I'm designing a game and have a somewhat unique problem.
To play the game, players each write a simple javascript program that continually makes a request of my backend for the game state and then decides what to do and posts their move (also to my backend).
I want to store the user scripts on my end though, so I've given them the option to upload their scripts with the standard HTML5 input type="file". Then I use FileReader to read in the raw binary, and associate that binary input as a "bot" for the user in Mongo. (My backend is written in Go)
Docs for FileReader:
https://developer.mozilla.org/en-US/docs/Web/API/FileReader
So far, I've found a resource for converting the binary back to ascii:
Converting Binary to text using javascript
I found a javascript interpreter that I can allegedly execute javascript from:
https://github.com/jterrace/js.js
In this situation, is there a better way to run the uploaded code, perhaps as an executable? Is a javascript sandbox solution like JSJS overkill?
It should always be a good idea to sandbox any user submitted code, regardless if it's executed on the client or server.
Related
There is an excellent tutorial on how to build a Ajax/PHP file upload including a progress handler provided at http://www.developphp.com/video/JavaScript/File-Upload-Progress-Bar-Meter-Tutorial-Ajax-PHP.
The receiver of the transmission (file_upload_parser.php) is implemented in php. However I need to replicate its functionality in Python, which turned out to be significantly more complicated than doing a simple translation.
The main problem seems to be to recreate php's global $_FILES-array (http://php.net/manual/de/reserved.variables.files.php) in Python, probably in the shape of a dictionary. I did not succeed using Pythons cgi.FieldStorage(), neither using the json module. Further, I had trouble keeping the connection established to listen for subsequent posts that might arrive (run_forever and the socket-approach suggested at Connect JS client with Python server turned out to not serve this purpose). There is plenty of documentation on how clients can write the file to the server using post. However I struggled to find information on how accomplish the read, that should occur on the receiving end of the transmission. At least not in a way that I could be implemented to yield the "file_upload_parser.php" functionality, which is key.
I want to develop a game in NodeJS but i'm not sure how much 'easily' hackable it is. For example if i write my game rules in PHP modifing them will need the hacker to actually get access to the server, instead if my rules where in javascript anyone could easily rewrite the rules as they want.
More over if the game would involve people discovering rules as they play how could i prevent those rules to be there for anyone just by looking at the code.
The actual code of your Node.js app will remain unexposed. Ideally, your client (whatever you're doing on the browser side of things, whether this is rendering html elements or using html5 canvas) will only handle I/O and update your server, while your server will take care of all logic.
You can still use javascript client side, but keep in mind that your fear is legitimate concerning client side javascript. This is why it is common practice to separate input/output code (which happens in javascript on the client) from game logic code that happens on the server. So the worst thing someone would be able to do is to send a message to your server saying they are pressing every key at once, and you can filter for things like this.
Developing in nodejs means javascript on server. Javascript code on server which your players will not be able to see unless you open-source your game. This code won't be exposed to your players.
I have JavaScript scripts in my application containing JavaScript and jQuery functions.
All user interaction with my application is dynamic and it's passing to the application through jQuery.
What I realized is, when I run my application, on the client side, the client can see my all source code by viewing page source (Ctrl + U).
How can I hide or do something so that user can't understand or read the source?
I want to do something like what Facebook does. By viewing Facebook source user can't reuse its source code or even understand it.
I googled and found that this process is called obfuscation, but this doesn't work for me.
I tried this:
http://www.javascriptobfuscator.com/default.aspx
and
http://dean.edwards.name/packer/
and
http://www.daftlogic.com/projects-online-javascript-obfuscator.htm
even i tried
http://www.jasob.com/
But it's of no use for me.
If someone really cares about your code he will take the workload of un-minifying (replacing random with useful variable/function names). Anything else such as "encrypting" or packing is just snake oil since it can be reverted extremely easy. So save yourself some work and rather spend it on making your application better.
So: The only thing you should do on a production system is minifying your JS code. This makes it smaller and thus faster to load - so it is an actually advantage. Besides that, it will make it less readable to people who are just curious for a quick look but don't want to spend time on it.
