From bd44a51b8dc33179f7f985f8344938e6409fca12 Mon Sep 17 00:00:00 2001
From: Claude
Date: Mon, 8 Jun 2026 05:08:44 +0000
Subject: [PATCH] fix: validate --timeout CLI argument to prevent silent NaN timeout

Previously, passing a non-numeric value like --timeout notanumber caused parseInt to return NaN. Since NaN is not null/undefined, the ?? fallback in fetch.ts was skipped, and setTimeout received NaN (treated as 0 by browsers and Node), aborting every request immediately with an opaque AbortError.

The fix:
- Errors immediately with a clear message if --timeout is missing its value or if the value parses to NaN or a non-positive number.
- Uses the raw string (not String(NaN)) to exclude the timeout value from the URL-candidate scan, fixing a secondary bug where the timeout string could have been picked up as the URL.

https://claude.ai/code/session_01V8MbP8UKNDFzXh4oMew2C2
---
 src/cli.ts | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/cli.ts b/src/cli.ts
index a6d2e8b..dec9c32 100644
--- a/src/cli.ts
+++ b/src/cli.ts
@@ -80,9 +80,18 @@ async function main() {
   }
   const jsonMode = args.includes('--json');
-  const timeoutArg = args.find((a, i) => a === '--timeout' && args[i + 1]);
-  const timeoutMs = timeoutArg ? parseInt(args[args.indexOf('--timeout') + 1], 10) : undefined;
-  const url = args.find(a => !a.startsWith('--') && a !== String(timeoutMs));
+  const timeoutIdx = args.indexOf('--timeout');
+  const rawTimeout = timeoutIdx !== -1 ? args[timeoutIdx + 1] : undefined;
+  if (timeoutIdx !== -1 && (rawTimeout === undefined || rawTimeout.startsWith('--'))) {
+    console.error('Error: --timeout requires a value in milliseconds (e.g. --timeout 5000)');
+    process.exit(1);
+  }
+  const timeoutMs = rawTimeout !== undefined ? parseInt(rawTimeout, 10) : undefined;
+  if (timeoutMs !== undefined && (isNaN(timeoutMs) || timeoutMs <= 0)) {
+    console.error(`Error: --timeout value must be a positive integer in milliseconds (e.g. --timeout 5000), got: '${rawTimeout}'`);
+    process.exit(1);
+  }
+  const url = args.find(a => !a.startsWith('--') && a !== rawTimeout);
   if (!url) {
     console.error('Usage: security-headers [--json] [--timeout ms] [--help] [--version]');
     console.error('Run with --help for full usage information.');
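Review bot: The new `parseInt(rawTimeout, 10)` line still accepts strings with trailing characters (`--timeout 5000ms` silently becomes 5000) and the validation that follows puts no upper bound on `timeoutMs`, so a value above 2147483647 passes the check but Node's setTimeout clamps such delays to 1 ms with a TimeoutOverflowWarning — the same immediate-abort failure mode this commit fixes for NaN, assuming fetch.ts hands the value straight to setTimeout as the description states. A strict conversion closes both gaps: `const timeoutMs = rawTimeout !== undefined ? Number(rawTimeout) : undefined;` followed by `if (timeoutMs !== undefined && (!Number.isInteger(timeoutMs) || timeoutMs <= 0 || timeoutMs > 2147483647)) {`, which also replaces the coercing global `isNaN` with a non-coercing check. The error message on the next line would then read "must be a positive integer no larger than 2147483647 milliseconds". The enclosing `main()` begins before and continues past this hunk.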