From b1044d52cec54b8b251f84a80f30e375cac2d63c Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Thu, 11 Apr 2024 09:04:26 +0200
Subject: [PATCH] nix shell: Test that store paths cannot link outside of the
 store

(cherry picked from commit 26a4688a868e848760908ee15434eff2774952c3)
---
 tests/functional/shell-hello.nix | 8 ++++++++
 tests/functional/shell.sh        | 3 +++
 2 files changed, 11 insertions(+)

diff --git a/tests/functional/shell-hello.nix b/tests/functional/shell-hello.nix
index 5c9b7a4d9..c46fdec8a 100644
--- a/tests/functional/shell-hello.nix
+++ b/tests/functional/shell-hello.nix
@@ -32,6 +32,14 @@ rec {
       '';
   };
 
+  forbidden-symlink = mkDerivation {
+    name = "forbidden-symlink";
+    buildCommand =
+      ''
+        ln -s /tmp/foo/bar $out
+      '';
+  };
+
   salve-mundi = mkDerivation {
     name = "salve-mundi";
     outputs = [ "out" ];
diff --git a/tests/functional/shell.sh b/tests/functional/shell.sh
index abc091d92..8a3fef3e7 100644
--- a/tests/functional/shell.sh
+++ b/tests/functional/shell.sh
@@ -13,6 +13,9 @@ nix shell -f shell-hello.nix 'hello^*' -c hello2 | grep 'Hello2'
 # Test output paths that are a symlink.
 nix shell -f shell-hello.nix hello-symlink -c hello | grep 'Hello World'
 
+# Test that symlinks outside of the store don't work.
+expect 1 nix shell -f shell-hello.nix forbidden-symlink -c hello 2>&1 | grepQuiet "is not in the Nix store"
+
 if isDaemonNewer "2.20.0pre20231220"; then
     # Test that command line attribute ordering is reflected in the PATH
     # https://github.com/NixOS/nix/issues/7905