aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--content/pbox/index.json5
-rw-r--r--content/sbox/box-fix.js245
-rw-r--r--content/sbox/index.json6
3 files changed, 256 insertions, 0 deletions
diff --git a/content/pbox/index.json b/content/pbox/index.json
new file mode 100644
index 0000000..0f47bab
--- /dev/null
+++ b/content/pbox/index.json
@@ -0,0 +1,5 @@
+{
+"type" : "page",
+"pattern" : "https://***.app.box.com/s/*",
+"payload" : ["script", "box-com-downloader"]
+}
diff --git a/content/sbox/box-fix.js b/content/sbox/box-fix.js
new file mode 100644
index 0000000..e8dd9c2
--- /dev/null
+++ b/content/sbox/box-fix.js
@@ -0,0 +1,245 @@
+/**
+ * Copyright 2022 Jacob K
+ * Copyright 2022 Wojtek Kosior <koszko@koszko.org>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * As additional permission under GNU GPL version 3 section 7, you
+ * may distribute forms of that code without the copy of the GNU
+ * GPL normally required by section 4, provided you include this
+ * license notice and, in case of non-source distribution, a URL
+ * through which recipients can access the Corresponding Source.
+ * If you modify file(s) with this exception, you may extend this
+ * exception to your version of the file(s), but you are not
+ * obligated to do so. If you do not wish to do so, delete this
+ * exception statement from your version.
+ *
+ * As a special exception to the GPL, any HTML file which merely
+ * makes function calls to this code, and for that purpose
+ * includes it by reference shall be deemed a separate work for
+ * copyright law purposes. If you modify this code, you may extend
+ * this exception to your version of the code, but you are not
+ * obligated to do so. If you do not wish to do so, delete this
+ * exception statement from your version.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * I, Wojtek Kosior, thereby promise not to sue for violation of this file's
+ * license. Although I request that you do not make use of this code in a
+ * proprietary program, I am not going to enforce this in court.
+ */
+
+// meta: match should be https://***.app.box.com/s/* (*** instead of * for the first section because otherwise plain app.box.com URLs won't work)
+// meta: some test cases (mostly found at https://old.reddit.com/search?q="box.com"&include_over_18=on&sort=new)
+ // https://uwmadison.app.box.com/s/ydht2incbdmw1lhpjg5t40adguc0fm14
+ // umadison's enrollment report
+ // pdf
+ // https://app.box.com/s/gc4ygloi4qtimeh98dq9mmydyuydawcn
+ // password-protected 7z file (nsfw)
+ // https://app.box.com/shared/static/su6xx6zx50cd68zdtbm3wfxhh9kwke8x.zip
+ // a soundtrack in a zip file
+ // This is a static download, so it works without this script.
+ // https://app.box.com/s/vysdh2u78yih3c8leetgq82il954a3g3
+ // some gambling add
+ // pptx
+ // https://app.box.com/s/nnlplkmjhimau404qohh9my10pwmo8es
+ // a list of books(?)
+ // txt
+ // https://ucla.app.box.com/s/mv32q624ojihohzh8d0mhhj0b3xluzbz
+ // "COVID-19 Pivot Plan Decision Matrix"
+ // cannot be downloaded (403 Forbidden): "This user is not allowed to use direct links. Please email "[support address, changes depending on where you are logged in]" for support"
+ // If you load the proprietary scripts on this page, you'll see that there is no download button
+ // TODO: find a public folder link (the private links I have seem to work)
+ // TODO: find a (preferably public) link with a folder inside a folder, as these may need to be handled differently
+
+/* Extract data from a script that sets multiple variables. */ // from here: https://api-demo.hachette-hydrilla.org/content/sgoogle_sheets_download/google_sheets_download.js
+
+let prefetchedData = null; // This variable isn't actually used.
+for (const script of document.scripts) {
+ const match = /Box.prefetchedData = ({([^;]|[^}];)+})/.exec(script.textContent); // looks for "Box.prefetchedData = " in the script files and then grabs the json text after that.
