From 6caa9a92738ccef932006c9e74d83169dc9c34ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Blin?=
 <sebastien.blin@savoirfairelinux.com>
Date: Tue, 4 Jul 2023 08:11:14 -0400
Subject: [PATCH] tomcatlauncher: do not use root path as context

This allows anybody to access some unwanted files. Use a
subdirectory (/app) to serve only the necessary files.

GitLab: #104
Change-Id: I6bd13c882632c00b096f7d7f62fc1bb5a94dbea9
---
 .../net/jami/jams/server/core/TomcatLauncher.java    | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/jams-server/src/main/java/net/jami/jams/server/core/TomcatLauncher.java b/jams-server/src/main/java/net/jami/jams/server/core/TomcatLauncher.java
index 8c848ca6..9b52529a 100644
--- a/jams-server/src/main/java/net/jami/jams/server/core/TomcatLauncher.java
+++ b/jams-server/src/main/java/net/jami/jams/server/core/TomcatLauncher.java
@@ -38,6 +38,7 @@ import org.apache.tomcat.util.descriptor.web.ErrorPage;
 import java.io.File;
 import java.nio.file.Files;
 import java.nio.file.Paths;
+import java.nio.file.Path;
 
 import static net.jami.jams.server.Server.certificateAuthority;
 
@@ -92,9 +93,16 @@ public class TomcatLauncher {
     public void startServer() {
         String jarName = System.getProperty("user.dir") + File.separator + "jams-server.jar";
         log.info("JAR Resource File = " + jarName);
-        context = (StandardContext) tomcat.addWebapp("", new File(System.getProperty("user.dir")).getAbsolutePath());
+        String contextPath = new File(System.getProperty("user.dir")).getAbsolutePath() + File.separator + "app";
+        try {
+            Path path = Paths.get(contextPath);
+            Files.createDirectories(path);
+        } catch (Exception e) {
+            log.error("Could not create context directory", e);
+        }
+        context = (StandardContext) tomcat.addWebapp("", contextPath);
         context.getJarScanner().setJarScanFilter((jarScanType, s) -> false);
-        log.info("Serving application from: " + new File(System.getProperty("user.dir")).getAbsolutePath());
+        log.info("Serving application from: " + contextPath);
         WebResourceRoot resources = new StandardRoot(context);
         if (jarName.contains(".jar")) {
             resources.addPreResources(
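Review bot: The catch around `Files.createDirectories(path)` only logs the failure and then falls through to `tomcat.addWebapp("", contextPath)`, so startup continues against a docBase that may not exist; whether Tomcat then creates it, serves nothing, or fails later is not visible from this hunk. Since creating the `app` subdirectory is the whole point of the fix (it narrows what the root context can serve), a failure to set it up should stop startServer rather than be logged, e.g. `} catch (IOException e) {` followed by `throw new IllegalStateException("Could not create context directory " + contextPath, e);` — Files.createDirectories declares only IOException, so the broad `catch (Exception e)` can be narrowed at the same time (java.io.IOException would need importing if it is not already in scope). A short comment above the try, `// Serve only <user.dir>/app so the root context cannot expose other files under user.dir`, would record in the code the intent the commit message carries. startServer's body continues past the end of the hunk.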
-- 
GitLab