The facebook JS files for example are just minified by the way - most likely just for bandwidth/performance reasons.
The easiest way to minify your JavaScript is using Google's web service for it: http://closure-compiler.appspot.com/home
Note that it has an 1MB limit so if your JS is that huge, you might need to download the Java-based minifier to run it locally.
Everything ThiefMaster says is true. It's also worth noting that your apps should be designed with the assumption users can see and manipulate everything on the client. If you're worried about obfuscation because you think it will prevent users from seeing sensitive data or manipulating information such as prices, then you need to redesign your application so that secure logic resides on the server.
As I need to minify my javascript source code, I'm looking for a javascript program whose minify itself any javascript code.
Why a javascript minifier ?
Because, i'm writing some randomized javascript code from the web server to the client.
I should use "node.js" on the web server to execute a javascript program which generates a javascript code and minifying it on the fly and send it to the client.
This javascript program is a : encryption and decryption program. The javascript code result for the client should contains a javascript function which decrypt each portion of a json or hexadecimal version of an encrypted data. The function executes some plus, minus and multiplications of integers. Sometimes, I can generate a condition (if,then and else) to compute two different operations.
This function is used to decrypt two or more parameters inputs.
That's the randomized function : each time the client requests some private data, the web server generates two different javascript functions : one for encryption and one another for decryption. The decryption function is sent to the client. The encryption function is used by the web server to encrypt and send private data to the client. It's make a sense for obfuscation : each time the process is running, each time the sending function is totally different.
And, to convince the encryption/decryption is very secured, I add for the client, a tabular values conversion of two or more parameters ; but, the tabular values are generated, in fact, by a function written for the web server only and contains some numeric constants, which are NEVER send to the client. Thus, any one whose want to decrypt must have the constants value.
I'm explained that process because :
you are taken some things about obfuscation in javascript source code; but, obfuscation in javascript is not yet implemented by web server and browsers...maybe, it could happen...but, what kind of solutions is useful with the help of "SSL-ize" all transmission over the internet.
It's possible to crypt and decrypt with encryption/decryption functions which can be readable. And, without the cost of SSL certificates. Even, "a man in the middle" would decrypt the encrypted data ; for that, he just has to execute the javascript function. Ok..but imagine that the javascript decryption function is also encypted...then, the "man in the middle" has to execute the decryption function and then decrypt again the decrypted content which are javascript function to decrypt the encrypted data.
And, imagine if the web server asks a question to the client and the unique answer is handled by the client's result computation (whose not sent through Internet) ... it's impossible to "the man in the middle" to have the answer.
Check out my idea; i'm waiting for comments from any one.
the same problem haunting me a month ago is still haunting me now. i know ive asked several questions regarding this on this site and i am truly sorry for that. your suggestions have all been excellent but the answer is still elusive. i now realize that this is a direct result of me not being able to phrase my question properly and for that i am sorry.
to give you guys a generalized view of things, here i go: the situation is like this, i have 2 server side scripts that i want to run.
a python program/script that continuously spouts some numbers
based on the output from that python script, a javascript script will perform some action on a webpage (e.g., change background color, display alert message, change some text)
ive studied the replies to my previous posts and have found that what i want to accomplish is more or less accomplished by json. it is my understanding that json transforms 'program-specific' variables into a format that is more 'standard or general or global'.
two different programs therefore now have the means to 'talk' with each other because they are now speaking the same 'language'.
the problem is then this, how do i actually facilitate their communication? what is the 'cellphone' between these server side scripts? do they even need one?
thank you!
If I understand what you're asking, the "cellphone" is TCP/IP. The javascript is not server-side; it runs on the client side, and alters what the client's browser displays based on json data that it downloads from the server -- data that in this case is generated by Python.
This question provides a relevant example, though it's a bit technical: JSON datetime between Python and JavaScript
Here's a very basic tutorial that explains how to create a dynamic webpage using python and javascript. It doesn't appear to use json, but it should familiarize you with the fundamentals. Once you understand what's there, using json to transport more complicated data should be fairly straightforward.
http://kooneiform.wordpress.com/2010/02/28/python-and-ajax-for-beginners-with-webpy-and-jquery/
I assume you mean: Python is on the web server, and Javascript is running in the client's web browser.
