cmd/go/internal/script: add fuzz test for quoteArgs

Adds a fuzz test for quoteArgs and fixes the bugs it found:
handling of empty strings and strings containing "&" or "$".

This is a copy of a similar change submitted to rsc.io/script:
https://github.com/rsc/script/pull/10

Change-Id: I76e7fc89475e1c4e415f45f2c7ac4a87a7a659e6
Reviewed-on: https://go-review.googlesource.com/c/go/+/566316
Reviewed-by: Michael Matloob <matloob@golang.org>
Reviewed-by: Michael Matloob <matloob@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>

5 files changed, 42 insertions, 3 deletions

diff --git a/src/cmd/internal/script/engine.go b/src/cmd/internal/script/engine.go
index 9480741c10..7ca2be1a77 100644
--- a/src/cmd/internal/script/engine.go
+++ b/src/cmd/internal/script/engine.go
@@ -493,15 +493,13 @@ func expandArgs(s *State, rawArgs [][]argFragment, regexpArgs []int) []string {
 }
 
 // quoteArgs returns a string that parse would parse as args when passed to a command.
-//
-// TODO(bcmills): This function should have a fuzz test.
 func quoteArgs(args []string) string {
 	var b strings.Builder
 	for i, arg := range args {
 		if i > 0 {
 			b.WriteString(" ")
 		}
-		if strings.ContainsAny(arg, "'"+argSepChars) {
+		if len(arg) == 0 || strings.ContainsAny(arg, "&'$"+argSepChars) {
 			// Quote the argument to a form that would be parsed as a single argument.
 			b.WriteString("'")
 			b.WriteString(strings.ReplaceAll(arg, "'", "''"))
diff --git a/src/cmd/internal/script/engine_test.go b/src/cmd/internal/script/engine_test.go
new file mode 100644
index 0000000000..45d0a0faf9
--- /dev/null
+++ b/src/cmd/internal/script/engine_test.go
@@ -0,0 +1,35 @@
+// Copyright 2026 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package script
+
+import (
+	"context"
+	"slices"
+	"testing"
+)
+
+func FuzzQuoteArgs(f *testing.F) {
+	state, err := NewState(context.Background(), f.TempDir(), nil /* env */)
+	if err != nil {
+		f.Fatalf("failed to create state: %v", err)
+	}
+
+	f.Add("foo")
+	f.Add(`"foo"`)
+	f.Add(`'foo'`)
+	f.Fuzz(func(t *testing.T, s string) {
+		give := []string{s}
+		quoted := quoteArgs(give)
+		cmd, err := parse("file.txt", 42, "cmd "+quoted)
+		if err != nil {
+			t.Fatalf("quoteArgs(%q) = %q cannot be parsed: %v", give, quoted, err)
+		}
+		args := expandArgs(state, cmd.rawArgs, nil /* regexpArgs */)
+
+		if !slices.Equal(give, args) {
+			t.Fatalf("quoteArgs failed to round-trip.\ninput:\n\t%#q\nquoted:\n\t%q\nparsed:\n\t%#q", give, quoted, args)
+		}
+	})
+}
diff --git a/src/cmd/internal/script/testdata/fuzz/FuzzQuoteArgs/2abacd54f8b6b056 b/src/cmd/internal/script/testdata/fuzz/FuzzQuoteArgs/2abacd54f8b6b056
new file mode 100644
index 0000000000..8e2be246c5
--- /dev/null
+++ b/src/cmd/internal/script/testdata/fuzz/FuzzQuoteArgs/2abacd54f8b6b056
@@ -0,0 +1,2 @@
+go test fuzz v1
+string("0\xa2$000")
diff --git a/src/cmd/internal/script/testdata/fuzz/FuzzQuoteArgs/5838cdfae7b16cde b/src/cmd/internal/script/testdata/fuzz/FuzzQuoteArgs/5838cdfae7b16cde
new file mode 100644
index 0000000000..64c3abaff8
--- /dev/null
+++ b/src/cmd/internal/script/testdata/fuzz/FuzzQuoteArgs/5838cdfae7b16cde
@@ -0,0 +1,2 @@
+go test fuzz v1
+string("")
diff --git a/src/cmd/internal/script/testdata/fuzz/FuzzQuoteArgs/e6019c3e89cc4df9 b/src/cmd/internal/script/testdata/fuzz/FuzzQuoteArgs/e6019c3e89cc4df9
new file mode 100644
index 0000000000..67f8cfc58b
--- /dev/null
+++ b/src/cmd/internal/script/testdata/fuzz/FuzzQuoteArgs/e6019c3e89cc4df9
@@ -0,0 +1,2 @@
+go test fuzz v1
+string("&")