Hydrilla

{

"type" : "page",

"pattern" : "https://***.app.box.com/s/*",

"payload" : ["script", "box-com-downloader"]

}

/**

 * Copyright 2022 Jacob K

 * Copyright 2022 Wojtek Kosior <koszko@koszko.org>

 *

 * This program is free software: you can redistribute it and/or modify

 * it under the terms of the GNU General Public License as published by

 * the Free Software Foundation, either version 3 of the License, or

 * (at your option) any later version.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * As additional permission under GNU GPL version 3 section 7, you

 * may distribute forms of that code without the copy of the GNU

 * GPL normally required by section 4, provided you include this

 * license notice and, in case of non-source distribution, a URL

 * through which recipients can access the Corresponding Source.

 * If you modify file(s) with this exception, you may extend this

 * exception to your version of the file(s), but you are not

 * obligated to do so. If you do not wish to do so, delete this

 * exception statement from your version.

 *

 * As a special exception to the GPL, any HTML file which merely

 * makes function calls to this code, and for that purpose

 * includes it by reference shall be deemed a separate work for

 * copyright law purposes. If you modify this code, you may extend

 * this exception to your version of the code, but you are not

 * obligated to do so. If you do not wish to do so, delete this

 * exception statement from your version.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program.  If not, see <https://www.gnu.org/licenses/>.

 *

 * I, Wojtek Kosior, thereby promise not to sue for violation of this file's

 * license. Although I request that you do not make use of this code in a

 * proprietary program, I am not going to enforce this in court.

 */

// meta: match should be https://***.app.box.com/s/* (*** instead of * for the first section because otherwise plain app.box.com URLs won't work)

// meta: some test cases (mostly found at https://old.reddit.com/search?q="box.com"&include_over_18=on&sort=new)

	// https://uwmadison.app.box.com/s/ydht2incbdmw1lhpjg5t40adguc0fm14

		// umadison's enrollment report

		// pdf

	// https://app.box.com/s/gc4ygloi4qtimeh98dq9mmydyuydawcn

		// password-protected 7z file (nsfw)

	// https://app.box.com/shared/static/su6xx6zx50cd68zdtbm3wfxhh9kwke8x.zip

		// a soundtrack in a zip file

		// This is a static download, so it works without this script.

	// https://app.box.com/s/vysdh2u78yih3c8leetgq82il954a3g3

		// some gambling add

		// pptx

	// https://app.box.com/s/nnlplkmjhimau404qohh9my10pwmo8es

		// a list of books(?)

		// txt

	// https://ucla.app.box.com/s/mv32q624ojihohzh8d0mhhj0b3xluzbz

		// "COVID-19 Pivot Plan Decision Matrix"

		// cannot be downloaded (403 Forbidden): "This user is not allowed to use direct links. Please email "[support address, changes depending on where you are logged in]" for support"

		// If you load the proprietary scripts on this page, you'll see that there is no download button

	// TODO: find a public folder link (the private links I have seem to work)

	// TODO: find a (preferably public) link with a folder inside a folder, as these may need to be handled differently

/* Extract data from a script that sets multiple variables. */ // from here: https://api-demo.hachette-hydrilla.org/content/sgoogle_sheets_download/google_sheets_download.js

let prefetchedData = null; // This variable isn't actually used.

for (const script of document.scripts) {

    const match = /Box.prefetchedData = ({([^;]|[^}];)+})/.exec(script.textContent); // looks for "Box.prefetchedData = " in the script files and then grabs the json text after that.

    if (!match)

	continue;

    prefetchedData = JSON.parse(match[1]);

}

let config = null;

for (const script of document.scripts) {

    const match = /Box.config = ({([^;]|[^}];)+})/.exec(script.textContent); // looks for "Box.config = " in the script files and then grabs the json text after that.

    if (!match)

	continue;

    config = JSON.parse(match[1]);

}

let postStreamData = null;

for (const script of document.scripts) {

    const match = /Box.postStreamData = ({([^;]|[^}];)+})/.exec(script.textContent); // looks for "Box.postStreamData = " in the script files and then grabs the json text after that.

    if (!match)

	continue;

    postStreamData = JSON.parse(match[1]);

}

// empty the initial document body

[...document.body.childNodes].forEach(n => n.remove());

// create div container

const divContainer = document.createElement("div");

document.body.append(divContainer);

const loadingIcon = document.createElement("h1");

loadingIcon.innerText = "loading...";

loadingIcon.style.display = "none";

const error_msg = document.createElement("h1");

error_msg.innerText = "error occured :(";

error_msg.style.display = "none";

divContainer.append(loadingIcon, error_msg);

// get domain from URL

const domain = document.location.href.split("/")[2];

async function hack_file() {

    loadingIcon.style.display = "initial";

    const tokens_url = "/app-api/enduserapp/elements/tokens";

    const file_nr = postStreamData["/app-api/enduserapp/shared-item"].itemID;

    const file_id = `file_${file_nr}`;

    const shared_name = postStreamData["/app-api/enduserapp/shared-item"].sharedName;

    /*

     * We need to perform a POST to obtain a token that will be used later to

     * authenticate against Box's API endpoint.

