Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

node.js code protection

Tags:

node.js

I was checking to see if it is possible to distribute a node.js application closed source. Not the client-side Javascript files but the server-side files as a commercial product. I suppose code obfuscation/uglification will not provide real privacy. Maybe something like packaging/compiling the source code into binary could help. Is this possible?

like image 765
qualon Avatar asked Nov 07 '11 17:11

qualon


People also ask

Is Node js a security risk?

js security risks. Many packages open new ports, thus increasing the attack surface. Roughly 76% of Node shops use vulnerable packages, some of which are extremely severe; and open source projects regularly grow stale, neglecting to fix security flaws. Inevitably, using npm packages will expose you to security risks.


2 Answers

I did some searching around the NodeJS and v8 code.

First on NodeJS repository I found where the source code is first loaded executing on src/node.cc, line 1128:

Local<Value> ExecuteString(Handle<String> source, Handle<Value> filename)

Which first compiles the string, (and later executes), using:

Local<v8::Script> script = v8::Script::Compile(source, filename);

Taking a look at the v8 source code at deps/v8/include/v8.h, line 639, the Compile function returns:

Compiled script object, bound to the context that was active
  when this function was called.  When run it will always use this
  context.

I am not sure what the script being bound to the context implies, but I would argue that it is not just a binary object that you can save and transfer to another machine without having to transfer the whole context.

EDIT: Taking a deeper look at v8.h, there is also a ScriptData class, that pre-compiles a script to make the compilation faster, and that can be used with the Script class, but the Script class still requires the original source when loading the script. (Maybe for when printing errors, it knows where the error origin.)

In summary, I do not think it is possible without much work.

like image 199
Nican Avatar answered Sep 30 '22 15:09

Nican


V8 is known to compile JavaScript internally and execute it. EncloseJS uses this feature to make a compiled executable out of node.js project. EncloseJS is a compiler for node/io.js - it gives you same privacy as classic compiler.

like image 42
Igor Klopov Avatar answered Sep 30 '22 15:09

Igor Klopov