Fix validation findings: bounds check, DRY, const refs, empty guard

- Add bounds checking for url_pieces[chunks[i]] to prevent potential
  buffer overflow when cached endpoint chunks don't match request pieces
- Extract URL parameter extraction from cache hit/miss paths into single
  block after match resolution (DRY fix)
- Use const references for vectors instead of by-value copies to avoid
  heap allocations under cache lock
- Add empty-string guard to standardize_url before calling back()
- Extract ensure_path_pieces_cached() helper to deduplicate caching logic
  in get_path_pieces() and get_path_piece()
- Add RFC 7230 comment documenting case-sensitive strcmp intent

Author: etr

src/http_utils.cpp

@@ -218,6 +218,8 @@ std::vector<std::string> http_utils::tokenize_url(const std::string& str, const
 }
 
 std::string http_utils::standardize_url(const std::string& url) {
+    if (url.empty()) return url;
+
     std::string result = url;
 
     auto new_end = std::unique(result.begin(), result.end(), [](char a, char b) { return (a == b) && (a == '/'); });

src/httpserver/http_request.hpp

@@ -93,10 +93,7 @@ class http_request {
       * @return a vector of strings containing all pieces
      **/
      const std::vector<std::string> get_path_pieces() const {
-         if (!cache->path_pieces_cached) {
-             cache->path_pieces = http::http_utils::tokenize_url(path);
-             cache->path_pieces_cached = true;
-         }
+         ensure_path_pieces_cached();
          return cache->path_pieces;
      }
 
@@ -106,10 +103,7 @@ class http_request {
       * @return the selected piece in form of string
      **/
      const std::string get_path_piece(int index) const {
-         if (!cache->path_pieces_cached) {
-             cache->path_pieces = http::http_utils::tokenize_url(path);
-             cache->path_pieces_cached = true;
-         }
+         ensure_path_pieces_cached();
          if (static_cast<int>(cache->path_pieces.size()) > index) {
              return cache->path_pieces[index];
          }
@@ -453,6 +447,13 @@ class http_request {
         bool path_pieces_cached = false;
      };
      std::unique_ptr<http_request_data_cache> cache = std::make_unique<http_request_data_cache>();
+     void ensure_path_pieces_cached() const {
+         if (!cache->path_pieces_cached) {
+             cache->path_pieces = http::http_utils::tokenize_url(path);
+             cache->path_pieces_cached = true;
+         }
+     }
+
      // Populate the data cache unescaped_args
      void populate_args() const;
 

src/webserver.cpp

@@ -758,21 +758,15 @@ MHD_Result webserver::finalize_answer(MHD_Connection* connection, struct details
                     details::http_endpoint endpoint(st_url, false, false, false);
 
                     // Check the LRU route cache first
+                    const details::http_endpoint* matched_ep = nullptr;
                     {
                         std::lock_guard<std::mutex> cache_lock(route_cache_mutex);
                         auto cache_it = route_cache_map.find(mr->standardized_url);
                         if (cache_it != route_cache_map.end()) {
                             // Cache hit — move to front of LRU list
                             route_cache_list.splice(route_cache_list.begin(), route_cache_list, cache_it->second);
                             const route_cache_entry& cached = cache_it->second->second;
-
-                            vector<string> url_pars = cached.matched_endpoint.get_url_pars();
-                            vector<string> url_pieces = endpoint.get_url_pieces();
-                            vector<int> chunks = cached.matched_endpoint.get_chunk_positions();
-                            for (unsigned int i = 0; i < url_pars.size(); i++) {
-                                mr->dhr->set_arg(url_pars[i], url_pieces[chunks[i]]);
-                            }
-
+                            matched_ep = &cached.matched_endpoint;
                             hrm = cached.resource;
                             found = true;
                         }
@@ -782,15 +776,13 @@ MHD_Result webserver::finalize_answer(MHD_Connection* connection, struct details
                         // Cache miss — perform regex scan
                         map<details::http_endpoint, http_resource*>::iterator found_endpoint;
 
-                        map<details::http_endpoint, http_resource*>::iterator it;
-
                         size_t len = 0;
                         size_t tot_len = 0;
-                        for (it = registered_resources_regex.begin(); it != registered_resources_regex.end(); ++it) {
-                            size_t endpoint_pieces_len = (*it).first.get_url_pieces().size();
-                            size_t endpoint_tot_len = (*it).first.get_url_complete().size();
+                        for (auto it = registered_resources_regex.begin(); it != registered_resources_regex.end(); ++it) {
+                            size_t endpoint_pieces_len = it->first.get_url_pieces().size();
+                            size_t endpoint_tot_len = it->first.get_url_complete().size();
                             if (!found || endpoint_pieces_len > len || (endpoint_pieces_len == len && endpoint_tot_len > tot_len)) {
-                                if ((*it).first.match(endpoint)) {
+                                if (it->first.match(endpoint)) {
                                     found = true;
                                     len = endpoint_pieces_len;
                                     tot_len = endpoint_tot_len;
@@ -800,14 +792,7 @@ MHD_Result webserver::finalize_answer(MHD_Connection* connection, struct details
                         }
 
                         if (found) {
-                            vector<string> url_pars = found_endpoint->first.get_url_pars();
-
-                            vector<string> url_pieces = endpoint.get_url_pieces();
-                            vector<int> chunks = found_endpoint->first.get_chunk_positions();
-                            for (unsigned int i = 0; i < url_pars.size(); i++) {
-                                mr->dhr->set_arg(url_pars[i], url_pieces[chunks[i]]);
-                            }
-
+                            matched_ep = &found_endpoint->first;
                             hrm = found_endpoint->second;
 
                             // Store in LRU cache
@@ -823,6 +808,18 @@ MHD_Result webserver::finalize_answer(MHD_Connection* connection, struct details
                             }
                         }
                     }
+
+                    // Extract URL parameters from matched endpoint
+                    if (found && matched_ep != nullptr) {
+                        const auto& url_pars = matched_ep->get_url_pars();
+                        const auto& url_pieces = endpoint.get_url_pieces();
+                        const auto& chunks = matched_ep->get_chunk_positions();
+                        for (unsigned int i = 0; i < url_pars.size(); i++) {
+                            if (chunks[i] >= 0 && static_cast<size_t>(chunks[i]) < url_pieces.size()) {
+                                mr->dhr->set_arg(url_pars[i], url_pieces[chunks[i]]);
+                            }
+                        }
+                    }
                 }
             } else {
                 hrm = fe->second;
@@ -939,6 +936,7 @@ MHD_Result webserver::answer_to_connection(void* cls, MHD_Connection* connection
 
     access_log(static_cast<webserver*>(cls), mr->complete_uri + " METHOD: " + method);
 
+    // Case-sensitive per RFC 7230 §3.1.1: HTTP method is case-sensitive.
     if (0 == strcmp(method, http_utils::http_method_get)) {
         mr->callback = &http_resource::render_GET;
     } else if (0 == strcmp(method, http_utils::http_method_post)) {