fix: Plug shutdown UAF, reset reconnect state, lock down OAuth/HTTP

- plugin-main: tear down EgressLinkDock / WsPortalDock before deleting
  apiClient so OBS-owned dock destructors do not run against freed
  WsPortalClient state
- WsClient: drop CURLOPT_CONNECTTIMEOUT to 3s so OBS shutdown waits at
  most ~3s per worker; document the QPointer/joinConnectThread invariant
  on the worker -> UI invokeMethod; pin pingTimestamp to successful
  sends and gate pong RTT on a non-zero timestamp; log a partial
  fragment-buffer discard on close; include the port in the Origin
  header when it is not the scheme default; document the order
  invariant of cleanup() (notifier disconnect/deleteLater before
  curl_easy_cleanup); document sendRaw()'s UI-thread invariant; align
  the fragment-buffer cast with qsizetype
- CurlHttpClient: pin allowed protocols to http,https on the easy
  handle and on redirected requests; reject CR/LF/NUL in header keys
  or values and fail the request via the existing nullptr path;
  classify headerCallback overflow as ResponseTooLarge to match
  writeCallback; FIXME the RequestContext raw-new pattern for a
  separate RAII PR
- HttpRequestInvoker: in the 401 retry refresh-failure branch,
  remove self from the queue under the mutex before unlink/emit/delete
  to match the non-401 path and avoid re-entrant deadlock
- SRCLinkApiClient: use OS ephemeral port for the OAuth callback
  listener; switch the cached-token freshness check to the static
  QDateTime::currentSecsSinceEpoch() form; FIXME the terminate()
  fire-and-forget DELETE that is canceled by plugin teardown
- SRCLinkWebSocketClient / WsPortalClient: reset reconnect counter,
  timer, and pending flag on a successful connection so flap-then-
  recover restarts from the short backoff
- LocalHttpServer: hard-fail listen on Windows when
  setsockopt(SO_EXCLUSIVEADDRUSE) is rejected to keep the OAuth
  callback off shared ports
- IngressLinkSource: guard the reload_stages button callback with
  QPointer<IngressLinkSource> and a non-null source check before
  re-opening source properties; defer onSettingsUpdate's else-branch
  saveSettings() to the UI thread, matching the if-branch pattern
- CMakeLists: replace the mbedtls fail-fast text with an explicit
  unsupported-host message; reject SRC_LINK_LINUX_CA_PATH values
  containing quote or backslash before they reach the C macro
- build-aux/.run-format.zsh: enforce the cmake-format 0.6.13 upper
  bound locally to mirror the CI pin
- CLAUDE.md: drop the deleted Frameworks.cmake.in entry and replace
  the old request-invoker reference with the src/net/ subtree

Author: hanatyan128

CLAUDE.md

@@ -24,7 +24,6 @@ src-link/
 ├── CMakePresets.json            # CMake presets (windows-x64, macos, linux-x86_64, linux-aarch64, CI variants)
 ├── buildspec.json               # Build specification (name, version, dependencies, UUIDs)
 ├── build.ps1                    # Local Windows build script (RelWithDebInfo)
-├── Frameworks.cmake.in          # macOS framework configuration
 ├── .clang-format                # C++ code style (clang-format ≥ 16)
 ├── .cmake-format.json           # CMake code style
 ├── .github/
@@ -41,7 +40,15 @@ src-link/
 │   ├── plugin-main.cpp          # Plugin entry point (module load/unload)
 │   ├── api-client.hpp / .cpp    # SRCLinkApiClient: central orchestrator, OAuth, REST API, WebSocket
 │   ├── api-websocket.hpp / .cpp # SRCLinkWebSocketClient: control API WebSocket client
-│   ├── request-invoker.hpp / .cpp # HTTP request sequencing (OAuth2 via in-tree src/net/ stack)
+│   ├── net/
+│   │   ├── http-request-invoker.hpp / .cpp   # OAuth2-aware HTTP request invoker
+│   │   ├── http-response.hpp                 # HTTP response struct
+│   │   ├── http-error.hpp / .cpp             # HTTP error mapping helpers
+│   │   ├── curl-http-client.hpp / .cpp       # libcurl-based HTTP client
+│   │   ├── ws-client.hpp / .cpp              # libcurl-based WebSocket client
+│   │   ├── oauth2-client.hpp / .cpp          # OAuth2 authorization-code flow client
+│   │   ├── local-http-server.hpp / .cpp      # OAuth2 redirect-uri loopback server
+│   │   └── linux-ca-locations.hpp / .cpp     # Linux CA bundle path discovery
 │   ├── settings.hpp / .cpp      # SRCLinkSettingsStore: persistent settings (OBS profile INI)
 │   ├── schema.hpp               # JSON data schemas (Account, Party, Stage, Uplink, Downlink, etc.)
 │   ├── utils.hpp / .cpp         # Utility functions, encoder helpers, network helpers

