Skip to content

path: fix win32 normalize false-positive on reserved names#64266

Open
chatman-media wants to merge 1 commit into
nodejs:mainfrom
chatman-media:fix/win32-normalize-reserved-name-false-positive
Open

path: fix win32 normalize false-positive on reserved names#64266
chatman-media wants to merge 1 commit into
nodejs:mainfrom
chatman-media:fix/win32-normalize-reserved-name-false-positive

Conversation

@chatman-media

Copy link
Copy Markdown

path.win32.normalize() treats a bare reserved device name (CON, NUL, PRN, LPT1, ...) as a device path when it isn't followed by a colon, by slicing off path's last character and comparing that against the reserved-name list. So 'CONx'.slice(0, -1) is 'CON', which matches, and the file name gets wrongly rewritten to .\CONx. Same for NULs, LPT1x, etc. — any ordinary name that happens to be reservedName + 1 char gets this treatment even though it has nothing to do with the device.

#64159 fixed exactly this by requiring a colon before running the check at all, but that also killed the colon-less case Windows genuinely treats as reserved: a trailing single dot. Per Microsoft's own docs, "avoid these names followed immediately by an extension; NUL.txt and NUL.tar.gz are both equivalent to NUL," and there's already a test (COM9..\COM9.) baking that in. That's presumably what broke Windows CI and got it reverted in c4429c8 — I couldn't get at the Jenkins logs to confirm, but I hit the exact regression myself while re-testing the fix, so I'm fairly confident that's the mechanism.

This version narrows the no-colon check instead of dropping it: it only treats the name as reserved when the character being sliced off is specifically a ., so NUL./COM9. still match but CONx/NULs no longer do. Added both back to test-path-normalize.js, checked the CVE-2024-36139 tests and the full test-path-win32-normalize-device-names.js suite still pass (ran the latter directly since it's Windows-gated and I'm on macOS).

path.win32.normalize() checked names like CONx or NULs against the
Windows reserved device list (CON, NUL, PRN, LPT1, ...) by slicing off
the last character whenever the path had no colon, so any file name
that happened to be a reserved name plus one extra character got
wrongly treated as a device and prefixed with `.\`.

A previous attempt at this fix (b0a4f16, reverted in c4429c8)
guarded the check with `colonIndex !== -1`, but that also suppressed
the colon-less case Windows itself treats as reserved: a name followed
immediately by a single dot, e.g. NUL. and COM9. (per Microsoft's own
docs, "avoid these names followed immediately by an extension; NUL.txt
and NUL.tar.gz are both equivalent to NUL"), which is why it broke
Windows CI. This version keeps that dot case working while still
rejecting an arbitrary trailing character.

Signed-off-by: Alexander Kireev <ak.chatman.media@gmail.com>
@nodejs-github-bot

Copy link
Copy Markdown
Collaborator

Review requested:

  • @nodejs/path

@nodejs-github-bot nodejs-github-bot added needs-ci PRs that need a full CI run. path Issues and PRs related to the path subsystem. labels Jul 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-ci PRs that need a full CI run. path Issues and PRs related to the path subsystem.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants