Add regex support for parameter filtering and improve permission handling

[F11GAR0]

Summary

This PR addresses two critical issues in the copyArtifacts parameter filtering:

• Regex Support: ParametersBuildFilter now supports regular expressions in parameter values
• Permission Handling: Improved error handling when build environment access is restricted

Changes Made

1. Regex Support in Parameter Filtering

• Problem: Parameter filters like VERSION=8.* failed to match builds with VERSION=8.0.0 because only exact string matching was supported.
• Solution: Added intelligent parameter matching that:
  • Automatically detects regex patterns (containing .*+?^$()[]{}|)
  • Uses Pattern.matcher() for regex matching
  • Falls back to exact string matching for plain values
  • Handles invalid regex gracefully

Examples:

// Now works: regex matching
copyArtifacts(parameters: "VERSION=8.*")    // matches 8.0.0, 8.1.0, etc.
copyArtifacts(parameters: "BRANCH=main")    // exact matching
copyArtifacts(parameters: "TAG=v1\\..*")    // escaped regex

2. Improved Permission Handling

• Problem: Parameter filtering failed when run.getEnvironment() threw exceptions due to permission restrictions.
• Solution: Added fallback mechanism:
  • First attempts getEnvironment() for full compatibility
  • Falls back to extracting parameters from ParametersAction
  • Enhanced error handling prevents build selection failures

3. Debug Logging

Added comprehensive FINE-level logging for troubleshooting:

• Build selection process details
• Parameter matching results
• Permission access issues
• Regex vs exact matching indicators

Testing

• Added test case testFilterByParametersWithRestrictedAccess() covering regex matching
• All existing tests pass
• Backward compatibility maintained

Breaking Changes

None. All existing parameter filters continue to work exactly as before.

[Copilot]

Pull request overview

This PR adds regex support for parameter filtering in the CopyArtifact plugin and attempts to improve permission handling when build environment access is restricted. The changes introduce automatic regex pattern detection based on the presence of special characters, add fallback logic for extracting parameters when getEnvironment() fails, and include extensive debug logging.

Changes:

• Added regex matching capability to ParametersBuildFilter with automatic pattern detection
• Implemented fallback mechanism to extract parameters from ParametersAction when getEnvironment() fails
• Added comprehensive FINE-level debug logging across multiple classes

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 10 comments.

File	Description
src/main/java/hudson/plugins/copyartifact/ParametersBuildFilter.java	Implements regex matching logic, adds fallback for parameter extraction, includes new helper method matchesParameterValue() and extensive logging
src/test/java/hudson/plugins/copyartifact/CopyArtifactTest.java	Adds test case for regex matching functionality (though test name suggests restricted access testing)
src/main/java/hudson/plugins/copyartifact/CopyArtifact.java	Adds debug logging for build selection process
src/main/java/hudson/plugins/copyartifact/BuildSelector.java	Adds debug logging for build selection process

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The isValid method doesn't include the same fallback mechanism that was added to isSelectable. If getEnvironment() throws an exception due to permission restrictions or other reasons, isValid will return false, preventing the filter from being used at all - even though the builds might have the required parameters accessible via ParametersAction.

For consistency with the isSelectable fix, isValid should also attempt to extract parameters from ParametersAction when getEnvironment() fails.

Suggested change

	new Object[]{run.getNumber(), ex.getMessage()});
	new Object[]{run.getNumber(), ex.getMessage()});
	// Fallback: attempt to determine validity from ParametersAction if environment is not accessible
	ParametersAction parametersAction = run.getAction(ParametersAction.class);
	if (parametersAction != null) {
	boolean allPresent = true;
	for (StringParameterValue spv : filters) {
	ParameterValue pv = parametersAction.getParameter(spv.getName());
	if (pv == null) {
	LOGGER.log(Level.FINE,
	"ParametersBuildFilter.isValid: Build #{0} missing parameter {1} in ParametersAction fallback, continuing search",
	new Object[]{run.getNumber(), spv.getName()});
	allPresent = false;
	break;
	}
	}
	if (allPresent) {
	LOGGER.log(Level.FINE,
	"ParametersBuildFilter.isValid: Found valid build #{0} for job {1} using ParametersAction fallback",
	new Object[]{run.getNumber(), job.getFullName()});
	return true;
	}
	}

[Copilot]

The regex detection pattern checks for the presence of any regex special character, but this means a value like "8." will be treated as a regex. However, if the user intends to match the literal string "8." (which is a valid version number format in some systems), they would have to escape it as "8\.\*", which is unintuitive.

The PR description shows "TAG=v1\.." as an example, but this creates ambiguity: is the user escaping dots to match literal dots, or are they writing a regex? With the current implementation, both "v1.." and "v1\..*" would be treated as regex because they contain special characters.

