Harden showcase apps and convert READMEs to Markdown

apps/rest-showcase/README.md

@@ -0,0 +1,18 @@
+# Rest Showcase
+
+> **WARNING:** This application is a demonstration/development tool only. It is **NOT** intended for production
+> deployment. Deploying this application on a publicly accessible server may pose security risks.
+
+Rest Showcase is a simple example of a REST app built with the REST plugin.
+
+For more on getting started with Struts, see:
+
+- https://struts.apache.org/getting-started/
+
+## I18N
+
+Please note that this project was created with the assumption that it will be run in an environment where the default
+locale is set to English. This means that the default messages defined in `package.properties` are in English.
+
+If the default locale for your server is different, then rename `package.properties` to `package_en.properties` and
+create a new `package.properties` with proper values for your default locale.

apps/showcase/README.md

@@ -0,0 +1,19 @@
+# Showcase
+
+> **WARNING:** This application is a demonstration/development tool only. It is **NOT** intended for production
+> deployment. It contains features such as source code viewing that intentionally expose internal application details.
+> Deploying this application on a publicly accessible server may pose security risks.
+
+Showcase is a collection of examples with code that you might adopt and adapt in your own applications.
+
+For more on getting started with Struts, see:
+
+- https://struts.apache.org/getting-started/
+
+## I18N
+
+Please note that this project was created with the assumption that it will be run in an environment where the default
+locale is set to English. This means that the default messages defined in `package.properties` are in English.
+
+If the default locale for your server is different, then rename `package.properties` to `package_en.properties` and
+create a new `package.properties` with proper values for your default locale.

apps/showcase/src/main/java/org/apache/struts2/showcase/source/ViewSourceAction.java

@@ -30,7 +30,9 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
-import java.net.URL;
+import java.net.URI;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -90,7 +92,11 @@ public String execute() throws IOException {
         if (config != null && config.startsWith("file:/")) {
             int pos = config.lastIndexOf(':');
             configLine = Integer.parseInt(config.substring(pos + 1));
-            configLines = read(new URL(config.substring(0, pos)).openStream(), configLine);
+            String fileUrl = config.substring(0, pos);
+            Path configPath = resolveAllowedConfigPath(fileUrl);
+            if (configPath != null) {
+                configLines = read(Files.newInputStream(configPath), configLine);
+            }
         }
         return SUCCESS;
     }
@@ -227,6 +233,29 @@ private List<String> read(InputStream in, int targetLineNumber) {
         return snippet;
     }
 
+    /**
+     * Resolves the given file URL to a real path if it points to an XML file within the webapp's
+     * deployment directory, preventing arbitrary file reads via crafted config parameters.
+     *
+     * @return the resolved path if allowed, or null if the path is outside the webapp or not an XML file
+     */
+    private Path resolveAllowedConfigPath(String fileUrl) {
+        try {
+            Path filePath = Path.of(new URI(fileUrl)).toRealPath();
+            String realBasePath = servletContext.getRealPath("/");
+            if (realBasePath == null) {
+                return null;
+            }
+            Path basePath = Path.of(realBasePath).toRealPath();
+            if (filePath.startsWith(basePath) && filePath.toString().endsWith(".xml")) {
+                return filePath;
+            }
+            return null;
+        } catch (Exception e) {
+            return null;
+        }
+    }
+
     @Override
     public void withServletContext(ServletContext arg0) {
         this.servletContext = arg0;