Because browsers are all different (IE6 is terrible, Chrome is great), there are a huge number of ways people found to "hack" this "cellphone" into place. These techniques are called AJAX and COMET techniques. There is no one "cellphone", but a whole bunch of them! Hopefully, you can find a library to select the right technique for the browser, and you just have to worry about the messages.
Comet is harder to do, but lets the server "push" messages to the client.
Ajax can be easier - you just periodically "pull" messages from the server.
Start with Ajax, then look at comet if you really need it. Just start by have the client (javascript) make a "GET" request, to see if the number has changed.
I don't know Javascript or json, but...
if you've ever seen an Unix-like operating system, you know about pipes. Like program1 | program2 | program3 ... Why don't you just connect Python and Javascript programs with pipes? The first one writes to stdout, and the next one reads from stdin.
This probably isn't the answer that you are looking for, and without links to your previous posts, I don't have much to go on, but nonetheless...
javascript is client side. I can interpret your question 2 different ways...
Your python script is running on your computer, and you want a script to actually alter your current browser window.
Not too sure, but writing a browser plugin may be the answer here.
Your python script is running on the server, and as a result of the script running, you want the display of your site to be changed for viewing persons.
In this case, you will could use ajax polling (or similar) on your site. Have your site be polling the server with ajax, call a server method that checks the output of the script (maybe written to a file?), and see if it has changed.
When 2 process need to communicate, they need to decide of a common/shared way to express things and a protocol to exchange those things.
In your case, since one of the processes is a browser, the protocol of choice is http. So the browser needs to do an http request or regular http request to your python process.
This python process Will need in Some way or another to be exposed via http.
There are several ways to build a web server in python. You should read this article : http://fragments.turtlemeat.com/pythonwebserver.php as a jumpstart.
Once you have this, your browser Will be able to issue HTTP GET requests to your server and your server can reply with a string.
This string can be whatever you like. Nevertheless if your answer contains structured data it can be a good start to use the XML notation or the json notation.
Json (stands for Javascript object notation) is very easy to use in javascript and this is why many people advised you to choose this notation.
I hope this will help you
Jérome wagner
If this were possible to do prior to posting a form, it may save me having to upload the file to my server...
To do that you would have to load the file's binary information into JavaScript. Which is not possible.
But here's an implementation of SHA1 in JavaScript.
Actually you can read the contents of a client-side file now, as long as it's chosen in a file upload field and you are using Firefox. See the input.files array. You can then indeed hash it, although it might be rather slow.
See How would I get a Hash value of a users file with Javascript or Flash? for an example and a compact SHA-1 implementation.
It is possible to use SHA1, though performance isn't going to be the best...
For anything over a few hundred KB's you will have to run some benchmarks and determine if indeed its a viable solution.
See this link for a good implementation (passpack and quite a few OS projects use it)
Edit:
As other have already replied, actually getting the file contents may be a whole different matter - so unless you use something like Google Gears or Adobe AIR it should be virtually impossible.
One can read their local file using the HTML5 File interface: https://developer.mozilla.org/en-US/docs/Web/API/File
And then you can use a library for like Crypto.js https://code.google.com/p/crypto-js/ to finish the hash over the read text.
No, you can't access a file from a local computer using JavaScript .
You're going to have to upload it first to the server, then checking the checksum of the file.
Not natively, no, and this is a bad idea anyway. Every byte in the file will have to be loaded into memory by Javascript, and you'd need a way to get it there.
If you must do this and you've got a way to put the file's binary information into your script, then there's plenty of third-party scripts you can use. Here's one, for example.
You could do this with a Java applet. I've never used any of them, but there are quite a few Java upload applets out there. The hash algorithm itself is available with Java and can be accessed through java.security.MessageDigest. If the client doesn't have the Java plug-in available you could just fail back to a regular upload and hash on the server.
A side note: depending upon why you're hashing the file you'll probably want to re-hash it on the server after the upload rather than trust the client.