Node.js prevent function inspection (toString)

Question

When javascript is run in the browser there is no need to try and hide function code because it is downloaded and viewable in source.

When run on the server the situation changes. There are use cases, such as an API, where you want to provide users with functions to call without allowing them to view the code which is run.

In our specific case we want to execute user-submitted JavaScript inside Node. We are able to sandbox the Node.js API; however, we would like to add our own API to this sandbox without users being able to toString the function to view the code which is run.

Does anyone have a pattern or know of a way of preventing users from outputting a function's code?

Update:

Here is a full solution (I believe) based on the accepted answer below. Please note that although this is demonstrated using client-side code, you would not use this client side, as someone can see the contents of your hidden function by simply reading the downloaded code (although it may provide some basic slowdown to inspecting the code if you have used a minifier).

This is meant for server-side use, where you want to allow users to run API code within a sandbox environment but not allow them to view what the APIs do. The sandbox in this code is only to demonstrate the point. It is not an actual sandbox implementation.

// function which hides another function by returning an anonymous
// function which calls the hidden function (i.e. places the hidden
// function in a closure to enable access when the wrapped function is passed to the sandbox)
function wrapFunc(funcToHide) {
  var shownFunc = function() {
    funcToHide();
  };
  return shownFunc;
}

// function whose contents you want to hide
function secretFunc() {
  alert('hello');            
}

// api object (will be passed to the sandbox to enable access to
// the hidden function)
var apiFunc = wrapFunc(secretFunc);
var api = {};
api.apiFunc = apiFunc;

// sandbox (not an actual sandbox implementation - just for demo)
(function(api) {
  console.log(api);
  alert(api.apiFunc.toString());
  api.apiFunc();
})(api);

Recommended answer

If you wrap a callback in a function, you can use another function in that scope which is actually hidden from the callback scope, thus:

function hideCall(funcToHide) {
    var hiddenFunc = funcToHide;
    var shownFunc = function() {
        hiddenFunc();
    };
    return shownFunc;
}

Then run

var shtumCallBack = hideCall(secretSquirrelFunc);
userCode.tryUnwindingThis(shtumCallBack);

The userCode scope will not be able to access secretSquirrelFunc except to call it, because the scope it would need is that of the hideCall function which is not available.
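
The closure pattern from the answer above, as an added example that is not part of the original question or answer. It goes slightly further by forwarding arguments and return values and by replacing thrown errors; `userCode`, `INTERNAL_RATE` and the error text are constructed for illustration.

```javascript
// Hypothetical helper (not from the original post): the hidden function is
// reachable only through this closure, never as a reference the caller holds.
function hideCall(funcToHide) {
  const shownFunc = function (...args) {
    try {
      // Forward arguments and the return value; `this` is not forwarded.
      return funcToHide(...args);
    } catch (err) {
      // Throw a fresh error so the original message and stack are not
      // handed to the caller.
      throw new Error('api call failed');
    }
  };
  // Frozen so caller code cannot add or replace properties on the wrapper.
  return Object.freeze(shownFunc);
}

// Constructed sample: the implementation we do not want user code to read.
function secretSquirrelFunc(a, b) {
  const INTERNAL_RATE = 42; // constructed "secret" detail
  if (typeof a !== 'number' || typeof b !== 'number') {
    throw new TypeError('internal validation detail');
  }
  return (a + b) * INTERNAL_RATE;
}

// Constructed stand-in for user-submitted code that inspects the API object.
function userCode(api) {
  let errorMessage = null;
  try {
    api.apiFunc('x', 1);
  } catch (e) {
    errorMessage = e.message;
  }
  return {
    source: api.apiFunc.toString(),
    viaPrototype: Function.prototype.toString.call(api.apiFunc),
    result: api.apiFunc(1, 2),
    errorMessage,
  };
}

const api = Object.freeze({ apiFunc: hideCall(secretSquirrelFunc) });
const seen = userCode(api);
console.log(seen);
```

Everything written inside the wrapper itself, comments included, is still returned by `toString()`, so keep the wrapper body generic.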
