com.dropbox.core:dropbox-core-sdk
A Java library to access Dropbox's HTTP-based Core API v2. This SDK also supports the older Core API v1, but that support will be removed at some point.
License: MIT
Documentation: Javadocs
The current release of Dropbox SDK Java supports Java 8+.
If you're using Maven, then edit your project's "pom.xml" and add this to the <dependencies> section:
<dependency>
    <groupId>com.dropbox.core</groupId>
    <artifactId>dropbox-core-sdk</artifactId>
    <version>7.0.0</version>
</dependency>
If you are using Gradle, then edit your project's "build.gradle" and add this to the dependencies section:
dependencies {
    // ...
    implementation 'com.dropbox.core:dropbox-core-sdk:7.0.0'
}
You can also download the Java SDK JAR and its required dependencies directly from the latest release page. Note that the distribution artifacts on the releases pages do not contain optional dependencies.
A good way to start using the Java SDK is to follow this quick tutorial. Just make sure you have the Java SDK installed first!
To use the Dropbox API, you'll need to register a new app in the App Console. Select Dropbox API app and choose your app's permission. You'll need to use the app key created with this app to access API v2.
In order to make calls to the API, you'll need an instance of the Dropbox object. To instantiate, pass in the access token for the account you want to link. (Tip: You can generate an access token for your own account through the App Console).
import com.dropbox.core.DbxException;
import com.dropbox.core.DbxRequestConfig;
import com.dropbox.core.v2.DbxClientV2;

public class Main {
    private static final String ACCESS_TOKEN = "<ACCESS TOKEN>";

    public static void main(String args[]) throws DbxException {
        // Create Dropbox client
        DbxRequestConfig config = DbxRequestConfig.newBuilder("dropbox/java-tutorial").build();
        DbxClientV2 client = new DbxClientV2(config, ACCESS_TOKEN);
    }
}
Test it out to make sure you've linked the right account:
// Get current account info
FullAccount account = client.users().getCurrentAccount();
System.out.println(account.getName().getDisplayName());
You can use the Dropbox object you instantiated above to make API calls. Try out a request to list the contents of a folder.
// Get files and folder metadata from Dropbox root directory
ListFolderResult result = client.files().listFolder("");
while (true) {
    for (Metadata metadata : result.getEntries()) {
        System.out.println(metadata.getPathLower());
    }

    if (!result.getHasMore()) {
        break;
    }

    result = client.files().listFolderContinue(result.getCursor());
}
Try uploading a file to your Dropbox.
// Upload "test.txt" to Dropbox
try (InputStream in = new FileInputStream("test.txt")) {
    FileMetadata metadata = client.files().uploadBuilder("/test.txt")
        .uploadAndFinish(in);
}
import com.dropbox.core.DbxException;
import com.dropbox.core.DbxRequestConfig;
import com.dropbox.core.v2.DbxClientV2;
import com.dropbox.core.v2.files.FileMetadata;
import com.dropbox.core.v2.files.ListFolderResult;
import com.dropbox.core.v2.files.Metadata;
import com.dropbox.core.v2.users.FullAccount;

import java.io.FileInputStream;
import java.io.InputStream;
import java.io.IOException;

public class Main {
    private static final String ACCESS_TOKEN = "<ACCESS TOKEN>";

    public static void main(String args[]) throws DbxException, IOException {
        // Create Dropbox client
        DbxRequestConfig config = DbxRequestConfig.newBuilder("dropbox/java-tutorial").build();
        DbxClientV2 client = new DbxClientV2(config, ACCESS_TOKEN);

        // Get current account info
        FullAccount account = client.users().getCurrentAccount();
        System.out.println(account.getName().getDisplayName());

        // Get files and folder metadata from Dropbox root directory
        ListFolderResult result = client.files().listFolder("");
        while (true) {
            for (Metadata metadata : result.getEntries()) {
                System.out.println(metadata.getPathLower());
            }

            if (!result.getHasMore()) {
                break;
            }

            result = client.files().listFolderContinue(result.getCursor());
        }

        // Upload "test.txt" to Dropbox
        try (InputStream in = new FileInputStream("test.txt")) {
            FileMetadata metadata = client.files().uploadBuilder("/test.txt")
                .uploadAndFinish(in);
        }
    }
}
Some more complete examples can be found here:
To try out running these examples, please follow the instructions below.
Save your Dropbox API key to a JSON file called, say, "test.app":
{
  "key": "Your Dropbox API app key",
  "secret": "Your Dropbox API app secret"
}
App key and secret can be found in your app page in App Console.
git clone https://github.com/dropbox/dropbox-sdk-java.git
cd dropbox-sdk-java
./update-submodules # also do this after every "git checkout"
./gradlew build # requires `python` command to use Python 3.9, pip dropbox
The output will be in "build/".
./gradlew build
cd examples/ && ./gradlew classes
cd examples/ && ./gradlew :<example-name>:classes
This example runs through the OAuth 2 authorization flow.
cd examples
./run authorize test.app test.auth
This produces a file named "test.auth" that has the access token. This file can be passed in to the other examples.
A simple example that fetches and displays information about the account associated with the access token.
cd examples
./run account-info test.auth
(You must first generate "test.auth" using the "authorize" example above.)
An example of how to watch for changes in a Dropbox directory.
cd examples
./run longpoll test.auth "/path/to/watch"
(You must first generate "test.auth" using the "authorize" example above.)
Uploads a file to Dropbox. The example includes regular and chunked file uploads.
cd examples
./run upload-file test.auth local-path/file.txt /dropbox-path/file.txt
(You must first generate "test.auth" using the "authorize" example above.)
A tiny web app that runs through the OAuth 2 authorization flow and then uses Dropbox API calls to let the user browse their Dropbox files.
Prerequisite: In the Dropbox API app configuration console, you need to add "http://localhost:5000/dropbox-auth-finish" to the list of allowed redirect URIs.
cd examples
./run web-file-browser 5000 test.app web-file-browser.db
Use the "authorize" example above to get a "test.auth" file.
./gradlew -Pcom.dropbox.test.authInfoFile=<path-to-test.auth> integrationTest
To run individual tests, use the --tests gradle test filter:
./gradlew -Pcom.dropbox.test.authInfoFile=<path-to-test.auth> integrationTest --tests '*.DbxClientV1IT.testAccountInfo'
Edit your project's "build.gradle" and add the following to the dependencies section:
dependencies {
    // ...
    implementation 'com.dropbox.core:dropbox-core-sdk:7.0.0'
    implementation 'com.dropbox.core:dropbox-android-sdk:7.0.0'
}
If you use Jetifier and see the following error, add android.jetifier.ignorelist = jackson-core,fastdoubleparser to your gradle.properties file.
Failed to transform jackson-core-2.15.0.jar (com.fasterxml.jackson.core:jackson-core:2.15.0) to match attributes {artifactType=android-classes-jar, org.gradle.category=library, org.gradle.dependency.bundling=external, org.gradle.libraryelements=jar, org.gradle.status=release, org.gradle.usage=java-api}.
The Android code in this SDK is written in Kotlin (as of 5.4.x) and Kotlin is now a runtime dependency. If you do not already have Kotlin in your project, you will need to add implementation("org.jetbrains.kotlin:kotlin-stdlib:1.6.21") to your dependencies block in order to avoid a runtime exception.
If the official Dropbox App is installed, it will attempt to use it to do authorization. If it is not, a web authentication flow is launched in-browser.
Use the methods in Auth to start an authentication session.
Please look at the examples/android sample app for usage as well.
The following configuration is required when using the SDK on Android.
Add the following pieces to your AndroidManifest.xml to use Dropbox for authentication on Android.
Add AuthActivity to the manifest
Use your Dropbox app key in place of dropboxKey below. You need to add the AuthActivity entry and its associated intent-filter.
<manifest>
    ...
    <application>
        <activity
            android:name="com.dropbox.core.android.AuthActivity"
            android:exported="true"
            android:configChanges="orientation|keyboard"
            android:launchMode="singleTask">
            <intent-filter>
                <data android:scheme="db-${dropboxKey}" />
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.BROWSABLE" />
                <category android:name="android.intent.category.DEFAULT" />
            </intent-filter>
            <!-- Additional intent-filter required as a workaround for Apps using targetSdk=33 until the fix in the Dropbox app is available to all users. -->
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.DEFAULT" />
            </intent-filter>
        </activity>
    </application>
    ...
</manifest>
The activity that starts the authorization flow should also be configured with android:launchMode="singleTask". If that activity is configured with android:taskAffinity, then the AuthActivity should be configured with the same task affinity, so that the authorization result can be passed back to your activity.
🚨 There is a known issue with app-to-app authentication for apps with targetSdk=33 when the Dropbox App is installed 🚨
A fix is being worked on and will be released in an upcoming version of the Dropbox Mobile App.
Add the Dropbox package to queries
Additionally, you need to allow queries from the Dropbox official app for verification during the app-to-app authentication flow.
<manifest>
    ...
    <queries>
        <package android:name="com.dropbox.android" />
    </queries>
    ...
</manifest>
When I use OkHttp3Requestor in DbxRequestConfig, I get errors like 'class file for okhttp3.OkHttpClient not found'
The OkHttp/OkHttp3 dependencies are optional. Add them only if you explicitly want to use one of them as the HTTP requestor.
Example in Gradle:
dependencies {
    // ...
    api 'com.squareup.okhttp3:okhttp:4.0.0'
}
The JAR's manifest has the following line:
Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=11))"
Most OSGi containers should provide this capability. Unfortunately, some OSGi containers don't do this correctly and will reject the bundle JAR in the OSGi subsystem context.
As a workaround, you can build your own version of the JAR that omits the "osgi.ee" capability by running:
./gradlew clean
./gradlew -Posgi.bnd.noee=true :core:jar
(This is equivalent to passing the "-noee" option to the OSGi "bnd" tool.)
Another workaround is to tell your OSGi container to provide that requirement: StackOverflow answer.
The only ProGuard rules necessary are for the SDK's required and optional dependencies. If you encounter ProGuard warnings, consider adding the following "-dontwarn" directives to your ProGuard configuration file:
-dontwarn okio.**
-dontwarn okhttp3.**
-dontwarn com.squareup.okhttp.**
-dontwarn com.google.apphosting.**
-dontwarn com.google.appengine.**
-dontwarn com.google.protos.cloud.sql.**
-dontwarn com.google.cloud.sql.**
-dontwarn javax.activation.**
-dontwarn javax.mail.**
-dontwarn javax.servlet.**
-dontwarn org.apache.**
As of version 7.0.0, the SDK no longer provides certificate pinning by default. We provide hooks for you to run each of your requests with your own SSLSocketFactory or CertificatePinner. To provide this to your calls, you can use any of the requestors provided.
Note: If you were previously using SSLConfig, this is no longer available. You can view the source in git history but we no longer provide any default certificate pinning or any other configuration.
StandardHttpRequestor
StandardHttpRequestor.Config customConfig = StandardHttpRequestor.Config.DEFAULT_INSTANCE.copy()
    .withSslSocketFactory(mySslSocketFactory)
    .build();
StandardHttpRequestor requestor = new StandardHttpRequestor(customConfig);
OkHttp3Requestor
See: CertificatePinner
okhttp3.OkHttpClient httpClient = OkHttp3Requestor.defaultOkHttpClientBuilder()
    .certificatePinner(myCertificatePinner)
    .build();
OkHttpRequestor
See: CertificatePinner
// OkHttp 2.x has no builder: setCertificatePinner() returns the client itself
OkHttpClient httpClient = OkHttpRequestor.defaultOkHttpClient().clone()
    .setCertificatePinner(myCertificatePinner);
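The snippets above leave mySslSocketFactory undefined. The following is an added example, not code from the SDK or its README, showing one way to build it for the StandardHttpRequestor hook so that the client trusts only a CA bundle shipped with your application (trust-anchor pinning rather than public-key pinning). The class name PinnedDropboxClient, its two methods and the PEM bundle path are assumptions.

```java
import com.dropbox.core.DbxRequestConfig;
import com.dropbox.core.http.StandardHttpRequestor;
import com.dropbox.core.v2.DbxClientV2;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class; not part of the Dropbox SDK.
public class PinnedDropboxClient {
    // Returns a socket factory that trusts ONLY the CA certificates in the
    // given PEM bundle, ignoring the JVM's default trust store.
    static SSLSocketFactory socketFactoryTrustingOnly(Path pemBundle) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // start from an empty store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pemBundle)) {
            int i = 0;
            for (Certificate ca : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("pinned-ca-" + i++, ca);
            }
        }
        if (trustStore.size() == 0) { // fail closed on an empty or unreadable bundle
            throw new IllegalStateException("no certificates found in " + pemBundle);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Wires the restricted socket factory into the SDK through the hook shown above.
    static DbxClientV2 newClient(String accessToken, Path pemBundle) throws Exception {
        StandardHttpRequestor.Config httpConfig = StandardHttpRequestor.Config.DEFAULT_INSTANCE.copy()
            .withSslSocketFactory(socketFactoryTrustingOnly(pemBundle))
            .build();
        DbxRequestConfig config = DbxRequestConfig.newBuilder("dropbox/java-tutorial")
            .withHttpRequestor(new StandardHttpRequestor(httpConfig))
            .build();
        return new DbxClientV2(config, accessToken);
    }
}
```

Include at least one backup CA in the bundle, since a certificate rotation on the server side will otherwise make every request fail until the application is updated.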