From 0567d00d3f9bcaae87113f5c7d256493d5f2e71a Mon Sep 17 00:00:00 2001 From: Wojtek Kosior Date: Sat, 22 Jan 2022 11:21:10 +0100 Subject: add provisional fix for app.box.com --- content/pbox/index.json | 5 + content/sbox/box-fix.js | 245 ++++++++++++++++++++++++++++++++++++++++++++++++ content/sbox/index.json | 6 ++ 3 files changed, 256 insertions(+) create mode 100644 content/pbox/index.json create mode 100644 content/sbox/box-fix.js create mode 100644 content/sbox/index.json diff --git a/content/pbox/index.json b/content/pbox/index.json new file mode 100644 index 0000000..0f47bab --- /dev/null +++ b/content/pbox/index.json @@ -0,0 +1,5 @@ +{ +"type" : "page", +"pattern" : "https://***.app.box.com/s/*", +"payload" : ["script", "box-com-downloader"] +} diff --git a/content/sbox/box-fix.js b/content/sbox/box-fix.js new file mode 100644 index 0000000..e8dd9c2 --- /dev/null +++ b/content/sbox/box-fix.js @@ -0,0 +1,245 @@ +/** + * Copyright 2022 Jacob K + * Copyright 2022 Wojtek Kosior + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * As additional permission under GNU GPL version 3 section 7, you + * may distribute forms of that code without the copy of the GNU + * GPL normally required by section 4, provided you include this + * license notice and, in case of non-source distribution, a URL + * through which recipients can access the Corresponding Source. + * If you modify file(s) with this exception, you may extend this + * exception to your version of the file(s), but you are not + * obligated to do so. If you do not wish to do so, delete this + * exception statement from your version. + * + * As a special exception to the GPL, any HTML file which merely + * makes function calls to this code, and for that purpose + * includes it by reference shall be deemed a separate work for + * copyright law purposes. If you modify this code, you may extend + * this exception to your version of the code, but you are not + * obligated to do so. If you do not wish to do so, delete this + * exception statement from your version. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * I, Wojtek Kosior, thereby promise not to sue for violation of this file's + * license. Although I request that you do not make use of this code in a + * proprietary program, I am not going to enforce this in court. + */ + +// meta: match should be https://***.app.box.com/s/* (*** instead of * for the first section because otherwise plain app.box.com URLs won't work) +// meta: some test cases (mostly found at https://old.reddit.com/search?q="box.com"&include_over_18=on&sort=new) + // https://uwmadison.app.box.com/s/ydht2incbdmw1lhpjg5t40adguc0fm14 + // umadison's enrollment report + // pdf + // https://app.box.com/s/gc4ygloi4qtimeh98dq9mmydyuydawcn + // password-protected 7z file (nsfw) + // https://app.box.com/shared/static/su6xx6zx50cd68zdtbm3wfxhh9kwke8x.zip + // a soundtrack in a zip file + // This is a static download, so it works without this script. + // https://app.box.com/s/vysdh2u78yih3c8leetgq82il954a3g3 + // some gambling add + // pptx + // https://app.box.com/s/nnlplkmjhimau404qohh9my10pwmo8es + // a list of books(?) + // txt + // https://ucla.app.box.com/s/mv32q624ojihohzh8d0mhhj0b3xluzbz + // "COVID-19 Pivot Plan Decision Matrix" + // cannot be downloaded (403 Forbidden): "This user is not allowed to use direct links. Please email "[support address, changes depending on where you are logged in]" for support" + // If you load the proprietary scripts on this page, you'll see that there is no download button + // TODO: find a public folder link (the private links I have seem to work) + // TODO: find a (preferably public) link with a folder inside a folder, as these may need to be handled differently + +/* Extract data from a script that sets multiple variables. */ // from here: https://api-demo.hachette-hydrilla.org/content/sgoogle_sheets_download/google_sheets_download.js + +let prefetchedData = null; // This variable isn't actually used. +for (const script of document.scripts) { + const match = /Box.prefetchedData = ({([^;]|[^}];)+})/.exec(script.textContent); // looks for "Box.prefetchedData = " in the script files and then grabs the json text after that. + if (!match) + continue; + prefetchedData = JSON.parse(match[1]); +} + +let config = null; +for (const script of document.scripts) { + const match = /Box.config = ({([^;]|[^}];)+})/.exec(script.textContent); // looks for "Box.config = " in the script files and then grabs the json text after that. + if (!match) + continue; + config = JSON.parse(match[1]); +} + +let postStreamData = null; +for (const script of document.scripts) { + const match = /Box.postStreamData = ({([^;]|[^}];)+})/.exec(script.textContent); // looks for "Box.postStreamData = " in the script files and then grabs the json text after that. + if (!match) + continue; + postStreamData = JSON.parse(match[1]); +} + +// empty the initial document body +[...document.body.childNodes].forEach(n => n.remove()); + +// create div container +const divContainer = document.createElement("div"); +document.body.append(divContainer); + +const loadingIcon = document.createElement("h1"); +loadingIcon.innerText = "loading..."; +loadingIcon.style.display = "none"; + +const error_msg = document.createElement("h1"); +error_msg.innerText = "error occured :("; +error_msg.style.display = "none"; + +divContainer.append(loadingIcon, error_msg); + +// get domain from URL +const domain = document.location.href.split("/")[2]; + +async function hack_file() { + loadingIcon.style.display = "initial"; + + const tokens_url = "/app-api/enduserapp/elements/tokens"; + const file_nr = postStreamData["/app-api/enduserapp/shared-item"].itemID; + const file_id = `file_${file_nr}`; + const shared_name = postStreamData["/app-api/enduserapp/shared-item"].sharedName; + + /* + * We need to perform a POST to obtain a token that will be used later to + * authenticate