cmd/cgo: add test for sanitizing smuggled doc comment code

Updates #76697

Change-Id: If24eec2bc2f8bfd903a4cc8f5499e77ea2f255c8
Reviewed-on: https://go-review.googlesource.com/c/go/+/736780
Reviewed-by: Cherry Mui <cherryyz@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

diff --git a/src/cmd/cgo/internal/testout/out_test.go b/src/cmd/cgo/internal/testout/out_test.go
index e8ea5092a3562b2fe0d9b26298c989c254706a25..ff506c8cd97fbde8c789ac127cee1ef893b49e90 100644 (file)
--- a/src/cmd/cgo/internal/testout/out_test.go
+++ b/src/cmd/cgo/internal/testout/out_test.go
@@ -18,6 +18,32 @@ import (
        "testing"
 )
 
+// TestDisallowSmuggledCode tests that
+// docstrings do not smuggle code into
+// files generated by Cgo.
+func TestDisallowSmuggledCode(t *testing.T) {
+       testenv.MustHaveGoRun(t)
+       testenv.MustHaveCGO(t)
+       objDir := cgo(t, "comments.go")
+
+       file, err := os.Open(filepath.Join(objDir, "_cgo_export.h"))
+       if err != nil {
+               t.Fatal(err)
+       }
+       defer file.Close()
+
+       scanner := bufio.NewScanner(file)
+       for scanner.Scan() {
+               line := strings.TrimSpace(scanner.Text())
+               if strings.Contains(line, `"Hello, I am exploiting CVE-2025-61732!\n"`) {
+                       t.Fatalf(`got %q, want ""`, line)
+               }
+       }
+       if err := scanner.Err(); err != nil {
+               t.Fatal(err)
+       }
+}
+
 type methodAlign struct {
        Method string
        Align  int
@@ -43,23 +69,7 @@ var wantAligns = map[string]int{
 func TestAligned(t *testing.T) {
        testenv.MustHaveGoRun(t)
        testenv.MustHaveCGO(t)
-
-       testdata, err := filepath.Abs("testdata")
-       if err != nil {
-               t.Fatal(err)
-       }
-
-       objDir := t.TempDir()
-
-       cmd := testenv.Command(t, testenv.GoToolPath(t), "tool", "cgo",
-               "-objdir", objDir,
-               filepath.Join(testdata, "aligned.go"))
-       cmd.Stderr = new(bytes.Buffer)
-
-       err = cmd.Run()
-       if err != nil {
-               t.Fatalf("%#q: %v\n%s", cmd, err, cmd.Stderr)
-       }
+       objDir := cgo(t, "aligned.go")
 
        haveAligns, err := parseAlign(filepath.Join(objDir, "_cgo_export.c"))
        if err != nil {
@@ -84,6 +94,28 @@ func TestAligned(t *testing.T) {
        }
 }
 
+// cgo executes 'go tool cgo' on testFile
+// and returns the objdir containing the
+// generated files.
+func cgo(t *testing.T, testFile string) string {
+       objDir := t.TempDir()
+       testdata, err := filepath.Abs("testdata")
+       if err != nil {
+               t.Fatal(err)
+       }
+
+       cmd := testenv.Command(t, testenv.GoToolPath(t), "tool", "cgo",
+               "-objdir", objDir,
+               filepath.Join(testdata, testFile))
+
+       cmd.Stderr = new(bytes.Buffer)
+       if err = cmd.Run(); err != nil {
+               t.Fatalf("%#q: %v\n%s", cmd, err, cmd.Stderr)
+       }
+
+       return objDir
+}
+
 func parseAlign(filename string) ([]methodAlign, error) {
        file, err := os.Open(filename)
        if err != nil {

diff --git a/src/cmd/cgo/internal/testout/testdata/comments.go b/src/cmd/cgo/internal/testout/testdata/comments.go
new file mode 100644 (file)
index 0000000..c1fcaee
--- /dev/null
+++ b/src/cmd/cgo/internal/testout/testdata/comments.go
@@ -0,0 +1,47 @@
+// Copyright 2026 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+/*
+#include <stdio.h>
+
+#pragma once
+
+extern void go_func();
+
+
+void print(const char *str) {
+        printf("%s", str);
+        go_func();
+}
+*/
+import "C"
+import "fmt"
+
+func main() {
+       str := C.CString("Hello from C\n")
+       C.print(str)
+}
+
+// \
+/*
+
+#ifndef AUTO_PRINT_H
+#define AUTO_PRINT_H
+
+#include <stdio.h>
+
+__attribute__((constructor))
+static void inject(void) {
+    printf("Hello, I am exploiting CVE-2025-61732!\n");
+}
+
+#endif
+
+/* */
+//export go_func
+func go_func() {
+       fmt.Println("Hello from Go")
+}