From 7b9adff0be92f13d72c67152bc3385f2b9bbfc9e Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Tue, 1 Aug 2023 22:05:51 +0200 Subject: [PATCH] src: do not pass user input to format string MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR-URL: https://github.com/nodejs/node/pull/48973 Reviewed-By: Darshan Sen Reviewed-By: Tobias Nießen Reviewed-By: Yagiz Nizipli Reviewed-By: Luigi Pinca --- src/node_file.cc | 7 ++++--- test/es-module/test-cjs-legacyMainResolve.js | 8 ++++++++ 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/src/node_file.cc b/src/node_file.cc index 60f7c5513057d7..e8091a3e78afde 100644 --- a/src/node_file.cc +++ b/src/node_file.cc @@ -3079,10 +3079,11 @@ void BindingData::LegacyMainResolve(const FunctionCallbackInfo& args) { return; } - std::string err_module_message = - "Cannot find package '" + module_path + "' imported from " + module_base; env->isolate()->ThrowException( - ERR_MODULE_NOT_FOUND(env->isolate(), err_module_message.c_str())); + ERR_MODULE_NOT_FOUND(env->isolate(), + "Cannot find package '%s' imported from %s", + module_path, + module_base)); } void BindingData::MemoryInfo(MemoryTracker* tracker) const { diff --git a/test/es-module/test-cjs-legacyMainResolve.js b/test/es-module/test-cjs-legacyMainResolve.js index b121bd66adb324..1dc7d8faafe6eb 100644 --- a/test/es-module/test-cjs-legacyMainResolve.js +++ b/test/es-module/test-cjs-legacyMainResolve.js @@ -133,6 +133,14 @@ describe('legacyMainResolve', () => { ); }); + it('should not crash when cannot resolve to a file that contains special chars', () => { + const packageJsonUrl = pathToFileURL('/c/file%20with%20percents/package.json'); + assert.throws( + () => legacyMainResolve(packageJsonUrl, { main: null }, packageJsonUrl), + { code: 'ERR_MODULE_NOT_FOUND' }, + ); + }); + it('should throw when cannot resolve to a file (base not defined)', () => { const packageJsonUrl = pathToFileURL( path.resolve(