Thursday, March 28, 2024

Accessing Private Functions in JavaScript: Nested Functions

In the Accessing Private Functions in JavaScript article, we explored a means of gaining access to an object or method’s inner helper functions in order to be able to test them using a framework such as Jasmine. In today’s follow-up, we’re going to learn how to fetch nested functions using an iterative solution.

Revisiting the Exposed Instance Creation Code

The technique employed in the Accessing Private Functions in JavaScript article involved converting a function into an object constructor by placing the new keyword in front of the call. The function itself is also modified by injecting code for identifying and exposing private functions:

// \s is escaped as \\s so that the backslash survives inside the string literal
var funcString = "new ("
               + objectAsString.substring(0, objectAsString.length - 1)
               + ";this._privates = {};"
               + "this._initPrivates = function(pf) {"
               + "  for (var i = 0, ii = pf.length; i < ii; i++)"
               + "  {"
               + "    var fn = pf[i].replace(/(function\\s+)/, '').replace('(', '');"
               + "    try { "
               + "      this._privates[fn] = eval(fn);"
               + "    } catch (e) {"
               + "      if (e.name == 'ReferenceError') { continue; }"
               + "      else { throw e; }"
               + "    }"
               + "  }"
               + "}"
               + "\n\n})()";
 

Evaluating the modified function code would then yield something akin to the following:

new (
function test1() {
  alert('test1');
  var obj = {
    test3: 'test3',
    bla:   234
  };

  function nestedFc() {
    alert('I am nested!');
  }

;
this._privates = {};
this._initPrivates = function(pf) {
  //pf contains a list of function signatures
  for (var i = 0, ii = pf.length; i < ii; i++) {
    var fn = pf[i].replace(/(function\s+)/, '').replace('(', '');
    try {
      this._privates[fn] = eval(fn);
    } catch (e) {
      if (e.name == 'ReferenceError') { continue; }
      else { throw e; }
    }
  }
}
})()

The _initPrivates() method could then be called on the newly-created instance to return inner functions.

Two Kinds of Function Declaration

There are typically two ways of declaring a function. These include the forms:

function aFunction() {

}

AND

var aFunction = function() {

}

Other, less common ways to create functions include using the Function() constructor, as well as using factory methods that return a function. For now, we’re going to consider the latter two to be out of scope, and focus on the first, function aFunction() {}, style. The reason is that the regular expression required for var type declarations is different.

 

When an Error Is Not Really an Error

In some cases, attempting to evaluate the function name would result in an error. This could occur if the function was not a real function at all, but part of a comment, such as in the case of old code. More likely, the function is simply out of scope of the parent one because it is nested within a child function. In fact, one such function was included in the original test code: the aTest() function contains its own nested function called – appropriately enough – nestedFunction. Calling it from the Person function doesn’t succeed as only aTest() has access to it:

var Person = function() { 
    //defaults
    var _age  =  0,
        _name = 'John Doe';
     
    var socialSecurity = '444 555 666';
    var bloodType      = 'O negative'
    //this is a global variable
    hatSize            = 'medium';
    var noValue;
     
    var aTest = function() {
      var nestedVar = 'nestedVar';
      var nestedFunction = function() {
        return 'nestedFunction';
      };
   //...
};     

The Iterative Solution

Since we already have all the code we need to ferret out inner functions, it stands to reason that we can exploit it to delve into each function in turn. All that’s required is to include a variable to track the previous function name (lastFn), and a call to the Reflection.createExposedInstance() method, passing in the previous nested function. createExposedInstance() returns an instantiated instance of the function which includes the _initPrivates() method, as well as the _privates function holder. The latter can be iterated over to retrieve the nested functions:

// lastFn remembers the last function that resolved, so that an out-of-scope
// name can be looked up inside it; \s is escaped as \\s for the string literal
var funcString = "new (\n"
               + objectAsString.substring(0, objectAsString.length - 1) + '\n'
               + ";\n"
               + "this._privates = {};\n"
               + "this._initPrivates = function(pf) {\n"
               + "  for (var i = 0, ii = pf.length; i < ii; i++) {\n"
               + "    var lastFn, fn = pf[i].replace(/(function\\s+)/, '').replace('(', '');\n"
               + "    try {\n"
               + "      lastFn = this._privates[fn] = eval(fn);\n"
               + "    } catch (e) {\n"
               + "      if (  e.name == 'ReferenceError'\n"
               + "         || e.name == 'TypeError') {\n"
               + "        var nestedFunctions = Reflection.createExposedInstance(lastFn);\n"
               + "        for (fn in nestedFunctions._privates) { this._privates[fn] = nestedFunctions._privates[fn]; }\n"
               + "      }\n"
               + "      else { throw e; }\n"
               + "    }\n"
               + "  }\n"
               + "}\n"
               + "})()";

Note that the TypeError has been included in the if test because scope problems don’t always come up consistently as ReferenceErrors, depending on the browser used. For instance, Internet Explorer 8 reports them as TypeErrors instead.

With the above modifications, the instance returned by the Reflection.createExposedInstance() method now contains the following nested functions:

[test1, nestedFc, anothernNestedFc, test2, test3, aFunction]

As such, calling the nestedFc or anotherNestedFn functions is now simply a matter of going through the _privates collection:

alert(rob._privates['nestedFc']());  //displays "nestedFc"
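The iterative lookup as a self-contained sketch that runs in Node or a browser console. This is an added example, not the article's demo code: createExposedInstance, exposedNames and the sample function are illustrative names, and it goes slightly beyond the article by skipping the function's own name and by tolerating names that only appear in comments or functions whose top-level return makes the injected code unreachable.

```javascript
// Added example; createExposedInstance and sample are illustrative names.
function createExposedInstance(fn) {
  var src = fn.toString();
  // Every "function name(" in the source text, nested or commented out,
  // except fn's own name (resolving it would recurse into fn forever).
  var names = (src.match(/function\s+\w+\s*\(/g) || [])
    .map(function (sig) { return sig.replace(/function\s+/, '').replace(/\s*\($/, ''); })
    .filter(function (name) { return name !== fn.name; });
  var injected =
      "new (" + src.substring(0, src.length - 1) + "\n;"
    + "this._privates = {};\n"
    + "this._initPrivates = function(pf) {\n"
    + "  var lastFn;\n"
    + "  for (var i = 0; i < pf.length; i++) {\n"
    + "    try {\n"
    + "      lastFn = this._privates[pf[i]] = eval(pf[i]);\n"
    + "    } catch (e) {\n"
    + "      if (e.name != 'ReferenceError' && e.name != 'TypeError') { throw e; }\n"
    + "      if (typeof lastFn != 'function') { continue; }\n"
    + "      var nested = createExposedInstance(lastFn)._privates;\n"
    + "      for (var n in nested) { this._privates[n] = nested[n]; }\n"
    + "    }\n"
    + "  }\n"
    + "};\n"
    + "})()";
  // Direct eval executes fn's body once: test code and trusted source only.
  var instance = eval(injected);
  // A top-level return in fn makes the injected tail unreachable.
  if (typeof instance._initPrivates != 'function') { return { _privates: {} }; }
  instance._initPrivates(names);
  return instance;
}

// Constructed sample: deepest is visible only from inside middle.
function sample() {
  // function removedLongAgo() {}  (comment-only match, a false positive)
  function middle() {
    function deepest() { return 'deepest'; }
  }
  function sibling() { return 'sibling'; }
}

function exposedNames(fn) {
  return Object.keys(createExposedInstance(fn)._privates).sort();
}
```

Because the rebuilt source is passed to eval and the target is invoked with new, every function that gets exposed has its body executed once; keep the helper in the test harness and out of production bundles.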


Conclusion

To remove even more false positives, we should remove comments from the source code before running the RegEx. However, as we'll see in an upcoming article, that's a little easier said than done. We'll examine what's involved in making that work along with capturing var type function declarations at that point.

Rob Gravelle
Rob Gravelle resides in Ottawa, Canada, and has been an IT guru for over 20 years. In that time, Rob has built systems for intelligence-related organizations such as Canada Border Services and various commercial businesses. In his spare time, Rob has become an accomplished music artist with several CDs and digital releases to his credit.
