Disallow build products that are symlinks

Otherwise you can do

  ln -s /etc/passwd $out/foo
  echo "file misc $out/foo" >> $out/nix-support/hydra-build-products

and get Hydra to serve its /etc/passwd file.

src/lib/Hydra/Controller/Build.pm

@@ -173,6 +173,7 @@ sub checkPath {
     my $storeDir = $Nix::Config::storeDir . "/";
     error($c, "Invalid path in build product.")
         if substr($path, 0, length($storeDir)) ne $storeDir || $path =~ /\/\.\./;
+    error($c, "Path ‘$path’ is a symbolic link.") if -l $path;
 }
 
 

src/lib/Hydra/Helper/AddBuilds.pm

@@ -788,16 +788,15 @@ sub addBuildProducts {
                 # Ensure that the path exists and points into the Nix store.
                 next unless File::Spec->file_name_is_absolute($path);
                 next if $path =~ /\/\.\./; # don't go up
-                next unless -e $path;
                 next unless substr($path, 0, length($storeDir)) eq $storeDir;
+                next unless -e $path;
+                next if -l $path;
 
                 # FIXME: check that the path is in the input closure
                 # of the build?
 
                 my $fileSize, my $sha1, my $sha256;
 
-                # !!! validate $path, $defaultPath
-
                 if (-f $path) {
                     my $st = stat($path) or die "cannot stat $path: $!";
                     $fileSize = $st->size;