Skip to content

[duplicate-code] Duplicate Code Pattern: Manual truncation bypassing strutil/sanitize utilities #3737

Closed
#3750
Closed
[duplicate-code] Duplicate Code Pattern: Manual truncation bypassing strutil/sanitize utilities#3737
#3750
Labels
automated-analysiscode-quality
@github-actions

Description

@github-actions
github-actions
bot
opened on Apr 14, 2026

Part of duplicate code analysis: #3735

Summary

Two files in the latest commit perform manual inline string truncation using raw byte-index slicing + "..." concatenation, bypassing the established strutil.Truncate and sanitize.TruncateSecret utilities that already exist in the codebase for exactly this purpose.

Duplication Details

Pattern: Inline truncation instead of strutil.Truncate / sanitize.TruncateSecret

  • Severity: Medium
  • Occurrences: 2 (bypassing 2 different established utilities)
  • Locations:
    • internal/logger/rpc_helpers.go (line 133)
    • internal/cmd/root.go (line 608)

Instance 1 — rpc_helpers.go:133 (bypasses strutil.Truncate):

// Current — manual truncation:
if len(cleanedLine) > 200 {
    cleanedLine = cleanedLine[:197] + "..."
}

// Should be:
cleanedLine = strutil.Truncate(cleanedLine, 197)

The package already imports strutil (used in truncateAndSanitize on line 48). The manual pattern repeats logic already in strutil.Truncate.

Instance 2 — root.go:608 (bypasses sanitize.TruncateSecret):

// Current — custom 10-char truncation for secret display:
displayValue := value
if len(value) > 0 {
    displayValue = value[:min(10, len(value))] + "..."
}
log.Printf("  Loaded: %s=%s", key, displayValue)

// Should use the established secret truncation utility:
log.Printf("  Loaded: %s=%s", key, sanitize.TruncateSecret(value))

The codebase uses sanitize.TruncateSecret throughout for exactly this purpose (auth headers, env vars in launcher, session IDs). The custom code truncates to 10 chars whereas TruncateSecret truncates to 4 chars — an inconsistency in security logging depth.

Impact Analysis

  • Maintainability: If strutil.Truncate or sanitize.TruncateSecret semantics change, these inline versions won't track the change
  • Bug Risk: Medium — root.go:608 exposes 10 chars of environment variable values in logs; TruncateSecret consistently exposes only 4 chars. This inconsistency could leak more of a secret value than intended
  • Code Bloat: Minor — but the inconsistency creates confusion about which truncation approach is authoritative

Refactoring Recommendations

  1. rpc_helpers.go:133 — Replace 4-line manual truncation with strutil.Truncate:

    cleanedLine = strutil.Truncate(cleanedLine, 197)

    Note: strutil.Truncate(s, 197) produces s[:197] + "..." for strings longer than 197 bytes, which is equivalent to the current code.

  2. root.go:608 — Replace custom secret truncation with sanitize.TruncateSecret:

    log.Printf("  Loaded: %s=%s", key, sanitize.TruncateSecret(value))

    Add import: "github.com/github/gh-aw-mcpg/internal/logger/sanitize" (or the existing import if present).

Implementation Checklist

  • Replace manual truncation in rpc_helpers.go:133 with strutil.Truncate
  • Replace custom secret display in root.go:608 with sanitize.TruncateSecret
  • Verify import paths are correct in both files
  • Run make test-unit to confirm no regressions
  • Note: TruncateSecret shows 4 chars vs the current 10 — confirm with security posture

Parent Issue

See parent analysis report: #3735
Related to #3735

Generated by Duplicate Code Detector · ● 2.4M ·

  • expires on Apr 21, 2026, 6:13 AM UTC

Metadata

Metadata

Assignees

No one assigned

    Labels

    automated-analysiscode-quality

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions