phavekes / unmangleOutlookSafelinks

Thunderbird plugin to unmangle Outlook Protection Safelinks
GNU General Public License v3.0

Also support ProofPoint URLs? #16

Open nwhitehorn opened 4 years ago

nwhitehorn commented 4 years ago

Any chance you could add unmangling of ProofPoint URLs as well? There's a reference implementation of the demangling (in Python) at https://help.proofpoint.com/Threat_Insight_Dashboard/Concepts/How_do_I_decode_a_rewritten_URL%3F

nwhitehorn commented 4 years ago

Here's a JavaScript stub I hacked up this afternoon that successfully de-mangles every ProofPoint URL I could find. Apologies for quality, but I'll see about integrating it and send a pull request if it works.

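// Patterns for recognising and splitting ProofPoint "URL Defense" rewritten links.
//
// These are regex literals on purpose: inside a quoted string the backslash in
// `\.` is dropped, leaving a bare `.` that matches ANY character, so a host
// such as `urldefenseXcom` would be accepted as if it were ProofPoint's.
//
// NOTE(review): none of the patterns is anchored with `^`, so they match a
// ProofPoint URL found anywhere in the input. Callers should pass one URL
// (e.g. a single href value), not free text.

// Captures the scheme version ("v1", "v2", "v3") of a rewritten link.
const detect_pattern = /https:\/\/urldefense(?:\.proofpoint)?\.com\/(v[0-9])\//;
// v1: the target is the percent-encoded `u` parameter, followed by `&k=`.
const v1_pattern = /https:\/\/urldefense(?:\.proofpoint)?\.com\/v1\/url\?u=(.*)&k=.*/;
// v2: the target is the `u` parameter, followed by `&d=` or `&c=`.
const v2_pattern = /https:\/\/urldefense(?:\.proofpoint)?\.com\/v2\/url\?u=(.*)&[dc]=.*/;
// v3: group 1 is the tokenised URL between `__` markers, group 2 the base64url
// blob that follows `;` and runs up to the first `!`.
const v3_pattern = /https:\/\/urldefense(?:\.proofpoint)?\.com\/v3\/__(.+)__;([^!]*).*/;
// v3 placeholder tokens: `*` (one character) or `**X` (a run whose length is coded by X).
const v3_token_pattern = /\*(\*.)?/g;
// Run-length alphabet for `**X` tokens: the index of X in this string, plus 2, is the run length.
const length_codes = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';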

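/**
 * Recover the original URL from a ProofPoint "URL Defense" rewritten link.
 *
 * The input is returned unchanged when it is not a ProofPoint link, when its
 * version is not v1/v2/v3, or when it cannot be decoded (pattern mismatch,
 * malformed percent-encoding, malformed base64).
 *
 * Security note: both the input and the decoded result come from message
 * content. The return value is an arbitrary string, not a vetted URL, so
 * callers should check its scheme (e.g. via `new URL(result).protocol`)
 * before writing it into an href or opening it.
 *
 * @param {string} a - A link, possibly rewritten by ProofPoint.
 * @returns {string} The unmangled URL, or `a` itself if nothing was decoded.
 */
function unmangleProofpointLink (a) {
    // Declared locally: assigning to an undeclared name creates a global in
    // sloppy mode and throws a ReferenceError in strict mode / ES modules.
    const detected = a.match(detect_pattern);
    if (!detected)
        return a;

    try {
        switch (detected[1]) {
        case 'v1': {
            const m = a.match(v1_pattern);
            return m ? decodeURIComponent(m[1]) : a;
        }
        case 'v2': {
            const m = a.match(v2_pattern);
            if (!m)
                return a;
            // v2 writes '%' as '-' and '/' as '_' inside the u= parameter.
            return decodeURIComponent(m[1].replace(/-/g, '%').replace(/_/g, '/'));
        }
        case 'v3': {
            const m = a.match(v3_pattern);
            if (!m)
                return a;
            // base64url -> base64. Padding is normalised to a multiple of four
            // rather than blindly appending '==', which a spec-conforming
            // atob() rejects unless the payload length is 2 mod 4.
            const b64 = m[2].replace(/_/g, '/').replace(/-/g, '+').replace(/=+$/, '');
            const encbytes = atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
            // NOTE(review): atob() yields one character per byte, so non-ASCII
            // replacement text is not UTF-8 decoded here -- confirm against the
            // reference implementation linked in the issue.
            let encbytes_off = 0;

            // Each token is replaced by the next 1 (`*`) or N (`**X`) characters
            // of the decoded blob, consumed left to right.
            return m[1].replace(v3_token_pattern, (chunk) => {
                let len = 1;
                if (chunk.length > 1) {
                    // indexOf, not search(): search() compiles its argument as a
                    // regex, so a token like `***` throws a SyntaxError and `**.`
                    // matches position 0. An unknown code yields -1 + 2 = 1.
                    len = length_codes.indexOf(chunk[2]) + 2;
                }
                const piece = encbytes.substring(encbytes_off, encbytes_off + len);
                encbytes_off += len;
                return piece;
            });
        }
        default:
            // v[0-9] also matches versions this function does not know about.
            return a;
        }
    } catch (err) {
        // Malformed percent-encoding (URIError) or base64 (InvalidCharacterError):
        // leave the link as it was instead of failing the caller.
        if (err instanceof URIError || (err && err.name === 'InvalidCharacterError'))
            return a;
        throw err;
    }
}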
phavekes commented 3 years ago

Thank you for this suggestion. Could you forward me some emails containing these links, so I can test this?

nemobis commented 3 years ago

Thank you for this suggestion. Could you forward me some emails containing these links, so I can test this?

There are a few thousand examples at https://markmail.org/search/?q=urldefense