ci: fix valgrind UAF root cause, CodeQL overflow, Windows symlink check

The previous commit (87185ea) added wildcard valgrind suppressions for
per-route firing paths under the rationale that the read was a "false
positive." It was not. `test_utils::as_shared(stack_resource)` wrapped
stack-allocated http_resources in a shared_ptr with a no-op deleter; the
webserver kept those shared_ptrs in its route_table_, but the underlying
storage died when the test body returned. MHD's request_completed
callback fires from a daemon worker thread during `ws->stop()` (called
in tear_down, AFTER the test body's locals have already destructed), so
the per-route firing path dereferenced freed stack memory through
`mr->resource_weak_.lock()`. The "Conditional jump on uninitialised
value" valgrind report was a real UAF, not a control-block read race.

Fix: migrate every `as_shared(stack_obj)` call site (226 across 11
files) to `std::make_shared<T>(...)`. With heap-owned resources the
lifetime model becomes correct -- the webserver's shared_ptr keeps the
resource alive until `~webserver_impl` runs, which is after `stop()`
has drained MHD's workers. The `as_shared` helper is removed from
test_utils.hpp; the file now carries a note documenting why it was
deleted. The two wildcard suppressions in test/libhttpserver.supp are
also removed; only the legitimate `gnutls_session_get_data` Memcheck:Cond
suppression remains.

Also fixed on this branch:
* src/detail/ip_representation.cpp: CodeQL flagged `(16 - i) *
  a.pieces[i]` as an int*int -> int64_t overflow path. Cast the (16-i)
  factor to int64_t so the multiply is performed in the destination
  type.
* src/Makefile.am install-data-hook: `ln -s` on MSYS2/mingw silently
  falls back to a file copy (sometimes failing entirely without admin
  rights). Wrap the symlink creation in `{ ln -s ... || cp ...; }` so
  the alias is always installed under one form or another.
* Makefile.am check-install-layout: relax `test -L httpserverpp` to
  `test -e httpserverpp`. Both a POSIX symlink and an MSYS2 file copy
  satisfy the "include resolves to umbrella" property the hook is
  establishing.

The file-size ceiling temp-bump from 87185ea is left in place; walking
the nine offenders back below 500 LOC is the documented follow-up and
is independent of this fix.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: etr

Makefile.am

@@ -209,8 +209,12 @@ check-install-layout:
 	    if test "$(CHECK_INSTALL_SHARED)" != "yes"; then rm -rf $(CHECK_INSTALL_STAGE); fi; \
 	    exit 1; \
 	fi
-	@if ! test -L $(CHECK_INSTALL_STAGE)$(includedir)/httpserverpp; then \
-	    echo "FAIL: httpserverpp symlink not installed under $(includedir)"; \
+	@# Accept either a symlink (POSIX) or a regular file (MSYS2/mingw, where
+	@# `ln -s` falls back to a file copy unless MSYS=winsymlinks is set).
+	@# Either form satisfies the "includes #include <httpserverpp> resolve to
+	@# the umbrella" property the install hook is establishing.
+	@if ! test -e $(CHECK_INSTALL_STAGE)$(includedir)/httpserverpp; then \
+	    echo "FAIL: httpserverpp alias not installed under $(includedir)"; \
 	    if test "$(CHECK_INSTALL_SHARED)" != "yes"; then rm -rf $(CHECK_INSTALL_STAGE); fi; \
 	    exit 1; \
 	fi

src/Makefile.am

@@ -54,7 +54,16 @@ libhttpserver_la_CXXFLAGS = $(AM_CXXFLAGS)
 libhttpserver_la_LDFLAGS = $(AM_LDFLAGS) -no-undefined -version-number @LHT_LDF_VERSION@
 
