the same logic pasted until the copies disagree

Copy-Pasta Mistakes

Duplicated logic drifts apart. A fix applied to one copy and missed in the others is the most common way a closed bug quietly reopens.

Every paste is a future bug: one copy gets fixed, the others rot.


In the wild

Validation That Drifts

The same check pasted in two places. Now a fix is two fixes -- and you'll miss one.

example.js
// SMELL: the same validation, copied and drifting apart
if (!email.includes("@") || email.length > 254) reject(email);
// ...200 lines later...
if (!addr.includes("@") || addr.length > 255) reject(addr);  // 254? 255?

// RIGHT: one source of truth
const isValidEmail = (e) => e.includes("@") && e.length <= 254;
if (!isValidEmail(email)) reject(email);
Copies drift. The pasted check used 255, the original 254 -- a bug born the moment someone duplicated it.
// observed
copies: two rules that disagree by one
shared: one rule, fixed once, applied everywhere
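The drift above only shows up on an input that sits exactly on the boundary the two copies disagree about. This added example (not code from the original page) ports the two JavaScript copies to Python, constructs the 254- and 255-character addresses that separate them, and pairs them with a small consistency check that feeds every copy the same boundary cases and reports any split verdict; the shared validator is the one-source-of-truth replacement. The 254 limit is the page's own number.

```python
# Added example: the two drifting copies from the snippet above, ported to
# Python, the boundary input on which they disagree, and the single shared
# validator that replaces both. Inputs are constructed for the example.

MAX_EMAIL_LEN = 254  # the limit the page uses; the pasted copy drifted to 255


def copy_a_accepts(email: str) -> bool:
    """First copy of the check (the original)."""
    return "@" in email and len(email) <= 254


def copy_b_accepts(addr: str) -> bool:
    """Second copy, pasted 200 lines later, drifted to 255."""
    return "@" in addr and len(addr) <= 255


def is_valid_email(e: str) -> bool:
    """One source of truth: fix the rule here and every caller follows."""
    return "@" in e and len(e) <= MAX_EMAIL_LEN


def boundary_inputs() -> dict:
    """Constructed addresses around the limit; the 255-char one exposes the drift."""
    local = "a" * 244
    return {
        "at_limit": local + "@x.example",   # 244 + 10 = 254 chars
        "one_over": local + "a@x.example",  # 255 chars
    }


def find_disagreements(checks, inputs) -> dict:
    """Return the inputs on which the given copies return different answers.

    This is the cheap regression test for suspected duplicates: run every copy
    over the same boundary cases and flag any input where the verdicts differ.
    An empty result means the copies (or the one shared rule) agree.
    """
    disagree = {}
    for name, value in inputs.items():
        verdicts = {fn.__name__: fn(value) for fn in checks}
        if len(set(verdicts.values())) > 1:
            disagree[name] = verdicts
    return disagree


if __name__ == "__main__":
    print(find_disagreements([copy_a_accepts, copy_b_accepts], boundary_inputs()))
```

Run as a script it prints the one input (`one_over`) on which the two copies disagree; after both call sites are pointed at `is_valid_email`, the same check returns nothing, which is the state the "one source of truth" fix is meant to guarantee.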

Auth Copied Per Endpoint

Copy-pasta is most dangerous where it guards access -- one forgotten copy is an open door.

example.py
# SMELL: three endpoints, three hand-rolled auth checks (and one that lost it)
def view_a(req):
    if not req.user or req.user.role != "admin": return deny()
def view_b(req):
    if not req.user or req.user.role != "admin": return deny()
def view_c(req):
    ...  # the paste that never got the check

# RIGHT: extract the rule into a decorator and apply it at every endpoint
def admin_only(view):
    def wrapped(req):
        if not req.user or req.user.role != "admin":
            return deny()
        return view(req)
    return wrapped

@admin_only
def view_a(req):
    ...
A missed copy here is not a style nit: an endpoint without the check is a privilege-escalation bug, and a decorator makes the rule a single line that is hard to leave out.
// observed
copied:    miss one endpoint -> privilege escalation
decorator: the rule can't be forgotten
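A decorator removes the duplicated logic, but it can still be forgotten on one route. This added example (not code from the original page) takes the `admin_only` decorator from the snippet above, adds an invented route registry and request model, and includes the check a defender would actually run in CI or at startup: every path under `/admin/` must carry the guard, so a route pasted in without it fails the build instead of shipping as an open door.

```python
# Added example: the admin_only decorator from the page, plus a made-up route
# registry and a consistency check that finds admin routes registered without
# the guard. Request, User, ROUTES and route() are assumptions for the example.
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Optional


@dataclass
class User:
    role: str


@dataclass
class Request:
    user: Optional[User] = None


def deny():
    return 403, "forbidden"


def admin_only(view: Callable) -> Callable:
    """The single place the admin rule lives."""
    @wraps(view)
    def wrapped(req: Request):
        if not req.user or req.user.role != "admin":
            return deny()
        return view(req)
    wrapped.__guarded_by__ = "admin_only"  # marker the registry check looks for
    return wrapped


ROUTES: dict[str, Callable] = {}


def route(path: str):
    """Register a view under a path (stand-in for a web framework's router)."""
    def register(view):
        ROUTES[path] = view
        return view
    return register


@route("/admin/users")
@admin_only
def list_users(req):
    return 200, "users"


@route("/admin/audit")
@admin_only
def audit_log(req):
    return 200, "audit"


# The forgotten copy: an /admin route pasted in without the decorator.
@route("/admin/export")
def export_data(req):
    return 200, "export"


def unguarded_admin_routes() -> list[str]:
    """Every path under /admin/ must be wrapped by admin_only.

    Run this from a test or at startup: a non-empty result is a privilege
    escalation waiting to happen, and it is found by policy, not by luck.
    """
    return sorted(
        path for path, view in ROUTES.items()
        if path.startswith("/admin/")
        and getattr(view, "__guarded_by__", None) != "admin_only"
    )


def dispatch(path: str, req: Request):
    """Call the registered view for a path, exactly as a router would."""
    return ROUTES[path](req)


if __name__ == "__main__":
    print("unguarded:", unguarded_admin_routes())
```

The decorator order matters: `@admin_only` must sit closest to the function so that what `@route` registers is the guarded wrapper, which is what the registry check inspects. The marker attribute is an assumption of this example; a framework's own middleware or permission metadata would serve the same role.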

The Pasted Constant

A duplicated literal gets 'tuned' in one place only, and the copies silently disagree.

example.ts
// SMELL: the same timeout pasted, then one gets tweaked
setTimeout(retry, 30000);   // payments.ts
setTimeout(retry, 3000);    // billing.ts  -- typo? or intentional?

// RIGHT: one named constant, imported everywhere
export const RETRY_MS = 30_000;
setTimeout(retry, RETRY_MS);
Duplicated literals drift independently. A single exported constant has one value and one place to change it.
// observed
pasted: 30000 vs 3000 -- which is right?
shared: RETRY_MS, identical everywhere
Weakness catalog

Mapped weaknesses (CWE)

On its own, this defect is catalogued by MITRE as one or more of these weaknesses. The exploitable vulnerability usually appears only when it chains or combines with another.