fix(runtime): prevent crash from path substr operations

Author: adrian-niculescu

NativeScript/runtime/ModuleInternal.mm

@@ -6,10 +6,10 @@
 #include <utime.h>
 #include <string>
 #include "Caches.h"
+#include "DevFlags.h"
 #include "Helpers.h"
 #include "ModuleInternalCallbacks.h"  // for ResolveModuleCallback
 #include "NativeScriptException.h"
-#include "DevFlags.h"
 #include "Runtime.h"  // for GetAppConfigValue
 #include "RuntimeConfig.h"
 
@@ -177,7 +177,8 @@ bool IsESModule(const std::string& path) {
         Log(@"Error loading ES module: %s", path.c_str());
         Log(@"Exception: %s", ex.getMessage().c_str());
         Log(@"***** End stack trace - continuing execution *****");
-        Log(@"Debug mode - ES module loading failed, but telling iOS it succeeded to prevent app termination");
+        Log(@"Debug mode - ES module loading failed, but telling iOS it succeeded to prevent app "
+            @"termination");
         return true;  // avoid termination in debug
       } else {
         return false;
@@ -225,11 +226,10 @@ bool IsESModule(const std::string& path) {
           @"app termination");
 
       // Add a small delay to ensure error modal has time to render before we return
-      dispatch_after(
-          dispatch_time(DISPATCH_TIME_NOW, (int64_t)(0.3 * NSEC_PER_SEC)),
-          dispatch_get_main_queue(), ^{
-            Log(@"🛡️ Debug mode - Crash prevention complete, app should remain stable");
-          });
+      dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(0.3 * NSEC_PER_SEC)),
+                     dispatch_get_main_queue(), ^{
+                       Log(@"🛡️ Debug mode - Crash prevention complete, app should remain stable");
+                     });
 
       return true;  // LIE TO iOS - return success to prevent app termination
     } else {
@@ -302,7 +302,9 @@ bool IsESModule(const std::string& path) {
       if (*s) {
         moduleName.assign(*s, s.length());
         if (moduleName.rfind("http://", 0) == 0 || moduleName.rfind("https://", 0) == 0) {
-          std::string msg = std::string("NativeScript: require() of URL module is not supported: ") + moduleName + ". Use dynamic import() instead.";
+          std::string msg =
+              std::string("NativeScript: require() of URL module is not supported: ") + moduleName +
+              ". Use dynamic import() instead.";
           throw NativeScriptException(msg.c_str());
         }
       }
@@ -357,7 +359,6 @@ bool IsESModule(const std::string& path) {
       fullPath = [NSString stringWithUTF8String:moduleName.c_str()];
     }
 
-
     NSString* fileNameOnly = [fullPath lastPathComponent];
     NSString* pathOnly = [fullPath stringByDeletingLastPathComponent];
 
@@ -638,7 +639,15 @@ throw NativeScriptException(isolate,
       stringByDeletingLastPathComponent] UTF8String];
 
   // Shorten the parentDir for GetRequireFunction to avoid V8 parsing issues with long paths
-  std::string shortParentDir = "/app" + parentDir.substr(RuntimeConfig.ApplicationPath.length());
+  std::string shortParentDir;
+  if (parentDir.length() >= RuntimeConfig.ApplicationPath.length() &&
+      parentDir.compare(0, RuntimeConfig.ApplicationPath.length(), RuntimeConfig.ApplicationPath) ==
+          0) {
+    shortParentDir = "/app" + parentDir.substr(RuntimeConfig.ApplicationPath.length());
+  } else {
+    // Fallback: use the entire path if it doesn't start with ApplicationPath
+    shortParentDir = parentDir;
+  }
 
   Local<v8::Function> require = GetRequireFunction(isolate, shortParentDir);
   // Use full paths for __filename and __dirname to match module.id
@@ -713,7 +722,8 @@ throw NativeScriptException(isolate,
           canonicalPath.c_str());
       return Local<Value>();
     } else {
-      throw NativeScriptException(isolate, "Classic script compilation failed for " + canonicalPath);
+      throw NativeScriptException(isolate,
+                                  "Classic script compilation failed for " + canonicalPath);
     }
   }
 
