jsobfu 0.1.0

data/samples/basic.rb

@@ -0,0 +1,26 @@
+# change this to if you copy it from the repo:
+# require 'jsobfu'
+
+require_relative '../lib/jsobfu'
+
+source = %Q|
+  // some sample javascript code, to demonstrate usage:
+  this._send_websocket_request = function(address, callback) {
+    // create the websocket and remember when we started
+    try {
+      var socket = new WebSocket('ws://'+address);
+    } catch (sec_exception) {
+      if (callback) callback('error', sec_exception);
+      return;
+    }
+    var try_payload = function(){
+      TcpProbe.send("AAAAAAAAAAAAAAAAAAAAAAAAAA"+
+                    "AAAAAAAAAAAAAAAAAAAAAAAAAA"+
+                    "AAAAAAAAAAAAAAAAAAAAAAAAAA");
+    }
+    // wait a sec, then start the checks
+    setTimeout(this.check_socket, 200);
+  };
+|
+
+puts JSObfu.new(source).obfuscate

data/spec/integration_spec.rb

@@ -0,0 +1,35 @@
+require 'spec_helper'
+require 'execjs'
+
+# add environment variable flag for long integration tests
+unless ENV['INTEGRATION'] == 'false'
+
+describe 'Integrations' do
+  Dir.glob(Pathname.new(__FILE__).dirname.join('integration/**.js').to_s).each do |path|
+    js = File.read(path)
+
+    if js =~ /\/\/@wip/
+      puts "Skipping @wip test #{File.basename path}\n"
+      next
+    end
+
+    num = 10
+
+    if js =~ /\/\/@times (\d+)/
+      num = $1.to_i
+    end
+
+    # ensure there is a global object to reference.
+    js = "window=this; #{js}"
+
+    num.times do
+      it "#{File.basename(path)} should evaluate to the same value before and after obfuscation" do
+        ob_js = JSObfu.new(js).obfuscate.to_s
+        expect(ob_js).to evaluate_to js
+      end
+    end
+
+  end
+end
+
+end

data/spec/jsobfu/hoister_spec.rb

@@ -0,0 +1,68 @@
+require 'spec_helper'
+
+describe JSObfu::Hoister do
+  let(:code)        { '' }
+  let(:ast)         { RKelly::Parser.new.parse(code) }
+  subject(:hoister) { described_class.new }
+
+  describe "#scope" do
+
+    context 'when given Javascript code that declares var i' do
+      let(:code) { "var i = 3;" }
+
+      it 'has only the key "i" in its scope' do
+        hoister.accept(ast)
+        expect(hoister.scope.keys).to eq %w(i)
+      end
+    end
+
+    context 'when given Javascript code that declares var i, and an anonymous inner function that declares var j' do
+      let(:code) { "var i = 3; (function() { var j = 3; return j; })();" }
+
+      it 'has only the key "i" in its scope' do
+        hoister.accept(ast)
+        expect(hoister.scope.keys).to eq %w(i)
+      end
+    end
+
+    context 'when given Javascript code that declares var i, and an inner function named j' do
+      let(:code) { "var i = 3; function j() { return 0x55; }" }
+
+      it 'has the key "i" and "j" in its scope' do
+        hoister.accept(ast)
+        expect(hoister.scope.keys).to match_array %w(i j)
+      end
+
+      it 'has the key "j" in its #functions' do
+        hoister.accept(ast)
+        expect(hoister.functions).to match_array %w(j)
+      end
+    end
+
+    context 'when given Javascript code that refers to i, then later declares var i' do
+      let(:code) { "window.x = window.x || i; var i = 10;" }
+
+      it 'has the key "i" in its scope' do
+        hoister.accept(ast)
+        expect(hoister.scope.keys).to eq %w(i)
+      end
+    end
+  end
+
+  describe "#scope_declaration" do
+    context 'when scope has the keys "a", "b", and "c"' do
+      before { allow(hoister).to receive(:scope).and_return({a:1,b:2,c:3}) }
+
+      it 'returns the string "var a,b,c"' do
+        expect(hoister.scope_declaration(shuffle: false)).to eq "var a,b,c;"
+      end
+    end
+
+    context 'when the scope is empty' do
+      before { allow(hoister).to receive(:scope).and_return({}) }
+      it 'returns ""' do
+        expect(hoister.scope_declaration(shuffle: false)).to eq ""
+      end
+    end
+  end
+end

