
diff_test does not escape the error message string and allows for shell injection #1064

@kharvd

Description


Strings in failure_message are interpolated into the generated shell script without escaping special characters:

diff_test(
    name = "foo",
    file1 = ":a.txt",
    file2 = ":b.txt",
    failure_message = "shell injection: `echo hello world`",
)

Actual test output:

exec ${PAGER:-/usr/bin/less} "$0" || exit 1
Executing tests from //:foo
-----------------------------------------------------------------------------
1d0
< 1
FAIL: files "a.txt" and "b.txt" differ. shell injection: hello world

expected:

exec ${PAGER:-/usr/bin/less} "$0" || exit 1
Executing tests from //:foo
-----------------------------------------------------------------------------
1d0
< 1
FAIL: files "a.txt" and "b.txt" differ. shell injection: `echo hello world`

The same issue occurs when using failure_message = "$(echo hello world)".
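The mechanism behind the report, as an added example that is not part of bazel-skylib and does not reproduce the rule's real template: a message pasted into a double-quoted string in the generated script is subject to command substitution (backticks and $(...)) and parameter expansion, so whatever the message contains runs with the test's privileges. The hardened generator wraps the message in a single-quoted literal using the same close-escape-reopen rule as shell.quote from @bazel_skylib//lib:shell.bzl, which is the Starlark-side fix (shell.quote(ctx.attr.failure_message) before interpolation). The echo line, function names and payload strings below are constructed for the demonstration; only the two payloads come from the report.

```shell
#!/bin/sh
# Added example: models diff_test's failure_message interpolation and its fix.
# Assumption: the generated script embeds the message inside a double-quoted
# echo argument; that is what lets backticks and $(...) execute.

# Constructed sample payloads (the two from the report, kept literal here).
PAYLOAD_BACKTICK='shell injection: `echo hello world`'
PAYLOAD_SUBST='$(echo hello world)'

# POSIX single-quote escaping, same rule as skylib's shell.quote:
# each embedded ' becomes '\'' (close quote, escaped quote, reopen quote),
# then the whole value is wrapped in single quotes. Inside single quotes the
# shell performs no expansion at all. Note: $(...) strips a trailing newline
# from the message, which is harmless for a one-line failure message.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Vulnerable template: the message is pasted verbatim into a double-quoted
# string, so `...`, $(...) and $VAR in it are evaluated when the test runs.
# A double quote in the message would even break out of the string entirely.
gen_unsafe() {
    printf 'echo "FAIL: files differ. %s"\n' "$1"
}

# Hardened template: the message becomes an adjacent single-quoted literal;
# the shell concatenates it to the fixed prefix without interpreting it.
gen_safe() {
    printf 'echo "FAIL: files differ. "%s\n' "$(shell_quote "$1")"
}

# Run the generated script text with sh, as Bazel would run the test binary.
run_script() {
    sh -c "$1"
}

unsafe_output() { run_script "$(gen_unsafe "$1")"; }
safe_output()   { run_script "$(gen_safe "$1")"; }

main() {
    for p in "$PAYLOAD_BACKTICK" "$PAYLOAD_SUBST" "it's broken"; do
        printf 'message: %s\n  unsafe: %s\n  safe:   %s\n' \
            "$p" "$(unsafe_output "$p")" "$(safe_output "$p")"
    done
}

main "$@"
```

The third message, containing an apostrophe, is the case a naive single-quote wrapper gets wrong; it is included so the escaping rule is exercised, not just the expansion it prevents.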

Metadata

Labels: bug (Something isn't working), help wanted (Aspect isn't prioritizing this, but the community could)
Assignees: none
Milestone: none