1

Check legitimacy of google link through API. I have input text area in my visualforce page where user enters google drive docs, sheet or any google drive file URL. And I want to check that URL is real google drive file URL or not.

Also I have searched for this requirement and I have found 2 APIs but that APIs only checks that the URL enter is safe for browsing or not.

Safe browsing API link : https://developers.google.com/safe-browsing/v4/get-started

Also I have tried this code by hardcoding the url part but We want to check by using API only.

var copyandpastelinkvar = document.getElementById("{!$Component.linkid}").value; //Getting input text area value
var resultlink = copyandpastelinkvar.startsWith("https://docs.google.com/");
if(resultlink){
       document.getElementById("{!$Component.hdnField}").value = copyandpastelinkvar;
       document.getElementById("{!$Component.targetName}").value = copyandpastelinkvar;
       document.getElementById("{!$Component.hdnField2}").value = true;
       return false;
} else {
       document.getElementById("{!$Component.hdnField2}").value = false;    //Link is not gdrive link
       document.write('Link is not google drive link');
       return true;
}

So please help me out for this

Thanks & regards

Darshana
  • 71
  • 8
  • I think you should read the defination of what this API does. If your drive file was on the Safe Browsing lists then all of google drive would be on the safe browsing list. – Linda Lawton - DaImTo Dec 11 '20 at 09:41
  • They have given below information in overview of Safe browsing API :- "The Safe Browsing APIs (v4) let your client applications check URLs against Google's constantly updated lists of unsafe web resources. Examples of unsafe web resources are social engineering sites (phishing and deceptive sites) and sites that host malware or unwanted software. **Any URL found on a Safe Browsing list is considered unsafe** " Means the safe browsing list contains unsafe URL's only. And I have to check whether that URL is google drive file URL or not? – Darshana Dec 11 '20 at 11:16

1 Answers1

1

You could take two approaches and bypass the need to check the URL, if you are using Google Docs exclusively, then you can take out the relevant information from the link and build a link you know is safe.

Use the document ID with Drive API

If you have access to the file you can check it against the Drive API.

For example with a regex like:

/(https:\/\/docs\.google\.com\/)(.+)(\/d\/)(.{44})/

Returning the fourth capture group (.{44}) would give you the document ID. You could then check that against the Drive API, and if you get a 200 response from that, then you would know that the ID is valid. If you get any other response, then you could reject it as invalid.

Then you can replace the given link with one constructed by your script. The way you could construct the link is like this:

let input = <THE LINK GIVEN>
let re = /(^https:\/\/docs\.google\.com\/)(.+)(\/d\/)(.{44})/
let matches = input.match(re)
let service = matches[2]
let id = matches[4]
let url = "https://docs.google.com/" + service + "/d/" + id

For example with a simple HTTP request:

curl \
  'https://www.googleapis.com/drive/v3/files/[DOCUMENT_ID]?supportsAllDrives=true&fields=id&key=[YOUR_API_KEY]' \
  --header 'Authorization: Bearer [YOUR_ACCESS_TOKEN]' \
  --header 'Accept: application/json' \
  --compressed

Visit the link from a script

Using server side scripts, you can try to visit the constructed link to see what status code it returns.

Returning the second capture group from the above regex would give you the service (spreadsheets, documents, etc), the fourth capture group would give you the ID.

You could then build the URL with the legitimate format and use an Apps Script project or other server side code to check if the URL returns a 200 (OK) a 403 (Access forbidden) or 404 (Not Found). If it returns the 404 its because the ID doesn't exist, and so it likely to not be legitimate. 403 could mean that it just doesn't have access.

Unfortunately you can't run it from client side JavaScript because of the CORS policy. Any fetch or XMLHttpRequest will fail when trying to call these links.

With some server side code like Apps Script it could be something like:

function checkLegitimacy(input){
  try {
    let re = /(^https:\/\/docs\.google\.com\/)(.+)(\/d\/)(.{44})/
    let matches = input.match(re)
    let service = matches[2]
    let id = matches[4]
    let url = "https://docs.google.com/" + service + "/d/" + id

    let response = UrlFetchApp.fetch(url, {'muteHttpExceptions': true})
    if (response.getResponseCode() != 200 && response.getResponseCode() != 403){
      throw "Doesn't exist"
    } else {
      Logger.log("Link OK")
    }
  } catch(e){Logger.log("Invalid Link")}
}

function main(){
  checkLegitimacy("https://docs.google.com/spreadsheets/d/<REAL_ID>")
  // Returns "Link OK"
  checkLegitimacy("https://docs.google.com/spreadsheets/d/<FAKE_ID>")
  // Returns "Invalid Link"
  checkLegitimacy("https://badsite.com/spreadsheets/d/<REAL_ID>")
  // Returns "Invalid Link"
}

References

iansedano
  • 6,169
  • 2
  • 12
  • 24
  • Thanks for your response @iansedano.But I don't have access token of user. Users simply copy paste the link of file from there account in the text area. – Darshana Dec 12 '20 at 05:51
  • If you have access to the file you can use your own access token, just like how you'd call the safe browsing API – iansedano Dec 12 '20 at 08:01
  • Actually we don't have access of file. We only have the link of the file. So can you please suggest me any way to find the link is google drive file link or not. – Darshana Dec 17 '20 at 06:29
  • If there is no access to the file, why do you need to check its legitimacy? – iansedano Dec 17 '20 at 08:18
  • We want to store that link in the record field. And before saving, I want to check if that link is not fake or other than Google drive file link. – Darshana Dec 17 '20 at 09:32
  • Again though, why do you need to store it if you don't even have access to it? – iansedano Dec 17 '20 at 09:43
  • @Darshana I have updated the question with another posibility. – iansedano Dec 17 '20 at 10:54
  • Thank you for your update. Will try this And get back to you soon. – Darshana Dec 17 '20 at 11:50