data/spec/jsobfu/scope_spec.rb

@@ -0,0 +1,201 @@
+require 'spec_helper'
+
+describe JSObfu::Scope do
+
+  subject(:scope) do
+    described_class.new
+  end
+
+  describe '#random_var_name' do
+    # the number of iterations while testing randomness
+    let(:n) { 20 }
+
+    subject(:random_var_name) { scope.random_var_name }
+
+    it { should be_a String }
+    it { should_not be_empty }
+
+    it 'is composed of _, $, alphanumeric chars' do
+      n.times { expect(scope.random_var_name).to match(/\A[a-zA-Z0-9$_]+\Z/) }
+    end
+
+    it 'does not start with a number' do
+      n.times { expect(scope.random_var_name).not_to match(/\A[0-9]/) }
+    end
+
+    context 'when a reserved word is generated' do
+      let(:reserved)  { described_class::RESERVED_KEYWORDS.first }
+      let(:random)    { 'abcdef' }
+      let(:generated) { [reserved, reserved, reserved, random] }
+
+      before do
+        allow(scope).to receive(:random_string) { generated.shift }
+      end
+
+      it { should eq random }
+    end
+
+    context 'when a non-unique random var is generated' do
+      let(:preexisting) { 'preexist' }
+      let(:random)      { 'abcdef' }
+      let(:generated)   { [preexisting, preexisting, preexisting, random] }
+
+      before do
+        allow(scope).to receive(:random_string) { generated.shift }
+        scope[preexisting] = 1
+      end
+
+      it { should eq random }
+    end
+  end
+
+  describe 'stack behavior' do
+    context 'add a var to the Scope, then call #pop!' do
+      let(:var_name) { 'a' }
+      it 'no longer contains that var' do
+        scope[var_name] = 1
+        scope.pop!
+        expect(scope).not_to have_key(var_name)
+      end
+    end
+
+    context 'add a var to the Scope, then call #push!' do
+      let(:var_name) { 'a' }
+      it 'still contains that var' do
+        scope[var_name] = 1
+        scope.push!
+        expect(scope).to have_key(var_name)
+      end
+    end
+
+    context 'add a var to the Scope, call #push!, then call #pop!' do
+      let(:var_name) { 'a' }
+      it 'still contains that var' do
+        scope[var_name] = 1
+        scope.push!
+        scope.pop!
+        expect(scope).to have_key(var_name)
+      end
+    end
+
+    context 'call #push!, add a var to the Scope, call #push!, then call #pop!' do
+      let(:var_name) { 'a' }
+      it 'still contains that var' do
+        scope.push!
+        scope[var_name] = 1
+        scope.push!
+        scope.pop!
+        expect(scope).to have_key(var_name)
+      end
+    end
+
+    context 'call #push!, add a var to the Scope, call #pop!, then call #push!' do
+      let(:var_name) { 'a' }
+      it 'no longer contains that var' do
+        scope.push!
+        scope[var_name] = 1
