Node.js prevent function inspection (toString)


Question

When javascript is run in the browser there is no need to try and hide function code because it is downloaded and viewable in source.

When run on the server the situation changes. There are use cases such as an API where you want to provide users with functions to call without allowing them to view the code which is run.

In our specific case we want to execute user-submitted JavaScript inside Node. We are able to sandbox the Node.js API; however, we would like to add our own API to this sandbox without users being able to toString the function to view the code which is run.

Does anyone have a pattern or know of a way of preventing users from outputting a function's code?

Update:

Here is a full solution (I believe) based on the accepted answer below. Please note that this is demonstrated using client-side code, although you would not use this client side, as someone can see the contents of your hidden function by simply reading the downloaded code (although it may provide some basic slowdown to inspecting the code if you have used a minifier).

This is meant for server-side use where you want to allow users to run API code within a sandbox env but not allow them to view what the APIs do. The sandbox in this code is only to demonstrate the point. It is not an actual sandbox implementation.

// function which hides another function by returning an anonymous
// function which calls the hidden function (i.e. places the hidden
// function in a closure to enable access when the wrapped function is passed to the sandbox)
function wrapFunc(funcToHide) {
  var shownFunc = function() {
    funcToHide();
  };
  return shownFunc;
}

// function whose contents you want to hide
function secretFunc() {
  alert('hello');            
}

// api object (will be passed to the sandbox to enable access to
// the hidden function)
var apiFunc = wrapFunc(secretFunc);
var api = {};
api.apiFunc = apiFunc;

// sandbox (not an actual sandbox implementation - just for demo)
(function(api) {
  console.log(api);
  alert(api.apiFunc.toString());
  api.apiFunc();
})(api);

Recommended answer

If you wrap a callback in a function, you can use another function in that scope which is actually hidden from the callback scope, thus:

function hideCall(funcToHide) {
    var hiddenFunc = funcToHide;
    var shownFunc = function() {
        hiddenFunc();
    };
    return shownFunc;
}

Then run it like this:

var shtumCallBack = hideCall(secretSquirrelFunc);
userCode.tryUnwindingThis(shtumCallBack);

The userCode scope will not be able to access secretSquirrelFunc except to call it, because the scope it would need is that of the hideCall function which is not available.
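
The closure pattern from the question and the answer, as an added example that is not code from either post. It goes one step beyond them: the wrapper forwards arguments and return values, and replaces thrown errors so that messages and stack traces do not name the hidden function. `hideFunc`, `secretAdd`, `SECRET_OFFSET` and `inspectFromUserCode` are hypothetical names, and the "user code" is a plain function rather than a real sandbox.

```javascript
'use strict';

// hideFunc, secretAdd and inspectFromUserCode are hypothetical names for this example.
function hideFunc(funcToHide) {
  const shown = function (...args) {
    try {
      // Forward `this`, the arguments and the return value to the hidden function.
      return funcToHide.apply(this, args);
    } catch {
      // The original error's message and stack name internal functions and
      // file paths, so hand user code a fresh error that carries neither.
      const safe = new Error('API call failed');
      safe.stack = 'Error: API call failed';
      throw safe;
    }
  };
  // Frozen so user code cannot attach or replace properties on the shared wrapper.
  return Object.freeze(shown);
}

// Constructed stand-in for the implementation that should stay private.
function secretAdd(a, b) {
  const SECRET_OFFSET = 41;
  if (typeof a !== 'number') {
    throw new TypeError('secretAdd: expected number, got ' + typeof a);
  }
  return a + b + SECRET_OFFSET;
}

const api = Object.freeze({ add: hideFunc(secretAdd) });

// Stand-in for user-submitted code: returns everything it can observe via `api`.
function inspectFromUserCode(api) {
  let caught;
  try {
    api.add('x', 1);
  } catch (e) {
    caught = e;
  }
  return {
    source: api.add.toString(),   // source of the wrapper only
    result: api.add(1, 2),        // the hidden function still runs
    errorMessage: caught.message,
    errorStack: caught.stack,
  };
}

console.log(inspectFromUserCode(api));
```

The wrapper's own source stays visible through `toString`; only the function held in the closure is hidden, so nothing sensitive belongs in the wrapper body.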