+ if (!match)
+ continue;
+ prefetchedData = JSON.parse(match[1]);
+}
+
+let config = null;
+for (const script of document.scripts) {
+ const match = /Box.config = ({([^;]|[^}];)+})/.exec(script.textContent); // looks for "Box.config = " in the script files and then grabs the json text after that.
+ if (!match)
+ continue;
+ config = JSON.parse(match[1]);
+}
+
+let postStreamData = null;
+for (const script of document.scripts) {
+ const match = /Box.postStreamData = ({([^;]|[^}];)+})/.exec(script.textContent); // looks for "Box.postStreamData = " in the script files and then grabs the json text after that.
+ if (!match)
+ continue;
+ postStreamData = JSON.parse(match[1]);
+}
+
+// empty the initial document body
+[...document.body.childNodes].forEach(n => n.remove());
+
+// create div container
+const divContainer = document.createElement("div");
+document.body.append(divContainer);
+
+const loadingIcon = document.createElement("h1");
+loadingIcon.innerText = "loading...";
+loadingIcon.style.display = "none";
+
+const error_msg = document.createElement("h1");
+error_msg.innerText = "error occured :(";
+error_msg.style.display = "none";
+
+divContainer.append(loadingIcon, error_msg);
+
+// get domain from URL
+const domain = document.location.href.split("/")[2];
+
+async function hack_file() {
+ loadingIcon.style.display = "initial";
+
+ const tokens_url = "/app-api/enduserapp/elements/tokens";
+ const file_nr = postStreamData["/app-api/enduserapp/shared-item"].itemID;
+ const file_id = `file_${file_nr}`;
+ const shared_name = postStreamData["/app-api/enduserapp/shared-item"].sharedName;
+
+ /*
+ * We need to perform a POST to obtain a token that will be used later to
+ * authenticate against Box's API endpoint.
+ */
+ const tokens_response = await fetch(tokens_url, {
+ method: "POST",
+ headers: {
+ "Accept": "application/json",
+ "Content-Type": "application/json",
+ "Request-Token": config.requestToken,
+ "X-Box-Client-Name": "enduserapp",
+ "X-Box-Client-Version": "20.712.2",
+ "X-Box-EndUser-API": `sharedName=${shared_name}`,
+ "X-Request-Token": config.requestToken
+ },
+ body: JSON.stringify({"fileIDs": [file_id]})
+ });
+ console.log("tokens_response", tokens_response);
+
+ const access_token = (await tokens_response.json())[file_id].read;
+ console.log("access_token", access_token);
+
+ const fields = [
+ "permissions", "shared_link", "sha1", "file_version", "name", "size",
+ "extension", "representations", "watermark_info",
+ "authenticated_download_url", "is_download_available"
+ ];
+
+ const file_info_url =
+ `https://api.box.com/2.0/files/${file_nr}?fields=${fields.join()}`;
+
+ /*
+ * We need to perform a GET to obtain file metadata. The fields we curently
+ * make use of are "authenticated_download_url" and "file_version", but in
+ * the request we also include names of other fields that the original Box
+ * client would include. The metadata is then dumped as JSON on the page, so
+ * the user, if curious, can look at it.
