anti
f2b3393669
Replaces LICENSE (GPLv3 -> AGPLv3) and prepends `SPDX-License-Identifier: AGPL-3.0-or-later` to every source file across decnet/, decnet_web/, tests/, scripts/, and tools/. Rationale: closes the GPLv3 ASP loophole so any party operating a modified DECNET as a network service must offer their modified source. Personal copyright (Samuel Paschuan) + inbound=outbound contributions make a future unilateral relicense infeasible. - LICENSE: full AGPL-3.0 text (gnu.org/licenses/agpl-3.0.txt) - COPYRIGHT: project copyright notice - tools/add_spdx_headers.py: idempotent header injector (shebang- and PEP 263-aware) Touches 1565 source files (.py, .ts, .tsx, .js, .jsx, .css, .sh). No behavior change; comments only.
179 lines
7.0 KiB
Python
179 lines
7.0 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
"""Per-mint JS obfuscator wrapper.
|
|
|
|
Thin Python wrapper around the ``javascript-obfuscator`` Node package.
|
|
Used by the fingerprint generators / instrumenters to produce a unique,
|
|
hard-to-statically-analyse JS blob per canary mint.
|
|
|
|
Two design choices flow from the canary contract in :mod:`base`:
|
|
|
|
* **Determinism.** Generators must return byte-identical artifacts for
|
|
the same ``(callback_token, http_base, dns_zone, persona)``. We
|
|
derive a numeric seed from the callback token and pass it to the
|
|
obfuscator's own ``seed`` option, and we derive the polymorphic
|
|
config bits from the same hash so a re-mint reproduces exactly.
|
|
* **Per-mint uniqueness.** Two different callback tokens produce
|
|
structurally different output: different identifier names, different
|
|
string-array rotation, optionally different transforms enabled.
|
|
|
|
The Node helper at ``_obfuscate_helper.js`` is invoked via subprocess.
|
|
We pass code+options as JSON on stdin and read the obfuscated result
|
|
from stdout. Stderr surfaces obfuscator failures.
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
import hashlib
|
|
import hmac
|
|
import json
|
|
import os
|
|
import subprocess # nosec B404 — Node helper exec is the whole point
|
|
from pathlib import Path
|
|
from typing import Any
|
|
|
|
_HELPER = Path(__file__).parent / "_obfuscate_helper.js"
|
|
_PAYLOAD = Path(__file__).parent / "fingerprint_payload.js"
|
|
|
|
# Node binary path. Honor DECNET_NODE_BIN so deployments can pin a
|
|
# specific runtime; default to PATH lookup.
|
|
_NODE_BIN = os.environ.get("DECNET_NODE_BIN", "node")
|
|
|
|
# Hard timeout for the obfuscator subprocess. Real runs on the
|
|
# fingerprint payload sit well under 5s on a dev box.
|
|
_TIMEOUT_S = 30
|
|
|
|
|
|
class ObfuscatorError(RuntimeError):
|
|
"""Raised when the Node helper fails or returns empty output."""
|
|
|
|
|
|
class FingerprintSecretMissing(RuntimeError):
|
|
"""Raised when ``DECNET_CANARY_FINGERPRINT_SECRET`` is unset.
|
|
|
|
Fingerprint canaries embed a per-mint nonce derived from this
|
|
server-side secret; without it the worker cannot validate incoming
|
|
fingerprint beacons, so we fail loud at mint time rather than ship
|
|
a defeatable canary.
|
|
"""
|
|
|
|
|
|
_FINGERPRINT_SECRET_ENV = "DECNET_CANARY_FINGERPRINT_SECRET" # nosec B105 — this is an env var name, not a hardcoded password
|
|
|
|
|
|
def nonce_for(callback_token: str, mint_uuid: str) -> str:
|
|
"""Compute the per-mint fingerprint nonce.
|
|
|
|
HMAC-SHA256 keyed on the server-side master secret, message is
|
|
``callback_token + "|" + mint_uuid``. Truncated to 16 hex chars
|
|
(~64 bits of entropy) — enough to defeat slug-only forgery while
|
|
fitting comfortably into a query string.
|
|
"""
|
|
secret = os.environ.get(_FINGERPRINT_SECRET_ENV, "")
|
|
if not secret:
|
|
raise FingerprintSecretMissing(
|
|
f"{_FINGERPRINT_SECRET_ENV} is unset; fingerprint canaries cannot mint"
|
|
)
|
|
msg = f"{callback_token}|{mint_uuid}".encode("utf-8")
|
|
return hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()[:16]
|
|
|
|
|
|
def _seed_from_token(callback_token: str) -> int:
|
|
"""Derive a 31-bit numeric seed from the callback token.
|
|
|
|
``javascript-obfuscator`` expects ``seed: number`` (int32-ish);
|
|
using a SHA-256-derived prefix gives us a uniform distribution
|
|
across the 31-bit positive range.
