atob() must always fail on invalid input (issue #940)

rbri · rbri · commit b5b54bf72a8d · 2025-03-04T19:37:03.000+01:00
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
@@ -8,6 +8,9 @@
 
     <body>
         <release version="4.11.0" date="March xx, 2025" description="Bugfixes">
+            <action type="fix" dev="rbri" due-to="Christoph Burgmer" issue="#940">
+                atob() must always fail on invalid input.
+            </action>
             <action type="fix" dev="rbri">
                 The script async attribute is ignored if the src attribute is absent.
             </action>
diff --git a/src/main/java/org/htmlunit/javascript/host/WindowOrWorkerGlobalScopeMixin.java b/src/main/java/org/htmlunit/javascript/host/WindowOrWorkerGlobalScopeMixin.java
@@ -67,7 +67,15 @@ public static String atob(final String encodedData, final HtmlUnitScriptable scr
             }
         }
         final byte[] bytes = encodedData.getBytes(StandardCharsets.ISO_8859_1);
-        return new String(Base64.getDecoder().decode(bytes), StandardCharsets.ISO_8859_1);
+        try {
+            return new String(Base64.getDecoder().decode(bytes), StandardCharsets.ISO_8859_1);
+        }
+        catch (final IllegalArgumentException e) {
+            throw JavaScriptEngine.asJavaScriptException(
+                    scriptable,
+                    "Failed to execute atob(): " + e.getMessage(),
+                    org.htmlunit.javascript.host.dom.DOMException.INVALID_CHARACTER_ERR);
+        }
     }
 
     /**
diff --git a/src/test/java/org/htmlunit/javascript/host/Window2Test.java b/src/test/java/org/htmlunit/javascript/host/Window2Test.java
@@ -49,6 +49,7 @@
  * @author Frank Danek
  * @author Carsten Steul
  * @author Colin Alworth
+ * @author Christoph Burgmer
  */
 @RunWith(BrowserRunner.class)
 public class Window2Test extends WebDriverTestCase {
@@ -66,7 +67,7 @@ public void thisIsWindow() throws Exception {
             + "  log(this);\n"
             + "  try {\n"
             + "    log(abc);\n"
-            + "  } catch(e) {logEx(e)}\n"
+            + "  } catch(e) { logEx(e) }\n"
             + "  log(this.abc);\n"
             + "  log(this.def);\n"
             + "  this.abc = 'hello';\n"
@@ -185,15 +186,15 @@ public void atob() throws Exception {
      * @throws Exception if the test fails
      */
     @Test
-    @Alerts({"InvalidCharacterError/DOMException"})
+    @Alerts("InvalidCharacterError/DOMException")
     public void atobMalformedInput() throws Exception {
         final String html
             = "<html><head></head><body>\n"
             + "<script>\n"
             + LOG_TITLE_FUNCTION
             + "  try {\n"
             + "    window.atob('b');\n"
-            + "  } catch(e) {logEx(e)}\n"
+            + "  } catch(e) { logEx(e) }\n"
             + "</script>\n"
             + "</body></html>";
         loadPageVerifyTitle2(html);
@@ -211,10 +212,10 @@ public void atobUnicode() throws Exception {
             + LOG_TITLE_FUNCTION
             + "  try {\n"
             + "    window.btoa('I \\u2661 Unicode!');\n"
-            + "  } catch(e) {logEx(e)}\n"
+            + "  } catch(e) { logEx(e) }\n"
             + "  try {\n"
             + "    window.atob('I \\u2661 Unicode!');\n"
-            + "  } catch(e) {logEx(e)}\n"
+            + "  } catch(e) { logEx(e) }\n"
             + "</script>\n"
             + "</body></html>";
         loadPageVerifyTitle2(html);
@@ -1150,13 +1151,13 @@ public void eval() throws Exception {
             + "  x.a = 'Success';\n"
             + "  try {\n"
             + "    log(window['eval']('x.a'));\n"
-            + "  } catch(e) {logEx(e)}\n"
+            + "  } catch(e) { logEx(e) }\n"
             + "  try {\n"
             + "    log(window.eval('x.a'));\n"
-            + "  } catch(e) {logEx(e)}\n"
+            + "  } catch(e) { logEx(e) }\n"
             + "  try {\n"
             + "    log(eval('x.a'));\n"
-            + "  } catch(e) {logEx(e)}\n"
+            + "  } catch(e) { logEx(e) }\n"
             + "}\n"
             + "</script>\n"
             + "</body></html>";
@@ -2369,7 +2370,7 @@ public void constructorError() throws Exception {
             + "      var divs = document.querySelectorAll('div');\n"
             + "      var a = Array.from.call(window, divs);\n"
             + "      log(a.length);\n"
-            + "    } catch(e) {logEx(e)}\n"
+            + "    } catch(e) { logEx(e) }\n"
             + "  }\n"
             + "</script>\n"
             + "</head>\n"
@@ -2433,7 +2434,7 @@ public void test__proto__() throws Exception {
             + "      for (var p = this.__proto__; p != null; p = p.__proto__) {\n"
             + "        log(p);\n"
             + "      }\n"
-            + "    } catch(e) {logEx(e)}\n"
+            + "    } catch(e) { logEx(e) }\n"
             + "  }\n"
             + "</script>\n"
             + "</head>\n"

Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,15 @@ public static String atob(final String encodedData, final HtmlUnitScriptable scr`
`67`	`67`	`}`
`68`	`68`	`}`
`69`	`69`	`final byte[] bytes = encodedData.getBytes(StandardCharsets.ISO_8859_1);`
`70`		`- return new String(Base64.getDecoder().decode(bytes), StandardCharsets.ISO_8859_1);`
	`70`	`+ try {`
	`71`	`+ return new String(Base64.getDecoder().decode(bytes), StandardCharsets.ISO_8859_1);`
	`72`	`+ }`
	`73`	`+ catch (final IllegalArgumentException e) {`
	`74`	`+ throw JavaScriptEngine.asJavaScriptException(`
	`75`	`+ scriptable,`
	`76`	`+ "Failed to execute atob(): " + e.getMessage(),`
	`77`	`+ org.htmlunit.javascript.host.dom.DOMException.INVALID_CHARACTER_ERR);`
	`78`	`+ }`
`71`	`79`	`}`
`72`	`80`
`73`	`81`	`/**`