     */

    const tokens_response = await fetch(tokens_url, {

	method: "POST",

	headers: {

	    "Accept":               "application/json",

	    "Content-Type":         "application/json",

	    "Request-Token":        config.requestToken,

	    "X-Box-Client-Name":    "enduserapp",

	    "X-Box-Client-Version": "20.712.2",

	    "X-Box-EndUser-API":    `sharedName=${shared_name}`,

	    "X-Request-Token":      config.requestToken

	},

	body: JSON.stringify({"fileIDs": [file_id]})

    });

    console.log("tokens_response", tokens_response);

    const access_token = (await tokens_response.json())[file_id].read;

    console.log("access_token", access_token);

    const fields = [

	"permissions", "shared_link", "sha1", "file_version", "name", "size",

	"extension", "representations", "watermark_info",

	"authenticated_download_url", "is_download_available"

    ];

    const file_info_url =

	  `https://api.box.com/2.0/files/${file_nr}?fields=${fields.join()}`;

    /*

     * We need to perform a GET to obtain file metadata. The fields we curently

     * make use of are "authenticated_download_url" and "file_version", but in

     * the request we also include names of other fields that the original Box

     * client would include. The metadata is then dumped as JSON on the page, so

     * the user, if curious, can look at it.

     */

    const file_info_response = await fetch(file_info_url, {

	headers: {

	    "Accept":            "application/json",

	    "Authorization":     `Bearer ${access_token}`,

	    "BoxApi":            `shared_link=${document.URL}`,

	    "X-Box-Client-Name": "ContentPreview",

	    "X-Rep-Hints":       "[3d][pdf][text][mp3][json][jpg?dimensions=1024x1024&paged=false][jpg?dimensions=2048x2048,png?dimensions=2048x2048][dash,mp4][filmstrip]"

	},

    });

    console.log("file_info_response", file_info_response);

    const file_info = await file_info_response.json();

    console.log("file_info", file_info);

    const params = new URLSearchParams();

    params.set("preview",            true);

    params.set("version",            file_info.file_version.id);

    params.set("access_token",       access_token);

    params.set("shared_link",        document.URL);

    params.set("box_client_name",    "box-content-preview");

    params.set("box_client_version", "2.82.0");

    params.set("encoding",           "gzip");

    /* We use file metadata from earlier requests to construct the link. */

    const download_url =

	  `${file_info.authenticated_download_url}?${params.toString()}`;

    console.log("download_url", download_url);

    const downloadButton = document.createElement("a");

    downloadButton.innerText = "download";

    downloadButton.href = download_url;

    downloadButton.setAttribute("style", "border-radius: 10px; padding: 20px; color: #333; background-color: lightgreen; text-decoration: none; box-shadow: -4px 8px 8px #888; display: inline-block;");

    const file_info_header = document.createElement("h2");

    file_info_header.innerText = "File info";

    divContainer.append(downloadButton, file_info_header,

			JSON.stringify(file_info));

    loadingIcon.style.display = "none";

}

function show_error() {

    loadingIcon.style.display = "none";

    error_msg.style.display = "initial";

}

if (postStreamData["/app-api/enduserapp/shared-item"].itemType == "file") {

    /*

     * We call hack_file and in case it asynchronously throws an exception, we

     * make an error message appear.

     */

    hack_file().then(() => {}, show_error);

} else if (postStreamData["/app-api/enduserapp/shared-item"].itemType == "folder") {

	const folderHeader = document.createElement("h1");

	folderHeader.innerText = postStreamData["/app-api/enduserapp/shared-folder"].currentFolderName;

	divContainer.appendChild(folderHeader);

	//console.log(postStreamData["/app-api/enduserapp/shared-folder"]);

	postStreamData["/app-api/enduserapp/shared-folder"].items.forEach(function(element) {

		console.log(element);

		const folderButton = document.createElement("a");

		folderButton.setAttribute("style", "border-radius: 10px; padding: 20px; color: #333; background-color: lightgreen; text-decoration: none; box-shadow: -4px 8px 8px #888; display: inline-block;"); // from https://api-demo.hachette-hydrilla.org/content/sgoogle_sheets_download/google_sheets_download.js

		if (element.type == "file") {

			folderButton.innerText = "loading...";

			// craft request

			var downloadLinkGet = new XMLHttpRequest();

			downloadLinkGet.open("POST", "https://"+domain+"/index.php?rm=box_download_shared_file&shared_name="+postStreamData["/app-api/enduserapp/shared-item"].sharedName+"&file_id="+element.typedID);

			downloadLinkGet.setRequestHeader("User-Agent", "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0"); // Would this be set automatically otherwise?

			downloadLinkGet.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8");

			downloadLinkGet.setRequestHeader("Accept-Language",  "en-US,en;q=0.5"); // TODO: find a test case in another language

			downloadLinkGet.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

			downloadLinkGet.setRequestHeader("Upgrade-Insecure-Requests", "1");

			downloadLinkGet.onreadystatechange = function() {

				if (downloadLinkGet.readyState === 4) {

					//console.log(downloadLinkGet.status);

					// configure download button and add it

					folderButton.setAttribute("href", downloadLinkGet.responseURL);

					folderButton.innerText = element.name; // show the name of the file

				}

			};

			downloadLinkGet.send("request_token="+config.requestToken);

		} else {

			folderButton.innerText = "[folders inside folders not yet supported]";

		}

		divContainer.appendChild(folderButton);

	})

} else {

	console.log("Error: not implemented");

	// TODO: also display an error on the page

}

{

"type" : "script",

"name" : "box-com-downloader",

"sha256" : "1274d2a8416b79acca117d90a3473c7affbb7d19dedc9004fffeca2f82283512",

"location" : "box-fix.js"

}