CMakeLists.txt

@@ -155,7 +155,8 @@ function(_src_link_setup_curl)
     if(NOT TARGET mbedtls
        OR NOT TARGET mbedx509
        OR NOT TARGET mbedcrypto)
-      message(FATAL_ERROR "mbedtls FetchContent targets missing — _src_link_setup_mbedtls() must run first")
+      message(FATAL_ERROR "SRC-Link does not support this host platform. Only Linux, macOS, and Windows are supported. \
+mbedtls FetchContent targets are missing because _src_link_setup_mbedtls() runs only on Linux.")
     endif()
     # FIXME: passing target names as strings relies on CMake ≥ 3.22 (CMP0125 NEW) so regular variables shadow
     # find_library cache lookups and prevent system mbedtls fallback. Migrate to find_package(MbedTLS CONFIG) once
@@ -236,6 +237,9 @@ if(OS_LINUX)
   set(SRC_LINK_LINUX_CA_PATH
       "/etc/ssl/certs"
       CACHE STRING "CA bundle path for Linux TLS (directory → CURLOPT_CAPATH, file → CURLOPT_CAINFO)")
+  if(SRC_LINK_LINUX_CA_PATH MATCHES "[\"\\\\]")
+    message(FATAL_ERROR "SRC_LINK_LINUX_CA_PATH must not contain '\"' or '\\\\' characters: ${SRC_LINK_LINUX_CA_PATH}")
+  endif()
   target_compile_definitions(${CMAKE_PROJECT_NAME} PRIVATE SRC_LINK_LINUX_CA_PATH="${SRC_LINK_LINUX_CA_PATH}")
 endif()
 

build-aux/.run-format.zsh

@@ -63,6 +63,11 @@ invoke_formatter() {
           log_error "cmake-format is not version 0.6.13 or above (found ${cmake_format_version})."
           exit 2
         fi
+
+        if is-at-least 0.6.14 ${cmake_format_version}; then
+          log_error "cmake-format must be exactly 0.6.13 (CI pinned). Got ${cmake_format_version}."
+          exit 2
+        fi
       } else {
         log_error "No viable cmake-format version found (required 0.6.13)"
         exit 2

src/api-client.cpp

@@ -23,7 +23,6 @@ with this program. If not, see <https://www.gnu.org/licenses/>
 #include <climits>
 
 #include <QMessageBox>
-#include <QRandomGenerator>
 #include <QDesktopServices>
 #include <QString>
 #include <QJsonDocument>
@@ -152,7 +151,7 @@ SRCLinkApiClient::SRCLinkApiClient(QObject *parent)
     oauth2Client->setRefreshTokenUrl(TOKEN_URL);
     oauth2Client->setClientId(CLIENT_ID);
     oauth2Client->setClientSecret(CLIENT_SECRET);
-    oauth2Client->setLocalPort(QRandomGenerator::system()->bounded(8000, 9000));
+    oauth2Client->setLocalPort(0);
     oauth2Client->setScope(QString::fromLatin1(SCOPE));
     oauth2Client->setStore(settings);
 
