cmd/go/internal/script: add fuzz test for quoteArgs

Adds a fuzz test for quoteArgs and fixes the bugs it found:
handling of empty strings and strings containing "&" or "$".

This is a copy of a similar change submitted to rsc.io/script:
https://github.com/rsc/script/pull/10

Change-Id: I76e7fc89475e1c4e415f45f2c7ac4a87a7a659e6
Reviewed-on: https://go-review.googlesource.com/c/go/+/566316
Reviewed-by: Michael Matloob <matloob@golang.org>
Reviewed-by: Michael Matloob <matloob@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>

1 files changed, 1 insertions, 3 deletions

diff --git a/src/cmd/internal/script/engine.go b/src/cmd/internal/script/engine.go
index 9480741c10..7ca2be1a77 100644
--- a/src/cmd/internal/script/engine.go
+++ b/src/cmd/internal/script/engine.go
@@ -493,15 +493,13 @@ func expandArgs(s *State, rawArgs [][]argFragment, regexpArgs []int) []string {
 }
 
 // quoteArgs returns a string that parse would parse as args when passed to a command.
-//
-// TODO(bcmills): This function should have a fuzz test.
 func quoteArgs(args []string) string {
 	var b strings.Builder
 	for i, arg := range args {
 		if i > 0 {
 			b.WriteString(" ")
 		}
-		if strings.ContainsAny(arg, "'"+argSepChars) {
+		if len(arg) == 0 || strings.ContainsAny(arg, "&'$"+argSepChars) {
 			// Quote the argument to a form that would be parsed as a single argument.
 			b.WriteString("'")
 			b.WriteString(strings.ReplaceAll(arg, "'", "''"))