Using UglifyJs on the whole Node project?

丶灬走出姿态 提交于 2019-12-03 05:16:01
josh3736

I've done something very similar to this in a project I worked on. You have two options:

  1. Leave the files in their directory structure.

    This is by far the easier option, but provides a much lower level of obfuscation since someone interested enough in your code basically has a copy of the logical organization of files.

    An attacker can simply pretty-print all the files and rename the obfuscated variable names in each file until they have an understanding of what is going on.

    To do this, use fs.readdir and fs.stat to recursively go through folders, read in every .js file and output the mangled code.

  2. Compile everything into a single JS file.

    This is much more difficult for you to implement, but does make life harder on an attacker since they no longer have the benefit of your project's organization.

    Your main problem is reconciling your require calls with files that no longer exist (since everything is now in the same file).

    I did this by using Uglify to perform static analysis of my source code by analyzing the AST for calls to require. I then loaded the source code of the required file and repeated.

    Once all code was loaded, I replaced the require calls with calls to a custom function, wrapped each file's source code in a function that emulates how node's module system works, and then mangled everything and compiled it into a single file.

    My custom require function does most of what node's require does except that rather than searching the disk for a module, it searches the wrapper functions.

Unfortunately, I can't really share any code for #2 since it was part of a proprietary project, but the gist is:

  • Parse the source text into an AST using UglifyJS.parse.
  • Use the TreeWalker to visit every node of the AST and check if

    node instanceof UglifyJS.AST_Call && node.start.value == 'require'
    

As I have just completed a huge pure Nodejs project in 80+ files I had the same problem as OP. I needed at least a minimal protection for my hard work, but it seems this very basic need had not been covered by the NPMjs OS community. Add salt to injury the JXCore package encryption system was cracked last week in a few hours so back to obfuscation...

So I created the complete solution, that handles file merging, uglifying. You have the option of leaving out specified files/folders as well from merging. These files are then copied to the new output location of the merged file and references to them are rewritten auto.

NPMjs link of node-uglifier

Github repo of of node-uglifier

PS: I would be glad if people would contribute to make it even better. This is a war between thieves and hard working coders like yourself. Lets join our forces, increase the pain of reverse engineering!

I had the same need - for which I created node-optimize and grunt-node-optimize.

https://www.npmjs.com/package/grunt-node-optimize

This isn't supported natively by uglifyjs2.

Consider using webpack to package up your entire app into a single minified .js file, excluding node_modules: http://jlongster.com/Backend-Apps-with-Webpack--Part-I

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!