@@ -220,7 +219,7 @@ SRCLinkApiClient::SRCLinkApiClient(QObject *parent)
     tokenRefreshTimer->setSingleShot(true);
     connect(tokenRefreshTimer, &QTimer::timeout, this, [this]() { refresh(); });
 
-    if (oauth2Client->expires() - 60 <= QDateTime().currentSecsSinceEpoch()) {
+    if (oauth2Client->expires() - 60 <= QDateTime::currentSecsSinceEpoch()) {
         // Refresh token now
         refresh();
     } else {
@@ -330,6 +329,10 @@ void SRCLinkApiClient::terminate()
     API_LOG("Terminating API client.");
     terminating = true;
     uplink = QJsonObject();
+    // FIXME: deleteUplink(true) here is fire-and-forget — the in-flight DELETE is
+    // canceled by ~CurlHttpClient on plugin teardown, leaving the server uplink
+    // entry until its TTL. Replace with a bounded QEventLoop pump (or a sync
+    // curl_easy_perform call) in a separate PR.
     deleteUplink(true);
 }
 

src/api-websocket.cpp

@@ -91,6 +91,9 @@ SRCLinkWebSocketClient::~SRCLinkWebSocketClient()
 
 void SRCLinkWebSocketClient::onConnected()
 {
+    reconnectCount = 0;
+    reconnectTimer->stop();
+    reconnectPending = false;
     API_LOG("WebSocket connected");
     emit connected();
 }

src/net/curl-http-client.cpp

@@ -22,6 +22,13 @@ with this program. If not, see <https://www.gnu.org/licenses/>
 #include "linux-ca-locations.hpp"
 #include "../plugin-support.h"
 
+namespace {
+bool containsCrlfOrNul(const QByteArray &data)
+{
+    return data.contains('\r') || data.contains('\n') || data.contains('\0');
+}
+} // namespace
+
 CurlHttpClient::CurlHttpClient(QObject *parent) : QObject(parent), multi(curl_multi_init()), pollTimer(new QTimer(this))
 {
     obs_log(LOG_DEBUG, "CurlHttpClient created");
@@ -65,6 +72,17 @@ CURL *CurlHttpClient::createEasyHandle(
 
     struct curl_slist *headerList = nullptr;
     for (auto it = headers.constBegin(); it != headers.constEnd(); ++it) {
+        if (containsCrlfOrNul(it.key()) || containsCrlfOrNul(it.value())) {
+            obs_log(
+                LOG_ERROR, "CurlHttpClient: Refusing to send request with CR/LF/NUL in header (key=%s)",
+                it.key().constData()
+            );
+            if (headerList) {
+                curl_slist_free_all(headerList);
+            }
+            curl_easy_cleanup(easy);
+            return nullptr;
+        }
         QByteArray headerLine = it.key() + ": " + it.value();
         struct curl_slist *next = curl_slist_append(headerList, headerLine.constData());
         if (!next) {
@@ -81,6 +99,8 @@ CURL *CurlHttpClient::createEasyHandle(
     curl_easy_setopt(easy, CURLOPT_SSL_VERIFYPEER, 1L);
     curl_easy_setopt(easy, CURLOPT_SSL_VERIFYHOST, 2L);
     curl_easy_setopt(easy, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_3);
+    curl_easy_setopt(easy, CURLOPT_PROTOCOLS_STR, "http,https");
+    curl_easy_setopt(easy, CURLOPT_REDIR_PROTOCOLS_STR, "http,https");
     // Do not follow redirects: libcurl would replay the caller-supplied Authorization
     // header on the redirect target, leaking the OAuth2 Bearer token to a different host.
     // SRC-Link API endpoints are not expected to return 30x; any future endpoint that
@@ -338,6 +358,7 @@ size_t CurlHttpClient::headerCallback(char *ptr, size_t size, size_t nmemb, void
 {
     auto *ctx = static_cast<RequestContext *>(userdata);
     if (nmemb && size > SIZE_MAX / nmemb) {
+        ctx->responseTooLarge = true;
         return 0;
     }
     size_t totalSize = size * nmemb;

