src: do not pass user input to format string

PR-URL: #48973
Reviewed-By: Darshan Sen <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>

Author: aduh95

src/node_file.cc

@@ -3042,10 +3042,11 @@ void BindingData::LegacyMainResolve(const FunctionCallbackInfo<Value>& args) {
     return;
   }
 
-  std::string err_module_message =
-      "Cannot find package '" + module_path + "' imported from " + module_base;
   env->isolate()->ThrowException(
-      ERR_MODULE_NOT_FOUND(env->isolate(), err_module_message.c_str()));
+      ERR_MODULE_NOT_FOUND(env->isolate(),
+                           "Cannot find package '%s' imported from %s",
+                           module_path,
+                           module_base));
 }
 
 void BindingData::MemoryInfo(MemoryTracker* tracker) const {

test/es-module/test-cjs-legacyMainResolve.js

@@ -133,6 +133,14 @@ describe('legacyMainResolve', () => {
     );
   });
 
+  it('should not crash when cannot resolve to a file that contains special chars', () => {
+    const packageJsonUrl = pathToFileURL('/c/file%20with%20percents/package.json');
+    assert.throws(
+      () => legacyMainResolve(packageJsonUrl, { main: null }, packageJsonUrl),
+      { code: 'ERR_MODULE_NOT_FOUND' },
+    );
+  });
+
   it('should throw when cannot resolve to a file (base not defined)', () => {
     const packageJsonUrl = pathToFileURL(
       path.resolve(