|
|
"""
|
|
h = hashlib.sha256(callback_token.encode("utf-8")).digest()
|
|
return int.from_bytes(h[:4], "big") & 0x7FFFFFFF
|
|
|
|
|
|
def _config_from_seed(seed: int) -> dict[str, Any]:
|
|
"""Build a deterministic, per-mint obfuscator config.
|
|
|
|
The hash bits drive *which* transforms apply — two mints get
|
|
structurally different outputs, not just different identifier names.
|
|
Defaults stay aggressive enough that reverse engineering is real
|
|
work; we never disable string-array or rename, only vary the dial.
|
|
"""
|
|
bits = seed
|
|
encodings = ("base64", "rc4")
|
|
string_array_encoding = [encodings[bits & 1]]
|
|
control_flow_threshold = 0.5 + ((bits >> 1) & 0xFF) / 512.0 # 0.5 .. ~1.0
|
|
dead_code_threshold = 0.2 + ((bits >> 9) & 0xFF) / 512.0 # 0.2 .. ~0.7
|
|
transform_object_keys = bool((bits >> 17) & 1)
|
|
numbers_to_expressions = bool((bits >> 18) & 1)
|
|
simplify = bool((bits >> 19) & 1)
|
|
return {
|
|
"compact": True,
|
|
"seed": seed,
|
|
"controlFlowFlattening": True,
|
|
"controlFlowFlatteningThreshold": round(control_flow_threshold, 3),
|
|
"deadCodeInjection": True,
|
|
"deadCodeInjectionThreshold": round(dead_code_threshold, 3),
|
|
"stringArray": True,
|
|
"stringArrayEncoding": string_array_encoding,
|
|
"stringArrayThreshold": 1,
|
|
"stringArrayRotate": True,
|
|
"stringArrayShuffle": True,
|
|
"splitStrings": True,
|
|
"splitStringsChunkLength": 4 + (bits & 7),
|
|
"transformObjectKeys": transform_object_keys,
|
|
"numbersToExpressions": numbers_to_expressions,
|
|
"simplify": simplify,
|
|
"selfDefending": False, # breaks SVG embed; not worth the cost
|
|
"renameGlobals": False,
|
|
"identifierNamesGenerator": "mangled-shuffled",
|
|
}
|
|
|
|
|
|
def obfuscate(code: str, *, callback_token: str) -> str:
|
|
"""Obfuscate *code* deterministically per *callback_token*.
|
|
|
|
Raises :class:`ObfuscatorError` if Node fails or returns empty.
|
|
"""
|
|
seed = _seed_from_token(callback_token)
|
|
options = _config_from_seed(seed)
|
|
payload = json.dumps({"code": code, "options": options})
|
|
try:
|
|
proc = subprocess.run( # nosec B603 — argv-form, no shell, fixed helper path; payload is JSON on stdin, not in argv
|
|
[_NODE_BIN, str(_HELPER)],
|
|
input=payload, capture_output=True, text=True,
|
|
timeout=_TIMEOUT_S, check=False,
|
|
)
|
|
except FileNotFoundError as e:
|
|
raise ObfuscatorError(f"node binary not found: {_NODE_BIN!r}") from e
|
|
except subprocess.TimeoutExpired as e:
|
|
raise ObfuscatorError("javascript-obfuscator timed out") from e
|
|
if proc.returncode != 0:
|
|
raise ObfuscatorError(
|
|
f"javascript-obfuscator failed rc={proc.returncode} "
|
|
f"stderr={proc.stderr.strip()[:400]}"
|
|
)
|
|
out = proc.stdout
|
|
if not out.strip():
|
|
raise ObfuscatorError("javascript-obfuscator returned empty output")
|
|
return out
|
|
|
|
|
|
def render_fingerprint_js(
|
|
*, callback_token: str, http_base: str, mint_uuid: str, nonce: str,
|
|
) -> str:
|
|
"""Build the obfuscated fingerprint JS for a single mint.
|
|
|
|
Substitutes ``{{BEACON_URL}}``, ``{{MINT_UUID}}``, and
|
|
``{{MINT_NONCE}}`` in the payload template, then runs it through
|
|
:func:`obfuscate` with a seed derived from the callback token.
|
|
The nonce is appended as ``&k=`` on every beacon URL the JS emits;
|
|
the worker rejects fingerprint payloads whose ``?k=`` doesn't match
|
|
the row's :attr:`CanaryToken.fingerprint_nonce`.
|
|
"""
|
|
template = _PAYLOAD.read_text(encoding="utf-8")
|
|
beacon = f"{http_base.rstrip('/')}/c/{callback_token}"
|
|
src = (
|
|
template
|
|
.replace("{{BEACON_URL}}", beacon)
|
|
.replace("{{MINT_UUID}}", mint_uuid)
|
|
.replace("{{MINT_NONCE}}", nonce)
|
|
)
|
|
return obfuscate(src, callback_token=callback_token)
|