src/net/curl-http-client.hpp

@@ -90,6 +90,9 @@ class CurlHttpClient : public QObject {
     void cancelAllSilently();
 
 private:
+    // FIXME: Wrap RequestContext in std::unique_ptr and release ownership at
+    // startRequest() to remove the duplicated `delete ctx` cleanup paths in the
+    // 5 verb methods. Defer to a separate refactor PR.
     struct RequestContext {
         CURL *easy = nullptr;
         QByteArray responseData;

src/net/http-request-invoker.cpp

@@ -197,10 +197,10 @@ void HttpRequestInvoker::handleResponse(
                 } else {
                     // Refresh failed: clear the stored tokens so the user is forced
                     // back through the OAuth2 authorization flow on the next request.
-                    self->sequencer->oauth2Client->unlink();
                     QMutexLocker locker(&self->sequencer->mutex);
                     self->sequencer->requestQueue.removeOne(self);
                     locker.unlock();
+                    self->sequencer->oauth2Client->unlink();
                     emit self->finished(HttpError::AuthenticationRequired, data);
                     self->deleteLater();
                 }

src/net/local-http-server.cpp

@@ -94,7 +94,14 @@ bool LocalHttpServer::listen(int port)
     if (setsockopt(
             serverSocket, SOL_SOCKET, SO_EXCLUSIVEADDRUSE, reinterpret_cast<const char *>(&optval), sizeof(optval)
         ) != 0) {
-        obs_log(LOG_WARNING, "LocalHttpServer: setsockopt(SO_EXCLUSIVEADDRUSE) failed with error %d", WSAGetLastError());
+        obs_log(
+            LOG_ERROR,
+            "LocalHttpServer: setsockopt(SO_EXCLUSIVEADDRUSE) failed (WSAGetLastError=%d) — refusing to listen for OAuth2 callback on shared port",
+            WSAGetLastError()
+        );
+        closeSocket(serverSocket);
+        serverSocket = INVALID_SOCKET_HANDLE;
+        return false;
     }
 #else
     // Allow address reuse for quick restart after close

src/net/ws-client.cpp

@@ -96,14 +96,23 @@ void WsClient::open(const QUrl &url)
     }
     // Some servers require an Origin header for the upgrade handshake.
     if (!requestHeaders.contains("Origin")) {
-        QString scheme;
-        if (url.scheme().compare("wss", Qt::CaseInsensitive) == 0) {
-            scheme = "https";
+        const QString urlScheme = url.scheme().toLower();
+        QString originScheme;
+        if (urlScheme == "wss") {
+            originScheme = "https";
         } else {
-            scheme = "http";
+            originScheme = "http";
         }
-        QByteArray origin = QString("%1://%2").arg(scheme, url.host()).toUtf8();
-        slist = curl_slist_append(slist, QByteArray("Origin: " + origin).constData());
+        // RFC 6454 §6.1: omit the port when it matches the scheme default.
+        const int port = url.port();
+        QString origin;
+        if ((port == -1) || (port == 80 && (urlScheme == "ws" || urlScheme == "http")) ||
+            (port == 443 && (urlScheme == "wss" || urlScheme == "https"))) {
+            origin = QString("%1://%2").arg(originScheme, url.host());
+        } else {
+            origin = QString("%1://%2:%3").arg(originScheme, url.host()).arg(port);
+        }
+        slist = curl_slist_append(slist, QByteArray("Origin: " + origin.toUtf8()).constData());
     }
     headerList = slist;
 
