worker: restrict supported extensions

Only allow `.js` and `.mjs` extensions to provide future-proofing
for file type detection.

Refs: ayojs/ayo#117
Reviewed-By: Stephen Belanger <[email protected]>
Reviewed-By: Olivia Hugger <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>

PR-URL: #20876
Reviewed-By: Gireesh Punathil <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Shingo Inoue <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Tiancheng "Timothy" Gu <[email protected]>
Reviewed-By: John-David Dalton <[email protected]>
Reviewed-By: Gus Caplan <[email protected]>

Author: TimothyGu

lib/internal/errors.js

@@ -856,4 +856,7 @@ E('ERR_WORKER_NEED_ABSOLUTE_PATH',
   TypeError);
 E('ERR_WORKER_UNSERIALIZABLE_ERROR',
   'Serializing an uncaught exception failed', Error);
+E('ERR_WORKER_UNSUPPORTED_EXTENSION',
+  'The worker script extension must be ".js" or ".mjs". Received "%s"',
+  TypeError);
 E('ERR_ZLIB_INITIALIZATION_FAILED', 'Initialization failed', Error);

lib/internal/worker.js

@@ -8,7 +8,8 @@ const util = require('util');
 const {
   ERR_INVALID_ARG_TYPE,
   ERR_WORKER_NEED_ABSOLUTE_PATH,
-  ERR_WORKER_UNSERIALIZABLE_ERROR
+  ERR_WORKER_UNSERIALIZABLE_ERROR,
+  ERR_WORKER_UNSUPPORTED_EXTENSION,
 } = require('internal/errors').codes;
 
 const { internalBinding } = require('internal/bootstrap/loaders');
@@ -136,8 +137,14 @@ class Worker extends EventEmitter {
       throw new ERR_INVALID_ARG_TYPE('filename', 'string', filename);
     }
 
-    if (!options.eval && !path.isAbsolute(filename)) {
-      throw new ERR_WORKER_NEED_ABSOLUTE_PATH(filename);
+    if (!options.eval) {
+      if (!path.isAbsolute(filename)) {
+        throw new ERR_WORKER_NEED_ABSOLUTE_PATH(filename);
+      }
+      const ext = path.extname(filename);
+      if (ext !== '.js' && ext !== '.mjs') {
+        throw new ERR_WORKER_UNSUPPORTED_EXTENSION(ext);
+      }
     }
 
     // Set up the C++ handle for the worker, as well as some internal wiring.

test/parallel/test-worker-unsupported-path.js

@@ -0,0 +1,27 @@
+// Flags: --experimental-worker
+'use strict';
+
+const common = require('../common');
+const assert = require('assert');
+const { Worker } = require('worker');
+
+{
+  const expectedErr = common.expectsError({
+    code: 'ERR_WORKER_NEED_ABSOLUTE_PATH',
+    type: TypeError
+  }, 4);
+  assert.throws(() => { new Worker('a.js'); }, expectedErr);
+  assert.throws(() => { new Worker('b'); }, expectedErr);
+  assert.throws(() => { new Worker('c/d.js'); }, expectedErr);
+  assert.throws(() => { new Worker('a.mjs'); }, expectedErr);
+}
+
+{
+  const expectedErr = common.expectsError({
+    code: 'ERR_WORKER_UNSUPPORTED_EXTENSION',
+    type: TypeError
+  }, 3);
+  assert.throws(() => { new Worker('/b'); }, expectedErr);
+  assert.throws(() => { new Worker('/c.wasm'); }, expectedErr);
+  assert.throws(() => { new Worker('/d.txt'); }, expectedErr);
+}