 install-data-hook:
-	(mkdir -p $(DESTDIR)$(includedir) && cd $(DESTDIR)$(includedir) && $(LN_S) -f httpserver.hpp httpserverpp)
+	@# Install an `<httpserverpp>` alias next to `<httpserver.hpp>`. On POSIX
+	@# this is a symlink. On MSYS2/mingw `ln -s` typically falls back to a
+	@# file copy (it produces a regular file, not a link); when even that
+	@# fails (e.g. tightened sandboxes, or `ln` missing the `-s` flag in
+	@# pristine mingw shells) we fall back to an explicit `cp`. The
+	@# downstream `check-install-layout` rule accepts either form.
+	mkdir -p $(DESTDIR)$(includedir)
+	cd $(DESTDIR)$(includedir) && \
+	    rm -f httpserverpp && \
+	    { $(LN_S) httpserver.hpp httpserverpp || cp httpserver.hpp httpserverpp; }
 
 uninstall-hook:
 	(cd $(DESTDIR)$(includedir) && rm -f httpserverpp)

src/detail/ip_representation.cpp

@@ -268,8 +268,12 @@ void accumulate_octet_score(const ip_representation& a,
                             const ip_representation& b, int i,
                             int64_t& a_score, int64_t& b_score) {
     if (!(CHECK_BIT(a.mask, i) && CHECK_BIT(b.mask, i))) return;
-    a_score += (16 - i) * a.pieces[i];
-    b_score += (16 - i) * b.pieces[i];
+    // Cast the (16 - i) factor to int64_t before the multiply so the product
+    // is computed in the destination type. Without the cast the multiplication
+    // happens in int and only the result is widened, which CodeQL flags as a
+    // potential overflow.
+    a_score += static_cast<int64_t>(16 - i) * a.pieces[i];
+    b_score += static_cast<int64_t>(16 - i) * b.pieces[i];
 }
 
 // True when both v4-mapped-prefix octets on a and b are 0x00 or 0xFF.

test/integ/authentication.cpp

@@ -125,8 +125,8 @@ LT_END_SUITE(authentication_suite)
 LT_BEGIN_AUTO_TEST(authentication_suite, base_auth)
     webserver ws{create_webserver(PORT)};
 
-    user_pass_resource user_pass;
-    ws.register_path("base", as_shared(user_pass));
+    auto user_pass = std::make_shared<user_pass_resource>();
+    ws.register_path("base", user_pass);
     ws.start(false);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -150,8 +150,8 @@ LT_END_AUTO_TEST(base_auth)
 LT_BEGIN_AUTO_TEST(authentication_suite, base_auth_fail)
     webserver ws{create_webserver(PORT)};
 
-    user_pass_resource user_pass;
-    ws.register_path("base", as_shared(user_pass));
+    auto user_pass = std::make_shared<user_pass_resource>();
+    ws.register_path("base", user_pass);
     ws.start(false);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -247,8 +247,8 @@ LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth)
         .digest_auth_random("myrandom")
         .nonce_nc_size(300)};
 
-    digest_resource digest;
-    ws.register_path("base", as_shared(digest));
+    auto digest = std::make_shared<digest_resource>();
+    ws.register_path("base", digest);
     ws.start(false);
 
 #if defined(_WINDOWS)
@@ -294,8 +294,8 @@ LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth_wrong_pass)
         .digest_auth_random("myrandom")
         .nonce_nc_size(300)};
 
-    digest_resource digest;
-    ws.register_path("base", as_shared(digest));
+    auto digest = std::make_shared<digest_resource>();
+    ws.register_path("base", digest);
     ws.start(false);
 
 #if defined(_WINDOWS)
@@ -339,8 +339,8 @@ LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth_with_ha1_md5)
         .digest_auth_random("myrandom")
         .nonce_nc_size(300)};
 
-    digest_ha1_md5_resource digest_ha1;
-    ws.register_path("base", as_shared(digest_ha1));
+    auto digest_ha1 = std::make_shared<digest_ha1_md5_resource>();
+    ws.register_path("base", digest_ha1);
     ws.start(false);
 
