Prevent errors when non-string CSP values are defined in the manifest

mozilla · Feb 12, 2024 · 6c9dad6 · 6c9dad6
1 parent 1cdb761
commit 6c9dad6
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/src/parsers/manifestjson.js b/src/parsers/manifestjson.js
@@ -1149,6 +1149,10 @@ export default class ManifestJSONParser extends JSONParser {
   }
 
   validateCspPolicyString(policy, manifestPropName) {
+    if (typeof policy !== 'string') {
+      return;
+    }
+
     const directives = parseCspPolicy(policy);
 
     // The order is important here, 'default-src' needs to be before

diff --git a/tests/unit/parsers/test.manifestjson.js b/tests/unit/parsers/test.manifestjson.js
@@ -2248,6 +2248,24 @@ describe('ManifestJSONParser', () => {
         expect(warningsV3.length).toEqual(6);
       }
     );
+
+    // See: https://github.com/mozilla/addons-linter/issues/5194
+    it('should handle non-string values', () => {
+      const addonLinter = new Linter({ _: ['bar'] });
+      const json = validManifestJSON({ content_security_policy: [true] });
+
+      const manifestJSONParser = new ManifestJSONParser(
+        json,
+        addonLinter.collector
+      );
+
+      const { errors } = addonLinter.collector;
+      expect(errors[0]).toMatchObject({
+        code: messages.MANIFEST_FIELD_INVALID.code,
+        message: '"/content_security_policy" must be string',
+      });
+      expect(manifestJSONParser.isValid).toEqual(false);
+    });
   });
 
   describe('update_url', () => {