worker: restrict supported extensions

Only allow `.js` and `.mjs` extensions to provide future-proofing for file type detection. Refs: ayojs/ayo#117 Reviewed-By: Stephen Belanger <admin@stephenbelanger.com> Reviewed-By: Olivia Hugger <olivia@fastmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> PR-URL: #20876 Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Shingo Inoue <leko.noor@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com> Reviewed-By: John-David Dalton <john.david.dalton@gmail.com> Reviewed-By: Gus Caplan <me@gus.host>
nodejs · Jun 13, 2018 · c97fb91 · c97fb91
1 parent 93ce63c
commit c97fb91
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 3 deletions.
diff --git a/lib/internal/errors.js b/lib/internal/errors.js
@@ -856,4 +856,7 @@ E('ERR_WORKER_NEED_ABSOLUTE_PATH',
   TypeError);
 E('ERR_WORKER_UNSERIALIZABLE_ERROR',
   'Serializing an uncaught exception failed', Error);
+E('ERR_WORKER_UNSUPPORTED_EXTENSION',
+  'The worker script extension must be ".js" or ".mjs". Received "%s"',
+  TypeError);
 E('ERR_ZLIB_INITIALIZATION_FAILED', 'Initialization failed', Error);
diff --git a/lib/internal/worker.js b/lib/internal/worker.js
@@ -8,7 +8,8 @@ const util = require('util');
 const {
   ERR_INVALID_ARG_TYPE,
   ERR_WORKER_NEED_ABSOLUTE_PATH,
-  ERR_WORKER_UNSERIALIZABLE_ERROR
+  ERR_WORKER_UNSERIALIZABLE_ERROR,
+  ERR_WORKER_UNSUPPORTED_EXTENSION,
 } = require('internal/errors').codes;
 
 const { internalBinding } = require('internal/bootstrap/loaders');
@@ -136,8 +137,14 @@ class Worker extends EventEmitter {
       throw new ERR_INVALID_ARG_TYPE('filename', 'string', filename);
     }
 
-    if (!options.eval && !path.isAbsolute(filename)) {
-      throw new ERR_WORKER_NEED_ABSOLUTE_PATH(filename);
+    if (!options.eval) {
+      if (!path.isAbsolute(filename)) {
+        throw new ERR_WORKER_NEED_ABSOLUTE_PATH(filename);
+      }
+      const ext = path.extname(filename);
+      if (ext !== '.js' && ext !== '.mjs') {
+        throw new ERR_WORKER_UNSUPPORTED_EXTENSION(ext);
+      }
     }
 
     // Set up the C++ handle for the worker, as well as some internal wiring.

diff --git a/test/parallel/test-worker-unsupported-path.js b/test/parallel/test-worker-unsupported-path.js
@@ -0,0 +1,27 @@
+// Flags: --experimental-worker
+'use strict';
+
+const common = require('../common');
+const assert = require('assert');
+const { Worker } = require('worker');
+
+{
+  const expectedErr = common.expectsError({
+    code: 'ERR_WORKER_NEED_ABSOLUTE_PATH',
+    type: TypeError
+  }, 4);
+  assert.throws(() => { new Worker('a.js'); }, expectedErr);
+  assert.throws(() => { new Worker('b'); }, expectedErr);
+  assert.throws(() => { new Worker('c/d.js'); }, expectedErr);
+  assert.throws(() => { new Worker('a.mjs'); }, expectedErr);
+}
+
+{
+  const expectedErr = common.expectsError({
+    code: 'ERR_WORKER_UNSUPPORTED_EXTENSION',
+    type: TypeError
+  }, 3);
+  assert.throws(() => { new Worker('/b'); }, expectedErr);
+  assert.throws(() => { new Worker('/c.wasm'); }, expectedErr);
+  assert.throws(() => { new Worker('/d.txt'); }, expectedErr);
+}