 #if defined(_WINDOWS)
@@ -386,8 +386,8 @@ LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth_with_ha1_md5_wrong_pass)
         .digest_auth_random("myrandom")
         .nonce_nc_size(300)};
 
-    digest_ha1_md5_resource digest_ha1;
-    ws.register_path("base", as_shared(digest_ha1));
+    auto digest_ha1 = std::make_shared<digest_ha1_md5_resource>();
+    ws.register_path("base", digest_ha1);
     ws.start(false);
 
 #if defined(_WINDOWS)
@@ -431,8 +431,8 @@ LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth_with_ha1_sha256)
         .digest_auth_random("myrandom")
         .nonce_nc_size(300)};
 
-    digest_ha1_sha256_resource digest_ha1;
-    ws.register_path("base", as_shared(digest_ha1));
+    auto digest_ha1 = std::make_shared<digest_ha1_sha256_resource>();
+    ws.register_path("base", digest_ha1);
     ws.start(false);
 
 #if defined(_WINDOWS)
@@ -478,8 +478,8 @@ LT_BEGIN_AUTO_TEST(authentication_suite, digest_auth_with_ha1_sha256_wrong_pass)
         .digest_auth_random("myrandom")
         .nonce_nc_size(300)};
 
-    digest_ha1_sha256_resource digest_ha1;
-    ws.register_path("base", as_shared(digest_ha1));
+    auto digest_ha1 = std::make_shared<digest_ha1_sha256_resource>();
+    ws.register_path("base", digest_ha1);
     ws.start(false);
 
 #if defined(_WINDOWS)
@@ -550,8 +550,8 @@ LT_BEGIN_AUTO_TEST(authentication_suite, digest_user_cache_no_auth)
         .digest_auth_random("myrandom")
         .nonce_nc_size(300)};
 
-    digest_user_cache_resource resource;
-    ws.register_path("cache_test", as_shared(resource));
+    auto resource = std::make_shared<digest_user_cache_resource>();
+    ws.register_path("cache_test", resource);
     ws.start(false);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -581,8 +581,8 @@ LT_BEGIN_AUTO_TEST(authentication_suite, digest_user_cache_with_auth)
         .digest_auth_random("myrandom")
         .nonce_nc_size(300)};
 
-    digest_user_cache_resource resource;
-    ws.register_path("cache_test", as_shared(resource));
+    auto resource = std::make_shared<digest_user_cache_resource>();
+    ws.register_path("cache_test", resource);
     ws.start(false);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -637,8 +637,8 @@ LT_BEGIN_AUTO_TEST(authentication_suite, centralized_auth_fail)
     webserver ws{create_webserver(PORT)
         .auth_handler(centralized_auth_handler)};
 
-    simple_resource sr;
-    ws.register_path("protected", as_shared(sr));
+    auto sr = std::make_shared<simple_resource>();
+    ws.register_path("protected", sr);
     ws.start(false);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -664,8 +664,8 @@ LT_BEGIN_AUTO_TEST(authentication_suite, centralized_auth_success)
     webserver ws{create_webserver(PORT)
         .auth_handler(centralized_auth_handler)};
 
-    simple_resource sr;
-    ws.register_path("protected", as_shared(sr));
+    auto sr = std::make_shared<simple_resource>();
+    ws.register_path("protected", sr);
     ws.start(false);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -694,10 +694,10 @@ LT_BEGIN_AUTO_TEST(authentication_suite, auth_skip_paths)
         .auth_handler(centralized_auth_handler)
         .auth_skip_paths({"/health", "/public/*"})};
 
