Secure distribution of NodeJS applications

2019-01-06 09:14发布

问题:

What: Can NodeJS apps be distributed as binary? ie. you compile the .js app via V8 into its native binary, and distribute the binary to clients? (if you had total access to the NodeJS server)... or is minifying the code all you can do?

Why: We build serverside applications in NodeJS for clients, that have often to be hosted on the client's servers. Distributing source code means clients can easily steal our solution and stop paying licensing fees. This opens up the possibility of easy reverse-engineering or reuse of our apps without our awareness.

回答1:

Yes you can create a binary format. V8 allows you to pre-compile JavaScript. Note that this might have a bunch of weird side-effects on assumptions made by node core.

Distributing source code means clients can easily steal our solution and stop paying licensing fees.

Just because you distribute the binary doesn't protect you againsts theft. They can still steal the binary code or disassemble it. This is protection through obscurity which is no protection at all.

It's better to give them a thin client app that talks to your server and keep your server code secure by not giving it away.



回答2:

Yes it is possible, use this branch(based on 0.8.18) and any js code you put in 'deps/v8/src/extra-snapshot.js' will be ahead-of-time compiled to machine code and embedded in v8 as part of the normal builtin object initialization. You will need to build nodejs for each platform you intend to deploy your product.

The snapshotted code runs very early in the v8 initialization and you cannot access builtin objects in the 'module body'. What you can do is put all your code inside a global initialization function to be called later. Ex:

// 'this' points to the same as the object referenced by 
// 'global' in normal nodejs code.
// at this point it has nothing defined in it, so in order to use
// global objects a reference to it is needed.
var global = this;
global.initialize = function() {
  // You have to define all global objects you use in your code here;
  var Array = global.Array;
  var RegExp = global.RegExp;
  var Date = global.Date;
  // See ECMAScript v5 standard global objects for more
  // Also define nodejs global objects:
  var console = global.console;
  var process = global.process;
  // Your code goes embedded here
};

Also, this assumes your entire code is defined in a single file, so if your project uses nodejs module system(require) you need to write a script that will combine all your files in one and wrap each file in a closure that will trick your code into thinking it is a normal nodejs module. Probably each module closure would expose a require function, and this function would have to decide when to delegate to the standard 'global.require' or return exports from your other embedded modules. See how javascript module systems are implemented for ideas(requirejs is a good example).

This will make your code harder to debug since you wont see stack traces for native code.

UPDATE:

Even using v8 snapshots the code gets embedded in the node.js binary because v8 prefers lazy compilation. See this for more information.



回答3:

EncloseJS.

You get a fully functional binary without sources.

JavaScript code is transformed into native code at compile-time using V8 internal compiler. Hence, your sources are not required to execute the binary, and they are not packaged.

Perfectly optimized native code can be generated only at run-time based on the client's machine. Without that info EncloseJS can generate only "unoptimized" code. It runs about 2x slower than NodeJS.

Also, node.js runtime code is put inside the executable (along with your code) to support node API for your application at run-time.

Use cases:

  • Make a commercial version of your application without sources.
  • Make a demo/evaluation/trial version of your app without sources.
  • Make some kind of self-extracting archive or installer.
  • Make a closed source GUI application using node-thrust.
  • No need to install node and npm to deploy the compiled application.
  • No need to download hundreds of files via npm install to deploy your application. Deploy it as a single independent file.
  • Put your assets inside the executable to make it even more portable. Test your app against new node version without installing it.


回答4:

I'm currently investigating the same thing and am looking at nexe which claims to be able to "create a single executable out of your node.js apps".

Can't tell you if it's any good just yet, but thought it'd be worth to share already.



回答5:

V8 generates native machine code internally and executes it. Look here: https://github.com/v8/v8-git-mirror/blob/master/src/compiler.cc#L1178 . This feature is used in EncloseJS. EncloseJS parses the sources of your node.js project, bundles dependencies, and makes an executable binary. The sources are not included in the binary - only compiled machine code.