buffer: fix `atob` input validation

Fixes: https://github.com/nodejs/node/issues/42530

PR-URL: https://github.com/nodejs/node/pull/42539
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Mestery <mestery@protonmail.com>
Reviewed-By: Akhil Marsonya <akhil.marsonya27@gmail.com>

1 files changed, 23 insertions, 3 deletions

diff --git a/lib/buffer.js b/lib/buffer.js
index 8e29ac1822a..773d56572aa 100644
--- a/lib/buffer.js
+++ b/lib/buffer.js
@@ -23,8 +23,10 @@
 
 const {
   Array,
+  ArrayFrom,
   ArrayIsArray,
   ArrayPrototypeForEach,
+  ArrayPrototypeIncludes,
   MathFloor,
   MathMin,
   MathTrunc,
@@ -1230,8 +1232,25 @@ function btoa(input) {
   return buf.toString('base64');
 }
 
-const kBase64Digits =
-  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
+// Refs: https://infra.spec.whatwg.org/#forgiving-base64-decode
+const kForgivingBase64AllowedChars = [
+  // ASCII whitespace
+  // Refs: https://infra.spec.whatwg.org/#ascii-whitespace
+  0x09, 0x0A, 0x0C, 0x0D, 0x20,
+
+  // Uppercase letters
+  ...ArrayFrom({ length: 26 }, (_, i) => StringPrototypeCharCodeAt('A') + i),
+
+  // Lowercase letters
+  ...ArrayFrom({ length: 26 }, (_, i) => StringPrototypeCharCodeAt('a') + i),
+
+  // Decimal digits
+  ...ArrayFrom({ length: 10 }, (_, i) => StringPrototypeCharCodeAt('0') + i),
+
+  0x2B, // +
+  0x2F, // /
+  0x3D, // =
+];
 
 function atob(input) {
   // The implementation here has not been performance optimized in any way and
@@ -1242,7 +1261,8 @@ function atob(input) {
   }
   input = `${input}`;
   for (let n = 0; n < input.length; n++) {
-    if (!kBase64Digits.includes(input[n]))
+    if (!ArrayPrototypeIncludes(kForgivingBase64AllowedChars,
+                                StringPrototypeCharCodeAt(input, n)))
       throw lazyDOMException('Invalid character', 'InvalidCharacterError');
   }
   return Buffer.from(input, 'base64').toString('latin1');