buffer: fix `atob` input validation

This commit fixes a few inconsistencies between Node.js `atob`
implementation and the WHATWG spec.

Refs: https://infra.spec.whatwg.org/#forgiving-base64-decode
Fixes: https://github.com/nodejs/node/issues/42646
PR-URL: https://github.com/nodejs/node/pull/42662
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Akhil Marsonya <akhil.marsonya27@gmail.com>

1 files changed, 22 insertions, 3 deletions

diff --git a/lib/buffer.js b/lib/buffer.js
index 874b9b55959..cb29d93f35e 100644
--- a/lib/buffer.js
+++ b/lib/buffer.js
@@ -26,7 +26,7 @@ const {
   ArrayFrom,
   ArrayIsArray,
   ArrayPrototypeForEach,
-  ArrayPrototypeIncludes,
+  ArrayPrototypeIndexOf,
   MathFloor,
   MathMin,
   MathTrunc,
@@ -1265,12 +1265,31 @@ function atob(input) {
   if (arguments.length === 0) {
     throw new ERR_MISSING_ARGS('input');
   }
+
   input = `${input}`;
+  let nonAsciiWhitespaceCharCount = 0;
+
   for (let n = 0; n < input.length; n++) {
-    if (!ArrayPrototypeIncludes(kForgivingBase64AllowedChars,
-                                StringPrototypeCharCodeAt(input, n)))
+    const index = ArrayPrototypeIndexOf(
+      kForgivingBase64AllowedChars,
+      StringPrototypeCharCodeAt(input, n));
+
+    if (index > 4) {
+      // The first 5 elements of `kForgivingBase64AllowedChars` are
+      // ASCII whitespace char codes.
+      nonAsciiWhitespaceCharCount++;
+    } else if (index === -1) {
       throw lazyDOMException('Invalid character', 'InvalidCharacterError');
+    }
   }
+
+  // See #3 - https://infra.spec.whatwg.org/#forgiving-base64
+  if (nonAsciiWhitespaceCharCount % 4 === 1) {
+    throw lazyDOMException(
+      'The string to be decoded is not correctly encoded.',
+      'InvalidCharacterError');
+  }
+
   return Buffer.from(input, 'base64').toString('latin1');
 }