@@ -129,7 +138,7 @@ void WsClient::performConnect()
     curl_easy_setopt(easy, CURLOPT_SSL_VERIFYPEER, 1L);
     curl_easy_setopt(easy, CURLOPT_SSL_VERIFYHOST, 2L);
     curl_easy_setopt(easy, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_3);
-    curl_easy_setopt(easy, CURLOPT_CONNECTTIMEOUT, 5L);
+    curl_easy_setopt(easy, CURLOPT_CONNECTTIMEOUT_MS, 3000L);
     curl_easy_setopt(easy, CURLOPT_NOSIGNAL, 1L);
     // TCP keepalive for dead peer detection (NAT timeout, cable unplug)
     curl_easy_setopt(easy, CURLOPT_TCP_KEEPALIVE, 1L);
@@ -170,6 +179,9 @@ void WsClient::performConnect()
     QPointer<WsClient> guard(this);
     connectThread = std::thread([guard, easyLocal, gen]() {
         CURLcode res = curl_easy_perform(easyLocal);
+        // QPointer contract: guard.data() is the receiver, but its dereference happens
+        // lazily inside the queued lambda on the UI thread, after dtor's joinConnectThread()
+        // ensures the worker has finished.
         QMetaObject::invokeMethod(
             guard.data(),
             [guard, res, gen]() {
@@ -275,6 +287,8 @@ void WsClient::cleanup()
         // Detach via deleteLater() so a cleanup() invoked synchronously from inside pollRecv()
         // (the recvNotifier's own slot) does not destroy the QObject whose signal stack is active.
         recvNotifier->setEnabled(false);
+        // Order: notifier disconnect/deleteLater must precede curl_easy_cleanup so the
+        // socket fd is not torn out from under an active slot.
         recvNotifier->disconnect();
         recvNotifier->deleteLater();
         recvNotifier = nullptr;
@@ -349,6 +363,7 @@ qint64 WsClient::sendRaw(const char *data, size_t len, unsigned int flags, bool
 
     size_t totalSent = 0;
     int selectRetries = 0;
+    // UI thread only — no `easy` reset can race the loop iteration.
     while (totalSent < len) {
         size_t sent = 0;
         CURLcode res = curl_ws_send(easy, data + totalSent, len - totalSent, &sent, 0, flags);
@@ -401,12 +416,13 @@ void WsClient::ping()
         return;
     }
 
-    pingTimestamp = QDateTime::currentMSecsSinceEpoch();
     size_t sent = 0;
     CURLcode res = curl_ws_send(easy, "", 0, &sent, 0, CURLWS_PING);
     // CURLE_AGAIN here just means the socket buffer is briefly full; treat it as best-effort.
     // Any other error indicates the connection is gone — handle the same way as a recv failure.
-    if (res != CURLE_OK && res != CURLE_AGAIN) {
+    if (res == CURLE_OK) {
+        pingTimestamp = QDateTime::currentMSecsSinceEpoch();
+    } else if (res != CURLE_AGAIN) {
         obs_log(LOG_DEBUG, "WsClient ping send failed: %s", curl_easy_strerror(res));
         // Mark disconnected synchronously so subsequent ping ticks short-circuit via isValid().
         connected = false;
@@ -463,13 +479,24 @@ void WsClient::pollRecv()
                 obs_log(LOG_DEBUG, "WsClient close echo failed: %s", curl_easy_strerror(echoRes));
             }
             connected = false;
+            if (!fragmentBuffer.isEmpty()) {
+                obs_log(
+                    LOG_INFO, "Discarding partial fragmented message (%lld bytes, type=%d) on close",
+                    static_cast<long long>(fragmentBuffer.size()), static_cast<int>(fragmentType)
+                );
+            }
             cleanup();
             emit closed();
             return;
         }
 
         if (meta->flags & CURLWS_PONG) {
-            qint64 elapsed = QDateTime::currentMSecsSinceEpoch() - pingTimestamp;
+            if (pingTimestamp == 0) {
+                // Unsolicited PONG (RFC 6455 §5.5.3) — skip RTT report.
+                continue;
+            }
+            const qint64 elapsed = QDateTime::currentMSecsSinceEpoch() - pingTimestamp;
+            pingTimestamp = 0; // reset after consuming
             emit pongReceived(static_cast<quint64>(elapsed >= 0 ? elapsed : 0));
             continue;
         }