against Box's API endpoint. + */ + const tokens_response = await fetch(tokens_url, { + method: "POST", + headers: { + "Accept": "application/json", + "Content-Type": "application/json", + "Request-Token": config.requestToken, + "X-Box-Client-Name": "enduserapp", + "X-Box-Client-Version": "20.712.2", + "X-Box-EndUser-API": `sharedName=${shared_name}`, + "X-Request-Token": config.requestToken + }, + body: JSON.stringify({"fileIDs": [file_id]}) + }); + console.log("tokens_response", tokens_response); + + const access_token = (await tokens_response.json())[file_id].read; + console.log("access_token", access_token); + + const fields = [ + "permissions", "shared_link", "sha1", "file_version", "name", "size", + "extension", "representations", "watermark_info", + "authenticated_download_url", "is_download_available" + ]; + + const file_info_url = + `https://api.box.com/2.0/files/${file_nr}?fields=${fields.join()}`; + + /* + * We need to perform a GET to obtain file metadata. The fields we curently + * make use of are "authenticated_download_url" and "file_version", but in + * the request we also include names of other fields that the original Box + * client would include. The metadata is then dumped as JSON on the page, so + * the user, if curious, can look at it. + */ + const file_info_response = await fetch(file_info_url, { + headers: { + "Accept": "application/json", + "Authorization": `Bearer ${access_token}`, + "BoxApi": `shared_link=${document.URL}`, + "X-Box-Client-Name": "ContentPreview", + "X-Rep-Hints": "[3d][pdf][text][mp3][json][jpg?dimensions=1024x1024&paged=false][jpg?dimensions=2048x2048,png?dimensions=2048x2048][dash,mp4][filmstrip]" + }, + }); + console.log("file_info_response", file_info_response); + + const file_info = await file_info_response.json(); + console.log("file_info", file_info); + + const params = new URLSearchParams(); + params.set("preview", true); + params.set("version", file_info.file_version.id); + params.set("access_token", access_token); + params.set("shared_link", document.URL); + params.set("box_client_name", "box-content-preview"); + params.set("box_client_version", "2.82.0"); + params.set("encoding", "gzip"); + + /* We use file metadata from earlier requests to construct the link. */ + const download_url = + `${file_info.authenticated_download_url}?${params.toString()}`; + console.log("download_url", download_url); + + const downloadButton = document.createElement("a"); + downloadButton.innerText = "download"; + downloadButton.href = download_url; + downloadButton.setAttribute("style", "border-radius: 10px; padding: 20px; color: #333; background-color: lightgreen; text-decoration: none; box-shadow: -4px 8px 8px #888; display: inline-block;"); + + const file_info_header = document.createElement("h2"); + file_info_header.innerText = "File info"; + + divContainer.append(downloadButton, file_info_header, + JSON.stringify(file_info)); + + loadingIcon.style.display = "none"; +} + +function show_error() { + loadingIcon.style.display = "none"; + error_msg.style.display = "initial"; +} + +if (postStreamData["/app-api/enduserapp/shared-item"].itemType == "file") { + /* + * We call hack_file and in case it asynchronously throws an exception, we + * make an error message appear. + */ + hack_file().then(() => {}, show_error); +} else if (postStreamData["/app-api/enduserapp/shared-item"].itemType == "folder") { + const folderHeader = document.createElement("h1"); + folderHeader.innerText = postStreamData["/app-api/enduserapp/shared-folder"].currentFolderName; + divContainer.appendChild(folderHeader); + //console.log(postStreamData["/app-api/enduserapp/shared-folder"]); + postStreamData["/app-api/enduserapp/shared-folder"].items.forEach(function(element) { + console.log(element); + const folderButton = document.createElement("a"); + folderButton.setAttribute("style", "border-radius: 10px; padding: 20px; color: #333; background-color: lightgreen; text-decoration: none; box-shadow: -4px 8px 8px #888; display: inline-block;"); // from https://api-demo.hachette-hydrilla.org/content/sgoogle_sheets_download/google_sheets_download.js + if (element.type == "file") { + folderButton.innerText = "loading..."; + // craft request + var downloadLinkGet = new XMLHttpRequest(); + downloadLinkGet.open("POST", "https://"+domain+"/index.php?rm=box_download_shared_file&shared_name="+postStreamData["/app-api/enduserapp/shared-item"].sharedName+"&file_id="+element.typedID); + downloadLinkGet.setRequestHeader("User-Agent", "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0"); // Would this be set automatically otherwise? + downloadLinkGet.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"); + downloadLinkGet.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); // TODO: find a test case in another language + downloadLinkGet.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); + downloadLinkGet.setRequestHeader("Upgrade-Insecure-Requests", "1"); + downloadLinkGet.onreadystatechange = function() { + if (downloadLinkGet.readyState === 4) { + //console.log(downloadLinkGet.status); + // configure download button and add it + folderButton.setAttribute("href", downloadLinkGet.responseURL); + folderButton.innerText = element.name; // show the name of the file + } + }; + downloadLinkGet.send("request_token="+config.requestToken); + } else { + folderButton.innerText = "[folders inside folders not yet supported]"; + } + divContainer.appendChild(folderButton); + }) +} else { + console.log("Error: not implemented"); + // TODO: also display an error on the page +} diff --git a/content/sbox/index.json b/content/sbox/index.json new file mode 100644 index 0000000..cb12f1a --- /dev/null +++ b/content/sbox/index.json @@ -0,0 +1,6 @@ +{ +"type" : "script", +"name" : "box-com-downloader", +"sha256" : "1274d2a8416b79acca117d90a3473c7affbb7d19dedc9004fffeca2f82283512", +"location" : "box-fix.js" +} -- cgit v1.2.3