-    simple_resource sr;
-    ws.register_path("health", as_shared(sr));
-    ws.register_path("public/info", as_shared(sr));
-    ws.register_path("protected", as_shared(sr));
+    auto sr = std::make_shared<simple_resource>();
+    ws.register_path("health", sr);
+    ws.register_path("public/info", sr);
+    ws.register_path("protected", sr);
     ws.start(false);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -759,8 +759,8 @@ LT_BEGIN_AUTO_TEST(authentication_suite, auth_skip_paths_no_partial_match)
         .auth_handler(centralized_auth_handler)
         .auth_skip_paths({"/public/*"})};
 
-    simple_resource sr;
-    ws.register_path("publicinfo", as_shared(sr));
+    auto sr = std::make_shared<simple_resource>();
+    ws.register_path("publicinfo", sr);
     ws.start(false);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -789,8 +789,8 @@ LT_BEGIN_AUTO_TEST(authentication_suite, auth_skip_paths_deep_nested)
         .auth_handler(centralized_auth_handler)
         .auth_skip_paths({"/api/v1/public/*"})};
 
-    simple_resource sr;
-    ws.register_path("api/v1/public/users/list", as_shared(sr));
+    auto sr = std::make_shared<simple_resource>();
+    ws.register_path("api/v1/public/users/list", sr);
     ws.start(false);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -826,8 +826,8 @@ LT_BEGIN_AUTO_TEST(authentication_suite, centralized_auth_post_method)
     webserver ws{create_webserver(PORT)
         .auth_handler(centralized_auth_handler)};
 
-    post_resource pr;
-    ws.register_path("data", as_shared(pr));
+    auto pr = std::make_shared<post_resource>();
+    ws.register_path("data", pr);
     ws.start(false);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -874,8 +874,8 @@ LT_BEGIN_AUTO_TEST(authentication_suite, centralized_auth_wrong_credentials)
     webserver ws{create_webserver(PORT)
         .auth_handler(centralized_auth_handler)};
 
-    simple_resource sr;
-    ws.register_path("protected", as_shared(sr));
+    auto sr = std::make_shared<simple_resource>();
+    ws.register_path("protected", sr);
     ws.start(false);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -921,8 +921,8 @@ LT_BEGIN_AUTO_TEST(authentication_suite, centralized_auth_not_found)
     webserver ws{create_webserver(PORT)
         .auth_handler(centralized_auth_handler)};
 
-    simple_resource sr;
-    ws.register_path("exists", as_shared(sr));
+    auto sr = std::make_shared<simple_resource>();
+    ws.register_path("exists", sr);
     ws.start(false);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -950,8 +950,8 @@ LT_END_AUTO_TEST(centralized_auth_not_found)
 LT_BEGIN_AUTO_TEST(authentication_suite, no_auth_handler_default)
     webserver ws{create_webserver(PORT)};  // No auth_handler
 
-    simple_resource sr;
-    ws.register_path("open", as_shared(sr));
+    auto sr = std::make_shared<simple_resource>();
+    ws.register_path("open", sr);
     ws.start(false);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -981,11 +981,11 @@ LT_BEGIN_AUTO_TEST(authentication_suite, auth_multiple_skip_paths)
         .auth_handler(centralized_auth_handler)
         .auth_skip_paths({"/health", "/metrics", "/status", "/public/*"})};
 
-    simple_resource sr;
-    ws.register_path("health", as_shared(sr));
-    ws.register_path("metrics", as_shared(sr));
-    ws.register_path("status", as_shared(sr));
-    ws.register_path("protected", as_shared(sr));
+    auto sr = std::make_shared<simple_resource>();
+    ws.register_path("health", sr);
+    ws.register_path("metrics", sr);
+    ws.register_path("status", sr);
+    ws.register_path("protected", sr);
     ws.start(false);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -1059,8 +1059,8 @@ LT_BEGIN_AUTO_TEST(authentication_suite, auth_skip_path_root)
         .auth_handler(centralized_auth_handler)
         .auth_skip_paths({"/"})};
 
