 

Secure distribution of NodeJS applications

What: Can NodeJS apps be distributed as a binary? I.e. you compile the .js app via V8 into its native binary and distribute the binary to clients (if you had total access to the NodeJS server)... or is minifying the code all you can do?

Why: We build server-side applications in NodeJS for clients that often have to be hosted on the client's servers. Distributing source code means clients can easily steal our solution and stop paying licensing fees. This opens up the possibility of easy reverse-engineering or reuse of our apps without our awareness.

Robin Rodricks asked Feb 23 '12 12:02




2 Answers

Yes you can create a binary format. V8 allows you to pre-compile JavaScript. Note that this might have a bunch of weird side-effects on assumptions made by node core.

Distributing source code means clients can easily steal our solution and stop paying licensing fees.

Just because you distribute the binary doesn't protect you against theft. They can still steal the binary code or disassemble it. This is protection through obscurity, which is no protection at all.

It's better to give them a thin client app that talks to your server and keep your server code secure by not giving it away.

Raynos answered Sep 22 '22 02:09
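To make the "they can still disassemble it" point concrete: the quickest check a client would run against a shipped node binary is a `strings`-style scan, and (as the other answer's UPDATE notes) the script source tends to survive inside the executable verbatim. The following is an added example, not code from either answer. It scans a byte buffer for printable runs and keeps those that look like JavaScript; the "binary" here is a constructed buffer standing in for a node executable, and `fs.readFileSync(process.execPath)` would be the real input.

```javascript
'use strict';
// Added example (not from the original answers): a strings-style scan that recovers
// JavaScript source embedded in a binary. The input is a constructed buffer; a real
// check would read the executable and scan it the same way.

// Runs of printable ASCII (plus tab/newline) at least minLen bytes long.
function printableRuns(buf, minLen = 8) {
  const runs = [];
  let start = -1;
  for (let i = 0; i <= buf.length; i++) {
    const b = i < buf.length ? buf[i] : -1;            // -1 terminates the final run
    const printable = (b >= 0x20 && b <= 0x7e) || b === 0x09 || b === 0x0a;
    if (printable) {
      if (start < 0) start = i;
    } else if (start >= 0) {
      if (i - start >= minLen) runs.push(buf.toString('latin1', start, i));
      start = -1;
    }
  }
  return runs;
}

// Heuristics for "this run is JavaScript source" rather than a symbol name or path.
const JS_MARKERS = [
  /\bfunction\b/,
  /\brequire\(/,
  /\bmodule\.exports\b/,
  /\b(var|const|let)\b/,
  /=>/,
];

function extractJsFragments(buf) {
  return printableRuns(buf).filter((s) => JS_MARKERS.some((re) => re.test(s)));
}

// Constructed stand-in for a node executable: header-like bytes, padding, the
// embedded script text, a few non-printable bytes, then an ordinary linker string.
function constructedBinary() {
  const embeddedSource =
    "function checkLicense(key) { return key === 'ACME-2012-TRIAL'; }\n" +
    'module.exports = { checkLicense: checkLicense };';
  const header = Buffer.from([0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00]); // constructed ELF-like bytes
  const padding = Buffer.alloc(64, 0x00);
  const trailer = Buffer.from([0x00, 0xff, 0x90, 0x90]);
  return Buffer.concat([
    header,
    padding,
    Buffer.from(embeddedSource, 'latin1'),
    trailer,
    Buffer.from('libc.so.6\0', 'latin1'),
  ]);
}

// Everything a client would learn from the shipped "binary", including the license key.
function leakedFragments() {
  return extractJsFragments(constructedBinary());
}

console.log(leakedFragments());
```

Running this prints the full `checkLicense` function, hard-coded key included; minification would shorten the fragment but not remove it.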


Yes it is possible, use this branch (based on 0.8.18) and any js code you put in 'deps/v8/src/extra-snapshot.js' will be ahead-of-time compiled to machine code and embedded in v8 as part of the normal builtin object initialization. You will need to build nodejs for each platform you intend to deploy your product on.

The snapshotted code runs very early in the v8 initialization and you cannot access builtin objects in the 'module body'. What you can do is put all your code inside a global initialization function to be called later. Ex:

```javascript
// 'this' points to the same as the object referenced by
// 'global' in normal nodejs code.
// at this point it has nothing defined in it, so in order to use
// global objects a reference to it is needed.
var global = this;
global.initialize = function() {
  // You have to define all global objects you use in your code here;
  var Array = global.Array;
  var RegExp = global.RegExp;
  var Date = global.Date;
  // See ECMAScript v5 standard global objects for more
  // Also define nodejs global objects:
  var console = global.console;
  var process = global.process;
  // Your code goes embedded here
};
```

Also, this assumes your entire code is defined in a single file, so if your project uses the nodejs module system (require) you need to write a script that will combine all your files into one and wrap each file in a closure that will trick your code into thinking it is a normal nodejs module. Probably each module closure would expose a require function, and this function would have to decide when to delegate to the standard 'global.require' or return exports from your other embedded modules. See how javascript module systems are implemented for ideas (requirejs is a good example).

This will make your code harder to debug since you won't see stack traces for native code.

UPDATE:

Even using v8 snapshots the code gets embedded in the node.js binary because v8 prefers lazy compilation. See this for more information.

Thiago Padilha answered Sep 22 '22 02:09
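The combine-and-wrap script the answer describes is small enough to show in full. The following is an added example, not code from the answer or the linked branch: `bundle()` wraps each file in a `function (module, exports, require)` closure and emits a runtime whose `require` serves embedded modules itself and delegates anything else (bare names such as `'os'`) to the host's require; `wrapForSnapshot()` then puts the result inside the `global.initialize` skeleton from the answer, capturing the builtins it uses (`Object`, `Error`) the way the skeleton prescribes. The module sources are a constructed in-memory map (a real build script would read them from disk), and `bootSnapshot()` only simulates the snapshot lifecycle with a fake host require so the whole thing runs offline in ordinary node.

```javascript
'use strict';
// Added example (not from the answer): a minimal single-file bundler plus the runtime
// that makes each embedded file behave like a normal CommonJS module.

// Constructed sample project: path -> source text.
const SAMPLE_MODULES = {
  'main.js':
    "var math = require('./lib/math');\n" +
    "var os = require('os');\n" + // not embedded, so it must reach the host require
    "module.exports = { sum: math.add(2, 3), host: os.platform() };",
  'lib/math.js':
    "var util = require('./util');\n" +
    "exports.add = function (a, b) { return util.check(a) + util.check(b); };",
  'lib/util.js':
    "exports.check = function (n) {\n" +
    "  if (typeof n !== 'number') throw new TypeError('not a number: ' + n);\n" +
    "  return n;\n" +
    "};",
};

// Runtime emitted into every bundle. Plain ES5; its only free builtin references are
// Object and Error, which the snapshot wrapper below captures inside initialize().
const RUNTIME = [
  'var cache = {};',
  'function resolve(from, spec) {', // './util' relative to 'lib/math.js' -> 'lib/util.js'
  '  var parts = from.split("/"); parts.pop();',
  '  var segs = spec.split("/");',
  '  for (var i = 0; i < segs.length; i++) {',
  '    if (segs[i] === "..") parts.pop();',
  '    else if (segs[i] !== "." && segs[i] !== "") parts.push(segs[i]);',
  '  }',
  '  var id = parts.join("/");',
  '  return id.slice(-3) === ".js" ? id : id + ".js";',
  '}',
  'function load(id) {',
  '  if (Object.prototype.hasOwnProperty.call(cache, id)) return cache[id].exports;',
  '  var module = cache[id] = { exports: {} };',
  '  defs[id].call(module.exports, module, module.exports, makeRequire(id));',
  '  return module.exports;',
  '}',
  'function makeRequire(from) {',
  '  return function (spec) {',
  '    if (spec.charAt(0) !== ".") return hostRequire(spec);', // bare name: delegate
  '    var id = resolve(from, spec);',
  '    if (!Object.prototype.hasOwnProperty.call(defs, id)) throw new Error("embedded module not found: " + id);',
  '    return load(id);',
  '  };',
  '}',
].join('\n');

// One source string: every file wrapped in a closure with its own module/exports/require.
function bundle(modules, entry) {
  const defs = Object.keys(modules)
    .map((id) => '  ' + JSON.stringify(id) + ': function (module, exports, require) {\n' + modules[id] + '\n  }')
    .join(',\n');
  return '(function (hostRequire) {\nvar defs = {\n' + defs + '\n};\n' + RUNTIME +
    '\nreturn load(' + JSON.stringify(entry) + ');\n})';
}

// The extra-snapshot.js shape from the answer: nothing runs at module-body time, and
// the builtins the bundle needs are looked up inside initialize().
function wrapForSnapshot(bundleSource) {
  return 'var global = this;\n' +
    'global.initialize = function () {\n' +
    '  var Object = global.Object;\n' +
    '  var Error = global.Error;\n' +
    '  global.app = (' + bundleSource + ')(global.require);\n' +
    '};';
}

// Simulates the lifecycle: run the body against an empty global, then populate the
// global the way node would and call initialize(). hostRequire is a stand-in for
// node's real require so the run is offline and deterministic.
function bootSnapshot(wrapped, hostRequire) {
  const g = {};
  new Function(wrapped).call(g); // module body: only defines global.initialize
  g.Object = Object;
  g.Error = Error;
  g.require = hostRequire;
  g.initialize();
  return g.app;
}

// Constructed host require: resolves 'os' only, so delegation is observable.
const FAKE_HOST_REQUIRE = (spec) => {
  if (spec === 'os') return { platform: () => 'linux' };
  throw new Error('unexpected host require: ' + spec);
};

function buildAndRun(modules = SAMPLE_MODULES, entry = 'main.js') {
  return bootSnapshot(wrapForSnapshot(bundle(modules, entry)), FAKE_HOST_REQUIRE);
}

console.log(buildAndRun()); // { sum: 5, host: 'linux' }
```

The resolver only handles `./` and `../` specifiers with an optional `.js` suffix; directory indexes, `package.json` lookups and JSON modules are left out on purpose, and a missing embedded module fails at require time with a clear error rather than silently falling through to the host.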