[JENKINS-75321] Clarify the message displayed when loading the content of build history widget

(cherry picked from commit 5d65d11)

Author: Vlatombe

cli/src/main/java/hudson/cli/CLI.java

@@ -318,31 +318,20 @@ public static int _main(String[] _args) throws Exception {
         throw new AssertionError();
     }
 
-    private static File validateAndSanitizePath(String userInput) {
-        // Define a base directory for validation
-        String baseDir = "/safe/base/directory";
-        Path basePath = Paths.get(baseDir).toAbsolutePath().normalize();
-        Path userPath = Paths.get(userInput).toAbsolutePath().normalize();
-
-        // Check if the user path is within the base directory
-        if (!userPath.startsWith(basePath)) {
-            throw new IllegalArgumentException("Invalid file path");
-        }
-
-        // Sanitize the path (e.g., remove dangerous characters)
-        String sanitizedPath = userPath.toString().replaceAll("[^a-zA-Z0-9./_-]", "");
-        return new File(sanitizedPath);
-    }
-
-    @SuppressFBWarnings("PATH_TRAVERSAL_IN")
+    @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "User provided value for running the program.")
     private static String readAuthFromFile(String auth) throws IOException {
-        Path path = validateAndSanitizePath(auth.substring(1)).toPath();
+        Path path;
+        try {
+            path = Paths.get(auth.substring(1));
+        } catch (InvalidPathException e) {
+            throw new IOException(e);
+        }
         return Files.readString(path, Charset.defaultCharset());
     }
 
-    @SuppressFBWarnings("PATH_TRAVERSAL_IN")
+    @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "User provided value for running the program.")
     private static File getFileFromArguments(List<String> args) {
-        return validateAndSanitizePath(args.get(1));
+        return new File(args.get(1));
     }
 
     private static int webSocketConnection(String url, List<String> args, CLIConnectionFactory factory) throws Exception {
@@ -354,17 +343,20 @@ public void onOpen(Session session, EndpointConfig config) {}
 
         class Authenticator extends ClientEndpointConfig.Configurator {
             HandshakeResponse hr;
+
             @Override
             public void beforeRequest(Map<String, List<String>> headers) {
                 if (factory.authorization != null) {
                     headers.put("Authorization", List.of(factory.authorization));
                 }
             }
+
             @Override
             public void afterResponse(HandshakeResponse hr) {
                 this.hr = hr;
             }
         }
+
         var authenticator = new Authenticator();
 
         ClientManager client = ClientManager.createClient(JdkClientContainer.class.getName()); // ~ ContainerProvider.getWebSocketContainer()

core/src/main/java/hudson/DescriptorExtensionList.java

@@ -26,6 +26,7 @@
 
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.model.Describable;
 import hudson.model.Descriptor;
 import hudson.model.Descriptor.FormException;
@@ -274,6 +275,7 @@ protected Descriptor adapt(ExtensionComponent<Descriptor> item) {
     /**
      * Exposed just for the test harness. Clear legacy instances.
      */
+    @SuppressFBWarnings(value = "HSM_HIDING_METHOD", justification = "TODO needs triage")
     public static void clearLegacyInstances() {
         legacyDescriptors.clear();
     }

core/src/main/java/hudson/console/ModelHyperlinkNote.java

@@ -1,6 +1,7 @@
 package hudson.console;
 
 import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Extension;
 import hudson.model.Computer;
 import hudson.model.Item;
@@ -66,6 +67,7 @@ public static String encodeTo(Label label) {
         return encodeTo("/" + label.getUrl(), label.getName());
     }
 
+    @SuppressFBWarnings(value = "HSM_HIDING_METHOD", justification = "TODO needs triage")
     public static String encodeTo(String url, String text) {
         return HyperlinkNote.encodeTo(url, text, ModelHyperlinkNote::new);
     }

core/src/main/java/hudson/model/AutoCompletionCandidates.java

@@ -109,7 +109,6 @@ public static <T extends Item> AutoCompletionCandidates ofJobNames(final Class<T
      *      The nearby contextual {@link ItemGroup} to resolve relative job names from.
      * @since 1.553
      */
-    @SuppressFBWarnings(value = "SBSC_USE_STRINGBUFFER_CONCATENATION", justification = "no big deal")
     public static  <T extends Item> AutoCompletionCandidates ofJobNames(final Class<T> type, final String value, ItemGroup container) {
         final AutoCompletionCandidates candidates = new AutoCompletionCandidates();
         class Visitor extends ItemVisitor {

core/src/main/java/hudson/model/FileParameterValue.java

@@ -164,7 +164,7 @@ public org.apache.commons.fileupload.FileItem getFile() {
     @Override
     public BuildWrapper createBuildWrapper(AbstractBuild<?, ?> build) {
         return new BuildWrapper() {
-            @SuppressFBWarnings(value = {"FILE_UPLOAD_FILENAME", "NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE"}, justification = "TODO needs triage")
+            @SuppressFBWarnings(value = "NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE", justification = "TODO needs triage")
             @Override
             public Environment setUp(AbstractBuild build, Launcher launcher, BuildListener listener) throws IOException, InterruptedException {
                 if (location != null && !location.isEmpty() && file.getName() != null && !file.getName().isEmpty()) {

core/src/main/resources/hudson/widgets/HistoryWidget/index.jelly

@@ -49,7 +49,10 @@ THE SOFTWARE.
                     clazz="${page.runs.isEmpty() and page.queueItems.isEmpty() ? 'jenkins-hidden' : ''}"/>
 
       <div class="app-builds-container">
-        <div id="no-builds" class="app-builds-container__placeholder">
+        <div id="loading-builds" class="app-builds-container__placeholder">
+          <l:spinner text="${%Loading builds...}"/>
+        </div>
+        <div id="no-builds" style="display:none" class="app-builds-container__placeholder">
           ${%No builds}
         </div>
 

src/main/js/pages/project/builds-card.js

@@ -9,6 +9,7 @@ const ajaxUrl = buildHistoryPage.getAttribute("page-ajax");
 const card = document.querySelector("#jenkins-builds");
 const contents = card.querySelector("#jenkins-build-history");
 const container = card.querySelector(".app-builds-container");
+const loadingBuilds = card.querySelector("#loading-builds");
 const noBuilds = card.querySelector("#no-builds");
 
 // Pagination controls
@@ -58,6 +59,7 @@ function load(options = {}) {
         if (responseText.trim() === "") {
           contents.innerHTML = "";
           noBuilds.style.display = "block";
+          loadingBuilds.style.display = "none";
           updateCardControls({
             pageHasUp: false,
             pageHasDown: false,
@@ -69,7 +71,7 @@ function load(options = {}) {
 
         // Show the refreshed builds list
         contents.innerHTML = responseText;
-        noBuilds.style.display = "none";
+        loadingBuilds.style.display = "none";
         behaviorShim.applySubtree(contents);
 
         // Show the card controls
@@ -146,6 +148,7 @@ document.addEventListener("DOMContentLoaded", function () {
     debouncedLoad();
   });
 
+  container.classList.add("app-builds-container--loading");
   load();
 
   window.addEventListener("focus", function () {