From 6658419f69756a005c2b9c0ac89d5a6447a4a053 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Sat, 23 Feb 2013 16:28:44 +0100
Subject: [PATCH] Disallow build products that are symlinks
Otherwise you can do ln -s /etc/passwd $out/foo echo "file misc $out/foo" >> $out/nix-support/hydra-build-products and get Hydra to serve its /etc/passwd file.
---
 src/lib/Hydra/Controller/Build.pm | 1 +
 src/lib/Hydra/Helper/AddBuilds.pm | 5 ++---
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/lib/Hydra/Controller/Build.pm b/src/lib/Hydra/Controller/Build.pm
index 8f90af43..4670e05b 100644
--- a/src/lib/Hydra/Controller/Build.pm
+++ b/src/lib/Hydra/Controller/Build.pm
@@ -173,6 +173,7 @@ sub checkPath {
 my $storeDir = $Nix::Config::storeDir . "/";
 error($c, "Invalid path in build product.") if substr($path, 0, length($storeDir)) ne $storeDir || $path =~ /\/\.\./;
+ error($c, "Path ‘$path’ is a symbolic link.") if -l $path;
 }
diff --git a/src/lib/Hydra/Helper/AddBuilds.pm b/src/lib/Hydra/Helper/AddBuilds.pm
index 6c108574..69cdbb46 100644
--- a/src/lib/Hydra/Helper/AddBuilds.pm
+++ b/src/lib/Hydra/Helper/AddBuilds.pm
@@ -788,16 +788,15 @@ sub addBuildProducts {
 # Ensure that the path exists and points into the Nix store.
 next unless File::Spec->file_name_is_absolute($path);
 next if $path =~ /\/\.\./; # don't go up
- next unless -e $path;
 next unless substr($path, 0, length($storeDir)) eq $storeDir;
+ next unless -e $path;
+ next if -l $path;
 # FIXME: check that the path is in the input closure # of the build?
 my $fileSize, my $sha1, my $sha256;
- # !!! validate $path, $defaultPath
-
 if (-f $path) {
 my $st = stat($path) or die "cannot stat $path: $!";
 $fileSize = $st->size;
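Review bot: The added `-l $path` check in checkPath only inspects the final path component, so a product path whose intermediate directory is itself a symlink pointing outside the store still satisfies the store-prefix test above it and is not rejected here. A more robust version canonicalises the path and re-applies the prefix check to the resolved form, e.g. `my $real = Cwd::realpath($path);` followed by `error($c, "Invalid path in build product.") unless defined $real && substr($real, 0, length($storeDir)) eq $storeDir;` (with `use Cwd;` in scope; the `-l` test can stay as a cheap first rejection). The same limitation applies to the `next if -l $path;` line added in src/lib/Hydra/Helper/AddBuilds.pm, where resolving once and using the resolved path for the later `stat` would also remove a lookup/use window. checkPath's start lies outside the hunk, so I am assuming `$path` is the untrusted product path and `$c` the request context.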
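Review bot: The comment at the top of the hunk, `# Ensure that the path exists and points into the Nix store.`, no longer lists every condition now that `next if -l $path;` rejects symlinks; suggest `# Ensure that the path exists, is not a symlink and points into the Nix store.` so the next reader does not drop the symlink line as redundant with the `-e` test. Moving `next unless -e $path;` after the store-prefix check is harmless since every condition must hold, and a dangling symlink is now skipped by `-e` while a live one is skipped by `-l`. addBuildProducts continues on both sides of the hunk.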