authorNeal Patel <nealpatel@google.com>2026-01-15 13:14:32 -0500
committerNeal Patel <nealpatel@google.com>2026-01-22 10:13:51 -0800
commitdcb42485ac63059ee36355441277c831e50d14de (patch)
treedaa8a247f7bdcc3d10c7df2e9e948fa5845367c7
parentfde15bbfc1ed51c9ec8c0f8d3d610851d1a690d0 (diff)
cmd/cgo: add test for sanitizing smuggled doc comment code
Updates #76697 Change-Id: If24eec2bc2f8bfd903a4cc8f5499e77ea2f255c8 Reviewed-on: https://go-review.googlesource.com/c/go/+/736780 Reviewed-by: Cherry Mui <cherryyz@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
-rw-r--r--src/cmd/cgo/internal/testout/out_test.go66
-rw-r--r--src/cmd/cgo/internal/testout/testdata/comments.go47
2 files changed, 96 insertions, 17 deletions
diff --git a/src/cmd/cgo/internal/testout/out_test.go b/src/cmd/cgo/internal/testout/out_test.go
index e8ea5092a3..ff506c8cd9 100644
--- a/src/cmd/cgo/internal/testout/out_test.go
+++ b/src/cmd/cgo/internal/testout/out_test.go
@@ -18,6 +18,32 @@ import (
"testing"
)
+// TestDisallowSmuggledCode tests that
+// docstrings do not smuggle code into
+// files generated by Cgo.
+func TestDisallowSmuggledCode(t *testing.T) {
+ testenv.MustHaveGoRun(t)
+ testenv.MustHaveCGO(t)
+ objDir := cgo(t, "comments.go")
+
+ file, err := os.Open(filepath.Join(objDir, "_cgo_export.h"))
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer file.Close()
+
+ scanner := bufio.NewScanner(file)
+ for scanner.Scan() {
+ line := strings.TrimSpace(scanner.Text())
+ if strings.Contains(line, `"Hello, I am exploiting CVE-2025-61732!\n"`) {
+ t.Fatalf(`got %q, want ""`, line)
+ }
+ }
+ if err := scanner.Err(); err != nil {
+ t.Fatal(err)
+ }
+}
+
type methodAlign struct {
Method string
Align int
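Review bot: The scan loop in TestDisallowSmuggledCode passes whenever the one quoted printf argument is absent, so it also passes if `_cgo_export.h` stops carrying anything for `go_func` and the check has nothing to inspect. A positive assertion that the header still mentions the exported function keeps the negative check from being vacuous; the header presumably contains that name, but confirm against real cgo output. Only the header is read, so comment text reaching `_cgo_export.c`, or reaching the header in a differently escaped form, would not be caught. The failure message `got %q, want ""` would read more clearly as a statement that smuggled comment text was found in the generated file.

```go
	scanner := bufio.NewScanner(file)
	sawExport := false
	for scanner.Scan() {
		line := strings.TrimSpace(scanner.Text())
		if strings.Contains(line, "go_func") {
			sawExport = true
		}
		// … unchanged: payload string check …
	}
	// … unchanged: scanner.Err check …
	if !sawExport {
		t.Fatal("_cgo_export.h does not mention go_func; the payload check had nothing to inspect")
	}
```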
@@ -43,23 +69,7 @@ var wantAligns = map[string]int{
func TestAligned(t *testing.T) {
testenv.MustHaveGoRun(t)
testenv.MustHaveCGO(t)
-
- testdata, err := filepath.Abs("testdata")
- if err != nil {
- t.Fatal(err)
- }
-
- objDir := t.TempDir()
-
- cmd := testenv.Command(t, testenv.GoToolPath(t), "tool", "cgo",
- "-objdir", objDir,
- filepath.Join(testdata, "aligned.go"))
- cmd.Stderr = new(bytes.Buffer)
-
- err = cmd.Run()
- if err != nil {
- t.Fatalf("%#q: %v\n%s", cmd, err, cmd.Stderr)
- }
+ objDir := cgo(t, "aligned.go")
haveAligns, err := parseAlign(filepath.Join(objDir, "_cgo_export.c"))
if err != nil {
@@ -84,6 +94,28 @@ func TestAligned(t *testing.T) {
}
}
+// cgo executes 'go tool cgo' on testFile
+// and returns the objdir containing the
+// generated files.
+func cgo(t *testing.T, testFile string) string {
+ objDir := t.TempDir()
+ testdata, err := filepath.Abs("testdata")
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ cmd := testenv.Command(t, testenv.GoToolPath(t), "tool", "cgo",
+ "-objdir", objDir,
+ filepath.Join(testdata, testFile))
+
+ cmd.Stderr = new(bytes.Buffer)
+ if err = cmd.Run(); err != nil {
+ t.Fatalf("%#q: %v\n%s", cmd, err, cmd.Stderr)
+ }
+
+ return objDir
+}
+
func parseAlign(filename string) ([]methodAlign, error) {
file, err := os.Open(filename)
if err != nil {
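Review bot: The new cgo helper calls t.Fatal and t.Fatalf without first calling `t.Helper()`, so a failed `go tool cgo` run is reported at the helper's line rather than at the test that invoked it (TestAligned or TestDisallowSmuggledCode). Adding `t.Helper()` as the first statement of cgo fixes the attribution. The doc comment could also state that the helper fails the test itself on any error, and that the returned objdir comes from t.TempDir and so only lives for the duration of the calling test.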
diff --git a/src/cmd/cgo/internal/testout/testdata/comments.go b/src/cmd/cgo/internal/testout/testdata/comments.go
new file mode 100644
index 0000000000..c1fcaeea4a
--- /dev/null
+++ b/src/cmd/cgo/internal/testout/testdata/comments.go
@@ -0,0 +1,47 @@
+// Copyright 2026 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+/*
+#include <stdio.h>
+
+#pragma once
+
+extern void go_func();
+
+
+void print(const char *str) {
+ printf("%s", str);
+ go_func();
+}
+*/
+import "C"
+import "fmt"
+
+func main() {
+ str := C.CString("Hello from C\n")
+ C.print(str)
+}
+
+// \
+/*
+
+#ifndef AUTO_PRINT_H
+#define AUTO_PRINT_H
+
+#include <stdio.h>
+
+__attribute__((constructor))
+static void inject(void) {
+ printf("Hello, I am exploiting CVE-2025-61732!\n");
+}
+
+#endif
+
+/* */
+//export go_func
+func go_func() {
+ fmt.Println("Hello from Go")
+}
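Review bot: This fixture has no comment explaining that the `// \` line and the unbalanced `/*` … `/* */` block above `//export go_func` are deliberate, so a later cleanup or an automated formatter could normalise them and turn the regression test into a no-op. A short note kept away from the go_func doc comment, for example directly under the license header, would protect it: `// Test input for TestDisallowSmuggledCode. The comment block preceding go_func is intentionally malformed; do not reformat.` The note should not be placed inside or adjacent to the go_func doc comment itself, since that text is the input under test.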