base64.decode: builtin version is buggy in JSC/WebKit #42
Description
Note: this is actually an JSC bug, but relying on builtin impl without ensuring that impl is correct makes this lib unreliable too
Test:
import { describe, test } from 'node:test'
import { base64 } from '@scure/base'
const INVALID = [
'====', // excessive padding
'aQ=', // incomplete padding
'aQ===', // excessive padding
'aaaa====', // excessive padding
'a', // invalid group of length 1
'a===', // invalid group of length 1, padded
'a==', // invalid group of length 1 + incomplete padding
'aaaaa', // invalid group of length 1 after group of length 4
'aa==', // non-strict, should be aQ==
]
describe('base64', () => {
for (const input of INVALID) {
test(`invalid input: ${input}`, (t) => {
t.assert.throws(() => base64.decode(input))
})
}
})It works on Node.js (can be even run with just node jsc-fail.js), V8 and SpiderMonkey, but fails on JSC and WebKit:
JSC fails to follow the spec: https://tc39.es/proposal-arraybuffer-base64/spec/#sec-frombase64, 10.3, step 10.b.i
A solution to that would be to enforce proper padding checks before relying on .fromBase64.
Moreover, there are no tests that would have failed on this in this repo, existing tests actually pass when run on JSC, i.e. npx @exodus/test --engine jsc:bundle passes in this repo (except for test/slow-dos.test.js depending on process.hrtime.bigint and slow)