worker: restrict supported extensions

Only allow `.js` and `.mjs` extensions to provide future-proofing
for file type detection.

Refs: https://github.com/ayojs/ayo/pull/117
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Reviewed-By: Olivia Hugger <olivia@fastmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>

PR-URL: https://github.com/nodejs/node/pull/20876
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Shingo Inoue <leko.noor@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: John-David Dalton <john.david.dalton@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>

lib/internal/errors.js

@@ -849,4 +849,7 @@ E('ERR_WORKER_NEED_ABSOLUTE_PATH',
   TypeError);
 E('ERR_WORKER_UNSERIALIZABLE_ERROR',
   'Serializing an uncaught exception failed', Error);
+E('ERR_WORKER_UNSUPPORTED_EXTENSION',
+  'The worker script extension must be ".js" or ".mjs". Received "%s"',
+  TypeError);
 E('ERR_ZLIB_INITIALIZATION_FAILED', 'Initialization failed', Error);

lib/internal/worker.js

@@ -8,7 +8,8 @@ const util = require('util');
 const {
   ERR_INVALID_ARG_TYPE,
   ERR_WORKER_NEED_ABSOLUTE_PATH,
-  ERR_WORKER_UNSERIALIZABLE_ERROR
+  ERR_WORKER_UNSERIALIZABLE_ERROR,
+  ERR_WORKER_UNSUPPORTED_EXTENSION,
 } = require('internal/errors').codes;
 
 const { internalBinding } = require('internal/bootstrap/loaders');
@@ -136,9 +137,15 @@ class Worker extends EventEmitter {
       throw new ERR_INVALID_ARG_TYPE('filename', 'string', filename);
     }
 
-    if (!options.eval && !path.isAbsolute(filename)) {
+    if (!options.eval) {
+      if (!path.isAbsolute(filename)) {
         throw new ERR_WORKER_NEED_ABSOLUTE_PATH(filename);
       }
+      const ext = path.extname(filename);
+      if (ext !== '.js' && ext !== '.mjs') {
+        throw new ERR_WORKER_UNSUPPORTED_EXTENSION(ext);
+      }
+    }
 
     // Set up the C++ handle for the worker, as well as some internal wiring.
     this[kHandle] = new WorkerImpl();

test/parallel/test-worker-unsupported-path.js

@@ -0,0 +1,27 @@
+// Flags: --experimental-worker
+'use strict';
+
+const common = require('../common');
+const assert = require('assert');
+const { Worker } = require('worker');
+
+{
+  const expectedErr = common.expectsError({
+    code: 'ERR_WORKER_NEED_ABSOLUTE_PATH',
+    type: TypeError
+  }, 4);
+  assert.throws(() => { new Worker('a.js'); }, expectedErr);
+  assert.throws(() => { new Worker('b'); }, expectedErr);
+  assert.throws(() => { new Worker('c/d.js'); }, expectedErr);
+  assert.throws(() => { new Worker('a.mjs'); }, expectedErr);
+}
+
+{
+  const expectedErr = common.expectsError({
+    code: 'ERR_WORKER_UNSUPPORTED_EXTENSION',
+    type: TypeError
+  }, 3);
+  assert.throws(() => { new Worker('/b'); }, expectedErr);
+  assert.throws(() => { new Worker('/c.wasm'); }, expectedErr);
+  assert.throws(() => { new Worker('/d.txt'); }, expectedErr);
+}