-    simple_resource sr;
-    ws.register_prefix("/", as_shared(sr));
+    auto sr = std::make_shared<simple_resource>();
+    ws.register_prefix("/", sr);
     ws.start(false);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -1090,10 +1090,10 @@ LT_BEGIN_AUTO_TEST(authentication_suite, auth_skip_path_wildcard)
         .auth_handler(centralized_auth_handler)
         .auth_skip_paths({"/pub/*"})};
 
-    simple_resource sr;
-    ws.register_path("pub/anything", as_shared(sr));
-    ws.register_path("pub/nested/path", as_shared(sr));
-    ws.register_path("private/secret", as_shared(sr));
+    auto sr = std::make_shared<simple_resource>();
+    ws.register_path("pub/anything", sr);
+    ws.register_path("pub/nested/path", sr);
+    ws.register_path("private/secret", sr);
     ws.start(false);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -1152,8 +1152,8 @@ LT_BEGIN_AUTO_TEST(authentication_suite, auth_empty_skip_paths)
         .auth_handler(centralized_auth_handler)
         .auth_skip_paths({})};  // Empty skip paths
 
-    simple_resource sr;
-    ws.register_path("test", as_shared(sr));
+    auto sr = std::make_shared<simple_resource>();
+    ws.register_path("test", sr);
     ws.start(false);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -1183,9 +1183,9 @@ LT_BEGIN_AUTO_TEST(authentication_suite, auth_skip_path_traversal_bypass)
         .auth_handler(centralized_auth_handler)
         .auth_skip_paths({"/public/*"})};
 
-    simple_resource sr;
-    ws.register_path("protected", as_shared(sr));
-    ws.register_path("public/info", as_shared(sr));
+    auto sr = std::make_shared<simple_resource>();
+    ws.register_path("protected", sr);
+    ws.register_path("public/info", sr);
     ws.start(false);
 
     curl_global_init(CURL_GLOBAL_ALL);

test/integ/ban_system.cpp

@@ -80,8 +80,8 @@ LT_BEGIN_AUTO_TEST(ban_system_suite, accept_default_block_blocks)
     webserver ws{create_webserver(PORT).default_policy(http_utils::ACCEPT)};
     ws.start(false);
 
-    ok_resource resource;
-    ws.register_path("base", as_shared(resource));
+    auto resource = std::make_shared<ok_resource>();
+    ws.register_path("base", resource);
 
     curl_global_init(CURL_GLOBAL_ALL);
 
@@ -138,8 +138,8 @@ LT_BEGIN_AUTO_TEST(ban_system_suite, reject_policy_neither_allowed_nor_blocked)
     webserver ws{create_webserver(PORT).default_policy(http_utils::REJECT)};
     ws.start(false);
 
-    ok_resource resource;
-    ws.register_path("base", as_shared(resource));
+    auto resource = std::make_shared<ok_resource>();
+    ws.register_path("base", resource);
 
     curl_global_init(CURL_GLOBAL_ALL);
 
@@ -164,8 +164,8 @@ LT_BEGIN_AUTO_TEST(ban_system_suite, block_with_weight_comparison)
     webserver ws{create_webserver(PORT).default_policy(http_utils::ACCEPT)};
     ws.start(false);
 
-    ok_resource resource;
-    ws.register_path("base", as_shared(resource));
+    auto resource = std::make_shared<ok_resource>();
+    ws.register_path("base", resource);
 
     curl_global_init(CURL_GLOBAL_ALL);
 
@@ -198,8 +198,8 @@ LT_BEGIN_AUTO_TEST(ban_system_suite, block_specific_then_wildcard)
     webserver ws{create_webserver(PORT).default_policy(http_utils::ACCEPT)};
     ws.start(false);
 
-    ok_resource resource;
-    ws.register_path("base", as_shared(resource));
+    auto resource = std::make_shared<ok_resource>();
+    ws.register_path("base", resource);
 
     curl_global_init(CURL_GLOBAL_ALL);