@@ -825,7 +835,8 @@ ScriptOrigin origin(isolate, urlString,
         tns::LogError(isolate, tc);
       }
       Log(@"***** End stack trace - continuing execution *****");
-      Log(@"Debug mode - Script compilation failed, returning gracefully: %s", canonicalPath.c_str());
+      Log(@"Debug mode - Script compilation failed, returning gracefully: %s",
+          canonicalPath.c_str());
       // Return empty script to prevent crashes
       return Local<Script>();
     } else {
@@ -852,7 +863,8 @@ ScriptOrigin origin(isolate, urlString,
 
   Local<v8::String> urlString;
   if (!v8::String::NewFromUtf8(isolate, url.c_str(), NewStringType::kNormal).ToLocal(&urlString)) {
-    throw NativeScriptException(isolate, "Failed to create URL string for ES module " + canonicalPath);
+    throw NativeScriptException(isolate,
+                                "Failed to create URL string for ES module " + canonicalPath);
   }
 
   ScriptOrigin origin(isolate, urlString, 0, 0, false, -1, Local<Value>(), false, false,
@@ -861,12 +873,15 @@ ScriptOrigin origin(isolate, urlString, 0, 0, false, -1, Local<Value>(), false,
   ScriptCompiler::Source source(sourceText, origin, cacheData);
 
   // 2) Compile with its own TryCatch
-  // Phase diagnostics helper (local lambda) – only active in debug builds when logScriptLoading is enabled
-  auto logPhase = [&](const char* phase, const char* status, const char* classification = "", const char* extra = "") {
+  // Phase diagnostics helper (local lambda) – only active in debug builds when logScriptLoading is
+  // enabled
+  auto logPhase = [&](const char* phase, const char* status, const char* classification = "",
+                      const char* extra = "") {
     if (RuntimeConfig.IsDebug && IsScriptLoadingLogEnabled()) {
       if (classification && classification[0] != '\0') {
         if (extra && extra[0] != '\0') {
-          Log(@"[esm][%s][%s][%s] %s %s", phase, status, classification, canonicalPath.c_str(), extra);
+          Log(@"[esm][%s][%s][%s] %s %s", phase, status, classification, canonicalPath.c_str(),
+              extra);
         } else {
           Log(@"[esm][%s][%s][%s] %s", phase, status, classification, canonicalPath.c_str());
         }
@@ -896,8 +911,11 @@ ScriptOrigin origin(isolate, urlString, 0, 0, false, -1, Local<Value>(), false,
           v8::String::Utf8Value w(isolate, msg->Get());
           if (*w) {
             std::string m(*w);
-            if (m.find("Unexpected token") != std::string::npos || m.find("SyntaxError") != std::string::npos) classification = "syntax";
-            else if (m.find("Cannot use import statement outside a module") != std::string::npos) classification = "not-a-module";
+            if (m.find("Unexpected token") != std::string::npos ||
+                m.find("SyntaxError") != std::string::npos)
+              classification = "syntax";
+            else if (m.find("Cannot use import statement outside a module") != std::string::npos)
+              classification = "not-a-module";
           }
         }
       }
@@ -915,7 +933,8 @@ ScriptOrigin origin(isolate, urlString, 0, 0, false, -1, Local<Value>(), false,
         // Return empty to prevent crashes
         return Local<Value>();
       } else {
-        throw NativeScriptException(isolate, tcCompile, "Cannot compile ES module " + canonicalPath);
+        throw NativeScriptException(isolate, tcCompile,
+                                    "Cannot compile ES module " + canonicalPath);
       }
     }
   }
@@ -956,8 +975,11 @@ ScriptOrigin origin(isolate, urlString, 0, 0, false, -1, Local<Value>(), false,
           v8::String::Utf8Value w(isolate, msg->Get());
           if (*w) {
             std::string m(*w);
-            if (m.find("Cannot find module") != std::string::npos || m.find("failed to resolve module specifier") != std::string::npos) classification = "resolve";
-            else if (m.find("does not provide an export named") != std::string::npos) classification = "link-export";
+            if (m.find("Cannot find module") != std::string::npos ||
+                m.find("failed to resolve module specifier") != std::string::npos)
+              classification = "resolve";
+            else if (m.find("does not provide an export named") != std::string::npos)
+              classification = "link-export";
           }
         }
       }
@@ -974,7 +996,8 @@ ScriptOrigin origin(isolate, urlString, 0, 0, false, -1, Local<Value>(), false,
         return Local<Value>();
       } else {
         if (tcLink.HasCaught()) {
-          throw NativeScriptException(isolate, tcLink, "Cannot instantiate module " + canonicalPath);
+          throw NativeScriptException(isolate, tcLink,
+                                      "Cannot instantiate module " + canonicalPath);
         } else {
           // V8 gave no exception object—throw plain text
           throw NativeScriptException(isolate, "Cannot instantiate module " + canonicalPath);
@@ -999,9 +1022,12 @@ ScriptOrigin origin(isolate, urlString, 0, 0, false, -1, Local<Value>(), false,
           v8::String::Utf8Value w(isolate, msg->Get());
           if (*w) {
             std::string m(*w);
-            if (m.find("is not defined") != std::string::npos) classification = "reference";
-            else if (m.find("TypeError") != std::string::npos) classification = "type";
-            else if (m.find("Cannot read properties") != std::string::npos) classification = "type-nullish";
+            if (m.find("is not defined") != std::string::npos)
+              classification = "reference";
+            else if (m.find("TypeError") != std::string::npos)
+              classification = "type";
+            else if (m.find("Cannot read properties") != std::string::npos)
+              classification = "type-nullish";
           }
         }
       }
@@ -1052,7 +1078,7 @@ ScriptOrigin origin(isolate, urlString, 0, 0, false, -1, Local<Value>(), false,
               std::string errorTitle = "Uncaught JavaScript Exception";
               std::string errorMessage = "Module evaluation promise rejected";
               std::string stackTrace = "";
-              
+
               // Try to get the promise result (the actual error)
               Local<Value> reason = promise->Result();
               if (!reason.IsEmpty()) {
@@ -1062,7 +1088,8 @@ ScriptOrigin origin(isolate, urlString, 0, 0, false, -1, Local<Value>(), false,
 
