1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
//! UTF-8-safe string truncation helpers.
//!
//! Error, log, and audit paths routinely truncate user-controlled query text
//! for display. Slicing a `&str` at a fixed byte offset (`&s[..100]`) panics
//! when that offset lands inside a multi-byte UTF-8 character — a
//! remotely-triggerable abort if the truncated string is attacker-influenced
//! (audit H20). These helpers truncate on character boundaries instead.
/// Borrow the longest prefix of `s` that is at most `max_bytes` long and ends
/// on a UTF-8 character boundary.
///
/// Returns `s` unchanged when it already fits. Never panics and never splits a
/// character: if `max_bytes` falls inside a multi-byte character, the prefix is
/// shortened to the preceding boundary (so the result may be a few bytes
/// shorter than `max_bytes`).
/// Render `s` for inclusion in an error/log message, truncated to `max_bytes`.
///
/// Returns `s` unchanged when it fits; otherwise a character-boundary-safe
/// prefix followed by a trailing `...`. This is the char-safe replacement for
/// the `if s.len() > N { format!("{}...", &s[..N]) } else { s.to_string() }`
/// snippet that was copy-pasted across the query-timeout, audit-export, and
/// error-formatting paths (audit H20).