src: handle permissive extension on cmd check

PR-URL: nodejs-private/node-private#596
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2024-36138

Author: RafaelGSS

src/util-inl.h

@@ -27,6 +27,7 @@
 #include <cmath>
 #include <cstring>
 #include <locale>
+#include <regex>  // NOLINT(build/c++11)
 #include "node_revert.h"
 #include "util.h"
 
@@ -543,9 +544,20 @@ bool IsWindowsBatchFile(const char* filename) {
 #else
   static constexpr bool kIsWindows = false;
 #endif  // _WIN32
-  if (kIsWindows)
-    if (const char* p = strrchr(filename, '.'))
-      return StringEqualNoCase(p, ".bat") || StringEqualNoCase(p, ".cmd");
+  if (kIsWindows) {
+    std::string file_with_extension = filename;
+    // Regex to match the last extension part after the last dot, ignoring
+    // trailing spaces and dots
+    std::regex extension_regex(R"(\.([a-zA-Z0-9]+)\s*[\.\s]*$)");
+    std::smatch match;
+    std::string extension;
+
+    if (std::regex_search(file_with_extension, match, extension_regex)) {
+      extension = ToLower(match[1].str());
+    }
+
+    return !extension.empty() && (extension == "cmd" || extension == "bat");
+  }
   return false;
 }
 

test/parallel/test-child-process-spawn-windows-batch-file.js

@@ -23,8 +23,8 @@ const expectedCode = isWindows ? 'EINVAL' : 'ENOENT';
 const expectedStatus = isWindows ? 1 : 127;
 
 const suffixes =
-    'BAT bAT BaT baT BAt bAt Bat bat CMD cMD CmD cmD CMd cMd Cmd cmd'
-    .split(' ');
+    'BAT|bAT|BaT|baT|BAt|bAt|Bat|bat|CMD|cMD|CmD|cmD|CMd|cMd|Cmd|cmd|cmd |cmd .|cmd ....'
+    .split('|');
 
 function testExec(filename) {
   return new Promise((resolve) => {