+ */
+ const file_info_response = await fetch(file_info_url, {
+ headers: {
+ "Accept": "application/json",
+ "Authorization": `Bearer ${access_token}`,
+ "BoxApi": `shared_link=${document.URL}`,
+ "X-Box-Client-Name": "ContentPreview",
+ "X-Rep-Hints": "[3d][pdf][text][mp3][json][jpg?dimensions=1024x1024&paged=false][jpg?dimensions=2048x2048,png?dimensions=2048x2048][dash,mp4][filmstrip]"
+ },
+ });
+ console.log("file_info_response", file_info_response);
+
+ const file_info = await file_info_response.json();
+ console.log("file_info", file_info);
+
+ const params = new URLSearchParams();
+ params.set("preview", true);
+ params.set("version", file_info.file_version.id);
+ params.set("access_token", access_token);
+ params.set("shared_link", document.URL);
+ params.set("box_client_name", "box-content-preview");
+ params.set("box_client_version", "2.82.0");
+ params.set("encoding", "gzip");
+
+ /* We use file metadata from earlier requests to construct the link. */
+ const download_url =
+ `${file_info.authenticated_download_url}?${params.toString()}`;
+ console.log("download_url", download_url);
+
+ const downloadButton = document.createElement("a");
+ downloadButton.innerText = "download";
+ downloadButton.href = download_url;
+ downloadButton.setAttribute("style", "border-radius: 10px; padding: 20px; color: #333; background-color: lightgreen; text-decoration: none; box-shadow: -4px 8px 8px #888; display: inline-block;");
+
+ const file_info_header = document.createElement("h2");
+ file_info_header.innerText = "File info";
+
+ divContainer.append(downloadButton, file_info_header,
+ JSON.stringify(file_info));
+
+ loadingIcon.style.display = "none";
+}
+
+function show_error() {
+ loadingIcon.style.display = "none";
+ error_msg.style.display = "initial";
+}
+
+if (postStreamData["/app-api/enduserapp/shared-item"].itemType == "file") {
+ /*
+ * We call hack_file and in case it asynchronously throws an exception, we
+ * make an error message appear.
+ */
+ hack_file().then(() => {}, show_error);
+} else if (postStreamData["/app-api/enduserapp/shared-item"].itemType == "folder") {
+ const folderHeader = document.createElement("h1");
+ folderHeader.innerText = postStreamData["/app-api/enduserapp/shared-folder"].currentFolderName;
+ divContainer.appendChild(folderHeader);
+ //console.log(postStreamData["/app-api/enduserapp/shared-folder"]);
+ postStreamData["/app-api/enduserapp/shared-folder"].items.forEach(function(element) {
+ console.log(element);
+ const folderButton = document.createElement("a");
+ folderButton.setAttribute("style", "border-radius: 10px; padding: 20px; color: #333; background-color: lightgreen; text-decoration: none; box-shadow: -4px 8px 8px #888; display: inline-block;"); // from https://api-demo.hachette-hydrilla.org/content/sgoogle_sheets_download/google_sheets_download.js
+ if (element.type == "file") {
+ folderButton.innerText = "loading...";
+ // craft request
+ var downloadLinkGet = new XMLHttpRequest();
+ downloadLinkGet.open("POST", "https://"+domain+"/index.php?rm=box_download_shared_file&shared_name="+postStreamData["/app-api/enduserapp/shared-item"].sharedName+"&file_id="+element.typedID);
+ downloadLinkGet.setRequestHeader("User-Agent", "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0"); // Would this be set automatically otherwise?
+ downloadLinkGet.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8");
+ downloadLinkGet.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); // TODO: find a test case in another language
+ downloadLinkGet.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
+ downloadLinkGet.setRequestHeader("Upgrade-Insecure-Requests", "1");
+ downloadLinkGet.onreadystatechange = function() {
+ if (downloadLinkGet.readyState === 4) {
+ //console.log(downloadLinkGet.status);
+ // configure download button and add it
+ folderButton.setAttribute("href", downloadLinkGet.responseURL);
+ folderButton.innerText = element.name; // show the name of the file
+ }
+ };
+ downloadLinkGet.send("request_token="+config.requestToken);
+ } else {
+ folderButton.innerText = "[folders inside folders not yet supported]";
+ }
+ divContainer.appendChild(folderButton);
+ })
+} else {
+ console.log("Error: not implemented");
+ // TODO: also display an error on the page
+}
diff --git a/content/sbox/index.json b/content/sbox/index.json
new file mode 100644
index 0000000..cb12f1a
--- /dev/null
+++ b/content/sbox/index.json
@@ -0,0 +1,6 @@
+{
+"type" : "script",
+"name" : "box-com-downloader",
+"sha256" : "1274d2a8416b79acca117d90a3473c7affbb7d19dedc9004fffeca2f82283512",
+"location" : "box-fix.js"
+}