load XSLT from JAR, if no local file is found; fixes #27598

Keelhaul · Keelhaul · commit 92399f627f61 · 2026-02-16T16:37:03.000+01:00
diff --git a/goobi-viewer-connector/src/main/java/io/goobi/viewer/connector/oai/model/formats/MARCXMLFormat.java b/goobi-viewer-connector/src/main/java/io/goobi/viewer/connector/oai/model/formats/MARCXMLFormat.java
@@ -15,19 +15,34 @@
  */
 package io.goobi.viewer.connector.oai.model.formats;
 
-import java.io.FileInputStream;
+import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.Arrays;
 import java.util.List;
 
+import javax.xml.XMLConstants;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.URIResolver;
+import javax.xml.transform.stream.StreamSource;
+
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.solr.client.solrj.SolrServerException;
+import org.jdom2.Document;
 import org.jdom2.Element;
 import org.jdom2.Namespace;
-import org.jdom2.transform.XSLTransformException;
-import org.jdom2.transform.XSLTransformer;
+import org.jdom2.transform.JDOMResult;
+import org.jdom2.transform.JDOMSource;
 
 import io.goobi.viewer.connector.DataManager;
 import io.goobi.viewer.connector.oai.RequestHandler;
@@ -47,6 +62,8 @@ public class MARCXMLFormat extends METSFormat {
     static final Namespace NAMESPACE_MARC = Namespace.getNamespace("marc", "http://www.loc.gov/MARC21/slim");
     static final Namespace NAMESPACE_MODS = Namespace.getNamespace("mods", "http://www.loc.gov/mods/v3");
 
+    private static final String FILENAME_XSLT = "MODS2MARC21slim.xsl";
+
     /** {@inheritDoc} */
     @Override
     public Element createListRecords(RequestHandler handler, int firstVirtualRow, int firstRawRow, int numRows, String versionDiscriminatorField,
@@ -178,10 +195,42 @@ static Element convertModsToMarc(Element mods, Element header) {
         org.jdom2.Document marcDoc = new org.jdom2.Document();
         marcDoc.setRootElement(newmods);
 
-        String filename = DataManager.getInstance().getConfiguration().getMods2MarcXsl();
-        try (FileInputStream fis = new FileInputStream(filename)) {
-            XSLTransformer transformer = new XSLTransformer(fis);
-            org.jdom2.Document docTrans = transformer.transform(marcDoc);
+        ClassLoader cl = MARCXMLFormat.class.getClassLoader();
+        URL xsltUrl = null;
+        File localXsltFile = new File(DataManager.getInstance().getConfiguration().getMods2MarcXsl());
+        if (localXsltFile.exists()) {
+            // Check for local XSLT file
+            try {
+                xsltUrl = localXsltFile.toURI().toURL();
+                logger.debug("Using local XSLT: {}", localXsltFile.getAbsolutePath());
+            } catch (MalformedURLException e) {
+                throw new IllegalStateException("Invalid path for local override XSLT", e);
+            }
+        }
+        if (xsltUrl == null) {
+            // In-JAR XSLT fallback
+            xsltUrl = cl.getResource(FILENAME_XSLT);
+            if (xsltUrl == null) {
+                throw new IllegalStateException("Default XSLT not found: " + FILENAME_XSLT);
+            }
+        }
+
+        try (InputStream input = xsltUrl.openStream()) {
+            StreamSource xsltSource = new StreamSource(input);
+            xsltSource.setSystemId(xsltUrl.toExternalForm());
+
+            TransformerFactory factory = TransformerFactory.newInstance();
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+            factory.setURIResolver(createXsltUriResolver());
+
+            Transformer transformer = factory.newTransformer(xsltSource);
+
+            JDOMSource source = new JDOMSource(marcDoc);
+            JDOMResult result = new JDOMResult();
+            transformer.transform(source, result);
+            Document docTrans = result.getDocument();
             Element root = docTrans.getRootElement();
 
             Element eleRecord = new Element(XmlConstants.ELE_NAME_RECORD, NAMESPACE_XML);
@@ -201,9 +250,66 @@ static Element convertModsToMarc(Element mods, Element header) {
         } catch (FileNotFoundException e) {
             logger.error(e.getMessage());
             return new ErrorCode().getCannotDisseminateFormat();
-        } catch (IOException | XSLTransformException e) {
+        } catch (IOException | TransformerException e) {
             logger.error(e.getMessage(), e);
             return new ErrorCode().getCannotDisseminateFormat();
         }
     }
+
+    private static URIResolver createXsltUriResolver() {
+        return (href, base) -> {
+            // If base is null, just try classpath
+            if (base == null) {
+                InputStream is = MARCXMLFormat.class.getClassLoader().getResourceAsStream(href);
+                if (is == null) {
+                    throw new TransformerException("Classpath include not found: " + href);
+                }
+                StreamSource src = new StreamSource(is);
+                src.setSystemId(MARCXMLFormat.class.getClassLoader()
+                        .getResource(href)
+                        .toExternalForm());
+                return src;
+            }
+
+            try {
+                URI baseUri = new URI(base);
+                if ("file".equals(baseUri.getScheme())) {
+                    // filesystem include
+                    Path basePath = Paths.get(baseUri).getParent();
+                    Path resolved = basePath.resolve(href).normalize();
+
+                    Path allowedRoot = Paths.get(DataManager.getInstance()
+                            .getConfiguration()
+                            .getOaiFolder())
+                            .toAbsolutePath()
+                            .normalize();
+                    if (!resolved.startsWith(allowedRoot)) {
+                        throw new TransformerException("Access denied: " + href);
+                    }
+                    return new StreamSource(resolved.toFile());
+
+                }
+                // classpath include: resolve relative to base systemId
+                String basePathStr = baseUri.getPath();
+                if (basePathStr == null)
+                    basePathStr = "";
+                int lastSlash = basePathStr.lastIndexOf('/');
+                String parentDir = (lastSlash >= 0) ? basePathStr.substring(0, lastSlash + 1) : "";
+                String includedPath = parentDir + href;
+
+                InputStream is = MARCXMLFormat.class.getClassLoader().getResourceAsStream(includedPath);
+                if (is == null) {
+                    throw new TransformerException("Classpath include not found: " + includedPath);
+                }
+                StreamSource src = new StreamSource(is);
+                src.setSystemId(MARCXMLFormat.class.getClassLoader()
+                        .getResource(includedPath)
+                        .toExternalForm());
+                return src;
+
+            } catch (URISyntaxException e) {
+                throw new TransformerException("Invalid base URI: " + base, e);
+            }
+        };
+    }
 }
diff --git a/goobi-viewer-connector/src/main/resources/MODS2MARC21slim.xsl b/goobi-viewer-connector/src/main/resources/MODS2MARC21slim.xsl
@@ -8,7 +8,7 @@
 <!-- MODS v3 to MARC21Slim transformation  	ntra 2/20/04 -->
 
 	<!--xsl:include href="http://www.loc.gov/marcxml/xslt/MARC21slimUtils.xsl"/-->
-	<xsl:include href="file:///opt/digiverso/viewer/oai/MARC21slimUtils.xsl"/>
+	<xsl:include href="MARC21slimUtils.xsl"/>
 	
 	<xsl:output method="xml" indent="yes" encoding="UTF-8"/>
 