Consider one of the following approaches:

1. Require an explicit opt-in mechanism for regex (e.g., a "regex:" prefix or a separate configuration field)
2. Document the escaping requirements very clearly
3. Use a different heuristic (e.g., only treat as regex if it starts/ends with specific markers)

[Copilot]

The same CaptureEnvironmentBuilder instance (envStep) is being reused and added to multiple different FreeStyleProject instances. Each time a new project 'p' is created, the same envStep is added to its builder list.

This could lead to unexpected behavior because:

1. The same builder instance is shared across multiple projects
2. When checking envStep.getEnvVars(), it's unclear which project's environment is being captured

The test should create a new CaptureEnvironmentBuilder instance for each project, similar to the pattern used in other tests in this file (e.g., line 1144, 1177, 1210).

Suggested change

	CaptureEnvironmentBuilder envStep = new CaptureEnvironmentBuilder();
	p.getBuildersList().add(envStep);
	FreeStyleBuild b = p.scheduleBuild2(0, new Cause.UserIdCause()).get();
	rule.assertBuildStatusSuccess(b);
	assertEquals("1", envStep.getEnvVars().get("COPYARTIFACT_BUILD_NUMBER_SOURCE_JOB"));
	// Test filtering by VERSION=9 should find build #2
	p = createProject(other.getName(), "VERSION=9", "*.txt", "", true, false, false, true);
	p.getBuildersList().add(envStep);
	b = p.scheduleBuild2(0, new Cause.UserIdCause()).get();
	rule.assertBuildStatusSuccess(b);
	assertEquals("2", envStep.getEnvVars().get("COPYARTIFACT_BUILD_NUMBER_SOURCE_JOB"));
	// Test filtering by VERSION=8.* (regex) should find build #3 (VERSION=8.0.0)
	p = createProject(other.getName(), "VERSION=8.*", "*.txt", "", true, false, false, true);
	p.getBuildersList().add(envStep);
	b = p.scheduleBuild2(0, new Cause.UserIdCause()).get();
	rule.assertBuildStatusSuccess(b);
	assertEquals("3", envStep.getEnvVars().get("COPYARTIFACT_BUILD_NUMBER_SOURCE_JOB"));
	CaptureEnvironmentBuilder envStep1 = new CaptureEnvironmentBuilder();
	p.getBuildersList().add(envStep1);
	FreeStyleBuild b = p.scheduleBuild2(0, new Cause.UserIdCause()).get();
	rule.assertBuildStatusSuccess(b);
	assertEquals("1", envStep1.getEnvVars().get("COPYARTIFACT_BUILD_NUMBER_SOURCE_JOB"));
	// Test filtering by VERSION=9 should find build #2
	p = createProject(other.getName(), "VERSION=9", "*.txt", "", true, false, false, true);
	CaptureEnvironmentBuilder envStep2 = new CaptureEnvironmentBuilder();
	p.getBuildersList().add(envStep2);
	b = p.scheduleBuild2(0, new Cause.UserIdCause()).get();
	rule.assertBuildStatusSuccess(b);
	assertEquals("2", envStep2.getEnvVars().get("COPYARTIFACT_BUILD_NUMBER_SOURCE_JOB"));
	// Test filtering by VERSION=8.* (regex) should find build #3 (VERSION=8.0.0)
	p = createProject(other.getName(), "VERSION=8.*", "*.txt", "", true, false, false, true);
	CaptureEnvironmentBuilder envStep3 = new CaptureEnvironmentBuilder();
	p.getBuildersList().add(envStep3);
	b = p.scheduleBuild2(0, new Cause.UserIdCause()).get();
	rule.assertBuildStatusSuccess(b);
	assertEquals("3", envStep3.getEnvVars().get("COPYARTIFACT_BUILD_NUMBER_SOURCE_JOB"));

[Copilot]

The regex pattern detection does not protect against ReDoS (Regular Expression Denial of Service) attacks. A malicious user could provide a pathological regex pattern (e.g., "(a+)+b" with input "aaaa...aaac") that causes catastrophic backtracking, potentially freezing the Jenkins instance.

Consider adding a timeout mechanism for regex matching or validating patterns for known dangerous constructs before compilation.

[Copilot]

The matchType variable is calculated twice unnecessarily: once when there's a mismatch (line 183) and again when there's a match (line 188). This duplicates the regex pattern check.

Consider calculating matchType once before the conditional check and reusing it in both log statements.

