diff --git a/src/process_wrap.cc b/src/process_wrap.cc index 556dea18eca76f..14c9e99934e27b 100644 --- a/src/process_wrap.cc +++ b/src/process_wrap.cc @@ -200,8 +200,10 @@ class ProcessWrap : public HandleWrap { // batch files directly but is potentially insecure because arguments // are not escaped (and sometimes cannot be unambiguously escaped), // hence why they are rejected here. +#ifdef _WIN32 if (IsWindowsBatchFile(options.file)) err = UV_EINVAL; +#endif // options.args Local argv_v = diff --git a/src/spawn_sync.cc b/src/spawn_sync.cc index 5f20e9cc0881f9..6d8d5da686d446 100644 --- a/src/spawn_sync.cc +++ b/src/spawn_sync.cc @@ -769,8 +769,10 @@ Maybe SyncProcessRunner::ParseOptions(Local js_value) { // batch files directly but is potentially insecure because arguments // are not escaped (and sometimes cannot be unambiguously escaped), // hence why they are rejected here. +#ifdef _WIN32 if (IsWindowsBatchFile(uv_process_options_.file)) return Just(UV_EINVAL); +#endif Local js_args = js_options->Get(context, env()->args_string()).ToLocalChecked(); diff --git a/src/util-inl.h b/src/util-inl.h index 47d6a73c7927cf..e078c9a11b2fac 100644 --- a/src/util-inl.h +++ b/src/util-inl.h @@ -540,25 +540,21 @@ constexpr std::string_view FastStringKey::as_string_view() const { // Inline so the compiler can fully optimize it away on Unix platforms. bool IsWindowsBatchFile(const char* filename) { #ifdef _WIN32 - static constexpr bool kIsWindows = true; -#else - static constexpr bool kIsWindows = false; -#endif // _WIN32 - if (kIsWindows) { - std::string file_with_extension = filename; - // Regex to match the last extension part after the last dot, ignoring - // trailing spaces and dots - std::regex extension_regex(R"(\.([a-zA-Z0-9]+)\s*[\.\s]*$)"); - std::smatch match; - std::string extension; - - if (std::regex_search(file_with_extension, match, extension_regex)) { - extension = ToLower(match[1].str()); - } - - return !extension.empty() && (extension == "cmd" || extension == "bat"); + std::string file_with_extension = filename; + // Regex to match the last extension part after the last dot, ignoring + // trailing spaces and dots + std::regex extension_regex(R"(\.([a-zA-Z0-9]+)\s*[\.\s]*$)"); + std::smatch match; + std::string extension; + + if (std::regex_search(file_with_extension, match, extension_regex)) { + extension = ToLower(match[1].str()); } + + return !extension.empty() && (extension == "cmd" || extension == "bat"); +#else return false; +#endif // _WIN32 } } // namespace node