From cb34175dfd07a56eea3497ebc2c2937a99e922e9 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Tue, 26 May 2026 02:05:58 +0100
Subject: [PATCH] fix(matrix): reject malformed integer cli values

---
 extensions/matrix/src/cli.test.ts | 14 ++++++++++++++
 extensions/matrix/src/cli.ts      |  3 +++
 2 files changed, 17 insertions(+)

diff --git a/extensions/matrix/src/cli.test.ts b/extensions/matrix/src/cli.test.ts
index 9adefaf2695..9c60511d70a 100644
--- a/extensions/matrix/src/cli.test.ts
+++ b/extensions/matrix/src/cli.test.ts
@@ -386,6 +386,20 @@ describe("matrix CLI verification commands", () => {
     expect(consoleLogMock).toHaveBeenCalledWith("Backup: active and trusted on this device");
   });
 
+  it("rejects malformed Matrix self-verification timeout values", async () => {
+    const program = buildProgram();
+
+    await program.parseAsync(["matrix", "verify", "self", "--timeout-ms", "5000ms"], {
+      from: "user",
+    });
+
+    expect(process.exitCode).toBe(1);
+    expect(consoleErrorMock).toHaveBeenCalledWith(
+      "Self-verification failed: --timeout-ms must be an integer",
+    );
+    expect(runMatrixSelfVerificationMock).not.toHaveBeenCalled();
+  });
+
   it("requests Matrix self-verification and prints the follow-up SAS commands", async () => {
     requestMatrixVerificationMock.mockResolvedValue(
       mockMatrixVerificationSummary({
diff --git a/extensions/matrix/src/cli.ts b/extensions/matrix/src/cli.ts
index d4492973bbb..d3e08ac758f 100644
--- a/extensions/matrix/src/cli.ts
+++ b/extensions/matrix/src/cli.ts
@@ -234,6 +234,9 @@ function parseOptionalInt(value: string | undefined, fieldName: string): number
   if (!trimmed) {
     return undefined;
   }
+  if (!/^-?\d+$/.test(trimmed)) {
+    throw new Error(`${fieldName} must be an integer`);
+  }
   const parsed = Number.parseInt(trimmed, 10);
   if (!Number.isFinite(parsed)) {
     throw new Error(`${fieldName} must be an integer`);