - /view/script (view name "script")
    • isPluginManagerAction

      public static boolean isPluginManagerAction(String uri)
      Checks whether the URI accesses a plugin manager endpoint. Valid patterns must start with /pluginManager or /plugin and must NOT be an item-scoped path such as /job/plugins/...
    • isPluginInstallAction

      public static boolean isPluginInstallAction(String uri)
      Checks if URI is an exact plugin installation endpoint.
    • isPluginUpdateAction

      public static boolean isPluginUpdateAction(String uri)
      Checks if URI is an exact plugin update endpoint.
    • classifyPluginLifecycleAction

      public static String classifyPluginLifecycleAction(String uri)
      Classifies exact plugin lifecycle endpoints for enable, disable, and uninstall actions.
    • isConfigurationChange

      public static boolean isConfigurationChange(String uri)
      Checks if the URI is a configuration/security change endpoint.

      Valid patterns:
      - /configureSecurity, /manage/configureSecurity, /manage/configureSecurity/configure
      - /manage/configure, /configSubmit, /manage/configSubmit
    • extractUriParameter

      public static String extractUriParameter(String uri, String paramName)
      Extracts the value of the named parameter safely from the URI. Handles URL encoding and prevents injection via getQueryParams.
    • extractPluginName

      public static String extractPluginName(String uri)
      Extracts the plugin name from plugin manager URIs.
      - /pluginManager/plugin/git/uninstall → git
      - /plugin/git/doUninstall → git
    • isLikelyJobName

      public static boolean isLikelyJobName(String segment)
      Checks whether a URI path segment is a known Jenkins job/item name rather than a route keyword. This helps prevent false positives where a job happens to be named "script" or "restart".
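The five-step methodology in the class description, the isRestartAction route list and the extractPluginName shapes are illustrated below by an added example. It is not the plugin's RouteAwareUrlMatcher source; the class name RouteMatchDemo, the /jenkins context path, and the set of lifecycle action names (uninstall, doUninstall, enable, disable) are assumptions for the demo. The naive contains() check is shown alongside so the bypass cases from the class description can be compared directly.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/** Illustrative re-implementation of the route-aware matching steps; not the plugin's own class. */
public final class RouteMatchDemo {

    // Assumed servlet context path for the demo; deployments differ.
    static final String CONTEXT_PATH = "/jenkins";

    // Step 3: the exact restart routes listed under isRestartAction.
    static final Set<List<String>> RESTART_ROUTES = Set.of(
            List.of("restart"),
            List.of("safeRestart"),
            List.of("manage", "restart"),
            List.of("manage", "safeRestart"),
            List.of("updateCenter", "restart"),
            List.of("updateCenter", "safeRestart"));

    // Assumed lifecycle action names for the two URI shapes shown under extractPluginName.
    static final Set<String> PLUGIN_ACTIONS = Set.of("uninstall", "doUninstall", "enable", "disable");

    /** The naive approach the page replaces: any URI containing the keyword matches. */
    static boolean naiveIsRestart(String uri) {
        return uri != null && uri.toLowerCase().contains("restart");
    }

    /**
     * Steps 1 and 2: drop query and fragment, resolve dot segments, strip the context
     * path, then split on '/' BEFORE percent-decoding each segment so an encoded slash
     * (%2F) inside a job name cannot create a new segment boundary.
     * Anything unparseable yields an empty list, which matches no route.
     */
    static List<String> pathSegments(String uri) {
        if (uri == null) return List.of();
        String rawPath;
        try {
            rawPath = new URI(uri).normalize().getRawPath();
        } catch (URISyntaxException e) {
            return List.of();
        }
        if (rawPath == null) return List.of();
        if (rawPath.equals(CONTEXT_PATH) || rawPath.startsWith(CONTEXT_PATH + "/")) {
            rawPath = rawPath.substring(CONTEXT_PATH.length());
        }
        List<String> segments = new ArrayList<>();
        for (String raw : rawPath.split("/")) {
            if (raw.isEmpty()) continue;             // tolerates duplicate and trailing slashes
            try {
                // Note: URLDecoder also maps '+' to a space, acceptable for this demo.
                segments.add(URLDecoder.decode(raw, StandardCharsets.UTF_8));
            } catch (IllegalArgumentException e) {  // malformed %-escape: refuse to match
                return List.of();
            }
        }
        return segments;
    }

    /** Steps 3 and 4: whole-route equality checks segment count and structure together. */
    static boolean isRestartAction(String uri) {
        return RESTART_ROUTES.contains(pathSegments(uri));
    }

    /**
     * Step 5: pull the plugin identifier out of the two shapes shown on the page,
     * /pluginManager/plugin/<name>/<action> and /plugin/<name>/<action>.
     * Returns null when the route does not have exactly one of those shapes.
     */
    static String extractPluginName(String uri) {
        List<String> s = pathSegments(uri);
        if (s.size() == 4 && s.get(0).equals("pluginManager") && s.get(1).equals("plugin")
                && PLUGIN_ACTIONS.contains(s.get(3))) {
            return s.get(2);
        }
        if (s.size() == 3 && s.get(0).equals("plugin") && PLUGIN_ACTIONS.contains(s.get(2))) {
            return s.get(1);
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample request paths for the demo, not taken from a real Jenkins log.
        String[] samples = {
                "/jenkins/restart",
                "/jenkins/manage/safeRestart?from=%2Fmanage",
                "/jenkins/updateCenter/restart#top",
                "/jenkins/manage/../restart",
                "/jenkins/static/lol/restart",
                "/jenkins/job/restart/build",
                "/jenkins/job/nightly%2Frestart/",
                "/jenkins/pluginManager/plugin/git/uninstall",
                "/jenkins/plugin/git/doUninstall",
        };
        System.out.printf("%-48s %-6s %-6s %s%n", "uri", "naive", "route", "plugin");
        for (String uri : samples) {
            System.out.printf("%-48s %-6b %-6b %s%n",
                    uri, naiveIsRestart(uri), isRestartAction(uri), extractPluginName(uri));
        }
    }
}
```

Running the demo prints one row per sample: the prefix-noise, job-name-collision and encoded-slash cases are flagged by the naive check but rejected by the route match, while the query, fragment and dot-segment variants of legitimate restart routes still match after normalization.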