Suggested change

	if (!matchesParameterValue(expectedValue, actualValue)) {
	String matchType = REGEX_PATTERN.matcher(expectedValue).find() ? "regex" : "exact";
	LOGGER.log(Level.FINE, "ParametersBuildFilter.isSelectable: Build #{0} parameter mismatch ({4}) - {1}: expected ''{2}'', got ''{3}''",
	new Object[]{run.getNumber(), spv.getName(), expectedValue, actualValue, matchType});
	return false;
	}
	String matchType = REGEX_PATTERN.matcher(expectedValue).find() ? "regex" : "exact";
	String matchType = REGEX_PATTERN.matcher(expectedValue).find() ? "regex" : "exact";
	if (!matchesParameterValue(expectedValue, actualValue)) {
	LOGGER.log(Level.FINE, "ParametersBuildFilter.isSelectable: Build #{0} parameter mismatch ({4}) - {1}: expected ''{2}'', got ''{3}''",
	new Object[]{run.getNumber(), spv.getName(), expectedValue, actualValue, matchType});
	return false;
	}

[Copilot]

The test name "testFilterByParametersWithRestrictedAccess" is misleading. The test doesn't actually test restricted access scenarios or permission restrictions as described in the PR description and test comments. It simply tests regex matching functionality without setting up any permission restrictions or simulating getEnvironment() failures.

To properly test the restricted access scenario mentioned in the PR description, the test should simulate conditions where getEnvironment() throws an exception, forcing the fallback to ParametersAction.

[Copilot]

The REGEX_PATTERN used to detect regex special characters includes the backslash character (\\), which means any string containing a backslash will be treated as a regex. This could cause unexpected behavior for Windows paths (e.g., "C:\Program Files") or escaped strings that users intend to match literally.

This heuristic may not be appropriate for all use cases. Consider documenting this behavior clearly or providing an explicit way for users to opt-in to regex matching (e.g., a separate parameter or a specific prefix/suffix pattern).

Suggested change

	private static final Pattern REGEX_PATTERN = Pattern.compile("[.*+?^$()\\[\\]{}|\\\\]");
	private static final Pattern REGEX_PATTERN = Pattern.compile("[.*+?^$()\\[\\]{}|]");

[Copilot]

The Pattern is compiled on every invocation of matchesParameterValue. For better performance, consider caching compiled patterns, especially since the same expectedValue may be checked against multiple builds. This could be significant when iterating through many builds.

Consider using a cache (e.g., a Map or Guava's LoadingCache with a size limit) to store compiled patterns keyed by the expectedValue string.

[Copilot]

The log message includes an unused placeholder {3} (set to null). The message format uses 5 placeholders ({0} through {4}), but only 4 values are provided in the Object array, with the 4th value being null. This appears to be a copy-paste error from the mismatch log message above.

Either remove the unused placeholder from the format string or provide the actual value if it's needed.

Suggested change

	LOGGER.log(Level.FINE, "ParametersBuildFilter.isSelectable: Build #{0} parameter match ({4}) - {1}=''{2}''",
	new Object[]{run.getNumber(), spv.getName(), actualValue, null, matchType});
	LOGGER.log(Level.FINE, "ParametersBuildFilter.isSelectable: Build #{0} parameter match ({3}) - {1}=''{2}''",
	new Object[]{run.getNumber(), spv.getName(), actualValue, matchType});

[Copilot]

The refactoring removed the special handling for non-AbstractBuild runs (like WorkflowRun). Previously, the code checked if the run was not an AbstractBuild and manually extracted parameters from ParametersAction because Run.getEnvironment() doesn't include build parameters, only AbstractBuild.getEnvironment() does.

Now, this manual parameter extraction only happens in the fallback path when getEnvironment() fails. This means for WorkflowRun builds where getEnvironment() succeeds but doesn't include parameters, the parameter matching will fail incorrectly.

The fix should ensure that for non-AbstractBuild runs, parameters are always extracted from ParametersAction, regardless of whether getEnvironment() succeeds or fails.

[F11GAR0]

i prefer review from humans, not from beep blop bloop machine

[MarkEWaite]

i prefer review from humans, not from beep blop bloop machine

That is your choice, but your choice has consequences.

I prefer to have pull request submitters respond to reviews from tools before I spend human time reviewing a pull request. Those tools currently include

• Checkstyle
• Code coverage
• Copy / paste detector
• PMD
• Spotbugs
• Automated tests on Java 25
• Automated tests on Java 21

It also includes the review from GitHub Copilot.

Since I'm the only active reviewer of pull requests on this plugin and I have many areas that are much more interesting than this plugin, I'm unlikely to review this pull request for at least a month or two, even if you respond to the comments from GitHub Copilot. Your decision to not respond to the comments from GitHub Copilot increases the likelihood that I won't review this pull request.

Since you're not interested in responding to machine generated reviews and I'm not planning to review this pull request for several months, should we close this pull request?