In software development, obfuscation is the deliberate act of creating source or machine code that is difficult for humans to understand. Like obfuscation in natural language, it may use needlessly roundabout expressions to compose statements.
Why obfuscate code?
When we deploy our code with Docker in a client environment, the client can attach to or exec into the container and retrieve the source code. This needs to be hidden/encrypted.
Most of the web apps are written in JavaScript, so we obfuscate the main server code to prevent access to the source code.
How to obfuscate code?
1) There is an npm package for obfuscating JavaScript code. The name of the package is javascript-obfuscator.
2) Obfuscation can be run on a folder directly, meaning all the JavaScript files in the folder will be obfuscated.
Example: javascript-obfuscator [folder name]
3) Although this works perfectly for obfuscating the files, the original files are not replaced.
A copy of each file with the obfuscated code is made.
It will be named [filename]-obfuscated.js
4) The original file needs to be deleted and replaced with the file containing the obfuscated code.
5) Also, keep in mind that the obfuscated file will later need to be renamed to the original filename, as other files may reference it.
The Working of the Actual Script
The next step is to write a shell script that performs these steps.
1) Obfuscate the code in the current folder with:
javascript-obfuscator .
2) Since every obfuscated file has "obfuscated" in its filename, we can find the obfuscated files with the .js extension and rename them, removing the .js extension from the filename.
find . -name "*obfuscated*" -exec rename 's/obfuscated\.js$/obfuscated/' {} ";"
3) Now we have to delete all the files with the .js extension from the folder, since these are the plain source files. We can do this with:
find . -name "*.js" -type f -delete
4) Since all the plain JS files have been deleted, we can rename the obfuscated files back to the .js extension, so that they carry the names other files may reference:
find . -name "*obfuscated*" -exec rename -v 's/obfuscated$/.js/' {} ";"
5) The extra character "-" left in front of the extension can be removed by using:
find . -name "*-.js" -exec rename -v 's/-\.js$/.js/' {} ";"
Illustration of code obfuscation with an example
1) Consider you have a folder named server and it has two files named a.js and b.js.
2) After running the command 'javascript-obfuscator .' in the server folder, the files will be a.js, b.js, a-obfuscated.js and b-obfuscated.js.
3) After running
find . -name "*obfuscated*" -exec rename 's/obfuscated\.js$/obfuscated/' {} ";"
the server folder will have a.js, b.js, a-obfuscated and b-obfuscated (the command removes the .js extension from the obfuscated files).
4) To delete all the files with the .js extension, use
find . -name "*.js" -type f -delete
Now the server folder will have a-obfuscated and b-obfuscated.
5) After running
find . -name "*obfuscated*" -exec rename -v 's/obfuscated$/.js/' {} ";"
the server folder will have a-.js and b-.js (the command renames all obfuscated files so that they end in the .js extension again).
6) Finally, run
find . -name "*-.js" -exec rename -v 's/-\.js$/.js/' {} ";"
This command deletes the extra "-" from each filename, and the server folder will have a.js and b.js.
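The find commands above recurse into every subdirectory, so the delete step also removes .js files that were never obfuscated. As an added example (not from the original article), the same replacement done in one pass per file: it refuses to run if any source file has no obfuscated copy, and it leaves node_modules alone. The function names and the sample tree are constructed for illustration, and skipping node_modules is an assumption about what should ship unchanged.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# List plain .js files (outside node_modules) with no NAME-obfuscated.js twin.
missing_obfuscated() {
    find "$1" -name node_modules -prune -o -type f -name '*.js' \
        ! -name '*-obfuscated.js' -exec sh -c '
            for src do
                [ -f "${src%.js}-obfuscated.js" ] || printf "%s\n" "$src"
            done' sh {} +
}

# Move every NAME-obfuscated.js over NAME.js. Nothing is changed if a source
# file has no obfuscated copy, so plain code is never left in place by accident.
replace_with_obfuscated() {
    dir=$1
    missing=$(missing_obfuscated "$dir")
    if [ -n "$missing" ]; then
        printf 'no obfuscated copy for:\n%s\n' "$missing" >&2
        return 1
    fi
    find "$dir" -name node_modules -prune -o -type f \
        -name '*-obfuscated.js' -exec sh -c '
            for obf do
                mv -f -- "$obf" "${obf%-obfuscated.js}.js" || exit 1
            done' sh {} +
}

# Constructed sample tree standing in for the obfuscator's output.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/my-app/node_modules/dep"
    echo 'plain a'    > "$root/my-app/a.js"
    echo 'obf a'      > "$root/my-app/a-obfuscated.js"
    echo 'plain util' > "$root/my-app/string-util.js"
    echo 'obf util'   > "$root/my-app/string-util-obfuscated.js"
    echo 'dependency' > "$root/my-app/node_modules/dep/index.js"
    printf '%s\n' "$root/my-app"
}

# With an argument: process that folder. Without: run on the sample tree.
if [ "$#" -gt 0 ]; then
    replace_with_obfuscated "$1"
else
    tree=$(make_sample_tree) && replace_with_obfuscated "$tree" && find "$tree" -type f
fi
```

Because each file is moved directly onto its original name, hyphens elsewhere in the path (my-app, string-util.js) are never touched.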
Conclusion
The beauty of this approach is that the code produced by javascript-obfuscator cannot be decrypted or recovered by reverse engineering.
The obfuscator produces different obfuscated code for the same file each time it is run, and the result is very hard, if not almost impossible, to break.