+        scope.pop!
+        scope.push!
+        expect(scope).not_to have_key(var_name)
+      end
+    end
+
+    context 'call #push!, add var1, call #push!, add var2, then call #pop!' do
+      let(:var1) { 'a' }
+      let(:var2) { 'b' }
+
+      before do
+        scope.push!
+        scope[var1] = 1
+        scope.push!
+        scope[var2] = 1
+        scope.pop!
+      end
+
+      it 'still contains var1' do
+        expect(scope).to have_key(var1)
+      end
+
+      it 'no longer contains var2' do
+        expect(scope).not_to have_key(var2)
+      end
+    end
+  end
+
+  describe '#rename_var' do
+    context 'when called more than once on the same var' do
+      let(:var) { 'a' }
+      let(:n) { 10 }
+      let(:first_rename) { scope.rename_var(var) }
+
+      it 'returns the same result' do
+        n.times { expect(scope.rename_var(var)).to eq first_rename }
+      end
+    end
+
+    context 'when called on different vars' do
+      let(:var1) { 'a' }
+      let(:var2) { 'b' }
+      let(:n) { 50 }
+
+      it 'returns a different result' do
+        n.times do
+          scope = described_class.new
+          expect(scope.rename_var(var1)).not_to eq scope.rename_var(var2)
+        end
+      end
+    end
+
+    context '#push!; #rename_var(a); #pop!; #rename_var(a)' do
+      let(:var) { 'a' }
+      let(:n)   { 50 }
+
+      it 're-maps the vars to (usually) different random strings' do
+        scope.push!
+        first_var = scope.rename_var(var)
+        scope.pop!
+        n.times do
+          new_var = scope.rename_var(var)
+          if new_var == first_var # this is allowed to happen occasionally since shadowing is OK.
+            next
+          else
+            expect(new_var).not_to eq first_var
+          end
+        end
+      end
+    end
+
+    context '#push!; #push!; #rename_var(a); #pop!; #rename_var(a)' do
+      let(:var) { 'a' }
+      let(:n)   { 50 }
+
+      it 're-maps the vars to (usually) different random strings' do
+        scope.push!
+        scope.push!
+        first_var = scope.rename_var(var)
+        scope.pop!
+        n.times do
+          new_var = scope.rename_var(var)
+          if new_var == first_var # this is allowed to happen occasionally since shadowing is OK.
+            next
+          else
+            expect(new_var).not_to eq first_var
+          end
+        end
+      end
+    end
+
+    context '#rename_var(a); push!; #push!; #rename_var(a);' do
+      let(:var) { 'a' }
+      let(:n)   { 50 }
+
+      it 're-maps the vars to the same random string' do
+        first_var = scope.rename_var(var)
+        scope.push!
+        scope.push!
+        expect(scope.rename_var(var)).to eq first_var
+      end
+    end
+  end
+
+end