                   auto messageKey = tns::ToV8String(isolate, "message");
                   Local<Value> messageVal;
-                  if (errorObj->Get(context, messageKey).ToLocal(&messageVal) && messageVal->IsString()) {
+                  if (errorObj->Get(context, messageKey).ToLocal(&messageVal) &&
+                      messageVal->IsString()) {
                     v8::String::Utf8Value messageUtf8(isolate, messageVal);
                     if (*messageUtf8) errorMessage = std::string(*messageUtf8);
                   }
@@ -1113,7 +1140,8 @@ ScriptOrigin origin(isolate, urlString, 0, 0, false, -1, Local<Value>(), false,
 
               if (IsScriptLoadingLogEnabled()) {
                 // Emit a concise summary of the rejection for diagnostics
-                std::string stackPreview = stackTrace.size() > 240 ? stackTrace.substr(0, 240) + "…" : stackTrace;
+                std::string stackPreview =
+                    stackTrace.size() > 240 ? stackTrace.substr(0, 240) + "…" : stackTrace;
                 Log(@"[esm][evaluate][promise-rejected:detail] path=%s message=%s stack=%s",
                     canonicalPath.c_str(), errorMessage.c_str(), stackPreview.c_str());
               }
@@ -1566,7 +1594,14 @@ throw NativeScriptException(
 }
 
 std::string ModuleInternal::GetCacheFileName(const std::string& path) {
-  std::string key = path.substr(RuntimeConfig.ApplicationPath.size() + 1);
+  std::string key;
+  if (path.length() > RuntimeConfig.ApplicationPath.size() &&
+      path.compare(0, RuntimeConfig.ApplicationPath.size(), RuntimeConfig.ApplicationPath) == 0) {
+    key = path.substr(RuntimeConfig.ApplicationPath.size() + 1);
+  } else {
+    // Fallback: use the entire path if it doesn't start with ApplicationPath
+    key = path;
+  }
   std::replace(key.begin(), key.end(), '/', '-');
 
   NSArray* paths = NSSearchPathForDirectoriesInDomains(NSCachesDirectory, NSUserDomainMask, YES);