data/spec/jsobfu/utils_spec.rb

@@ -0,0 +1,156 @@
+require 'spec_helper'
+
+describe JSObfu::Utils do
+  # the number of iterations while testing randomness
+  let(:n) { 50 }
+
+  describe '#rand_text_alphanumeric' do
+    let(:len) { 15 }
+
+    # generates a new random string on every call
+    def output; JSObfu::Utils.rand_text_alphanumeric(len); end
+
+    it 'returns strings of length 15' do
+      expect(n.times.map { output }.join.length).to be(n*len)
+    end
+
+    it 'returns strings in alpha charset' do
+      expect(n.times.map { output }.join).to be_in_charset(described_class::ALPHANUMERIC_CHARSET)
+    end
+  end
+
+  describe '#rand_text_alpha' do
+    let(:len) { 15 }
+    
+    # generates a new random string on every call
+    def output; JSObfu::Utils.rand_text_alpha(len); end
+
+    it 'returns strings of length 15' do
+      expect(n.times.map { output }.join.length).to be(n*len)
+    end
+
+    it 'returns strings in alpha charset' do
+      expect(n.times.map { output }.join).to be_in_charset(described_class::ALPHA_CHARSET)
+    end
+  end
+
+  describe '#rand_text' do    
+    let(:len) { 5 }
+    let(:charset) { described_class::ALPHA_CHARSET }
+
+    # generates a new random string on every call
+    def output; described_class.rand_text(charset, len); end
+
+    it 'returns strings of length 15' do
+      expect(n.times.map { output }.join.length).to be(n*len)
+    end
+
+    it 'returns strings in the specified charset' do
+      expect(n.times.map { output }.join).to be_in_charset(charset)
+    end
+  end
+
+  describe '#to_hex' do
+    let(:str) { '' }
+    let(:delimiter) { "\\x" }
+    subject(:hex_encoding) { described_class.to_hex(str, delimiter) }
+
+    context 'when given the string "ABC"' do
+      let(:str) { 'ABC' }
+      it { should eq "\\x41\\x42\\x43" }
+
+      context 'when the delimiter is "\\u00"' do
+        let(:delimiter) { "\\u00" }
+        it { should eq "\\u0041\\u0042\\u0043" }
+      end
+    end
+
+    context 'when given an empty string' do
+      let(:str) { '' }
+      it { should eq '' }
+    end
+  end
+
+  describe '#random_var_encoding' do
+    let(:var_name) { 'ABCD' }
+    let(:initial_value) { 123 }
+    let(:preamble) { "var #{var_name} = #{initial_value}"}
+
+    def encoded_var; described_class.random_var_encoding(var_name); end
+
+    context 'when called multiple times on the same var' do
+      it 'should evaluate to the same initial value' do
+        10.times do
+          js = "(function(){ #{preamble}; return #{encoded_var}; })()"
+          expect(ExecJS.eval(js)).to eq initial_value
+        end
+      end
+    end
+  end
+
+  describe '#safe_split' do
+    let(:js_string) { "\\x66\\x67"*600 }
+    let(:quote)     { '"' }
+    let(:opts)      { { :quote => quote } }
+    let(:parts) { 50.times.map { described_class.safe_split(js_string.dup, opts) } }
+
+    describe 'quoting' do
+      context 'when given a double-quote' do
+        let(:quote) { '"' }
+        it 'surrounds all the split strings with the same quote' do
+          expect(parts.flatten.all? { |part| part.start_with?(quote) }).to be true
+        end
+      end
+
+      context 'when given a single-quote' do
+        let(:quote) { "'" }
+        it 'surrounds all the split strings with the same quote' do
+          expect(parts.flatten.all? { |part| part.start_with?(quote) }).to be true
+        end
+      end
+    end
+
+    describe 'splitting' do
+      context 'when given a hex-escaped series of bytes' do
+        let(:js_string) { "\\x66\\x67"*600 }
+
+        it 'never splits in the middle of a hex escape' do
+          expect(parts.flatten.all? { |part| part.start_with?('"\\') }).to be true
+        end
+      end
+
+      context 'when given a unicode-escaped series of bytes' do
+        let(:js_string) { "\\u0066\\u0067"*600 }
+
+        it 'never splits in the middle of a unicode escape' do
+          expect(parts.flatten.all? { |part| part.start_with?('"\\') }).to be true
+        end
+      end
+    end
+  end
+
+
+  # surround the string in quotes
+  def quote(str, q='"'); "#{q}#{str}#{q}" end
+
+  describe '#transform_string' do
+    context 'when given a string of length > MAX_STRING_CHUNK' do
+      let(:js_string) { quote "ABC"*described_class::MAX_STRING_CHUNK }
+
+      it 'calls itself recursively' do
+        expect(described_class).to receive(:transform_string).at_least(2).times.and_call_original
+        described_class.transform_string js_string, JSObfu::Scope.new
+      end
+    end
+
+    context 'when given a string of length < MAX_STRING_CHUNK' do
+      let(:js_string) { quote "A"*(described_class::MAX_STRING_CHUNK/2).to_i }
+
+      it 'does not call itself recursively' do
+        expect(described_class).to receive(:transform_string).once.and_call_original
+        described_class.transform_string js_string, JSObfu::Scope.new
+      end
+    end
+  end
+
+end