diff --git a/tests/functional/shell-hello.nix b/tests/functional/shell-hello.nix
index 5c9b7a4d9..c46fdec8a 100644
--- a/tests/functional/shell-hello.nix
+++ b/tests/functional/shell-hello.nix
@@ -32,6 +32,14 @@ rec {
       '';
   };
 
+  forbidden-symlink = mkDerivation {
+    name = "forbidden-symlink";
+    buildCommand =
+      ''
+        ln -s /tmp/foo/bar $out
+      '';
+  };
+
   salve-mundi = mkDerivation {
     name = "salve-mundi";
     outputs = [ "out" ];
diff --git a/tests/functional/shell.sh b/tests/functional/shell.sh
index abc091d92..8a3fef3e7 100644
--- a/tests/functional/shell.sh
+++ b/tests/functional/shell.sh
@@ -13,6 +13,9 @@ nix shell -f shell-hello.nix 'hello^*' -c hello2 | grep 'Hello2'
 # Test output paths that are a symlink.
 nix shell -f shell-hello.nix hello-symlink -c hello | grep 'Hello World'
 
+# Test that symlinks outside of the store don't work.
+expect 1 nix shell -f shell-hello.nix forbidden-symlink -c hello 2>&1 | grepQuiet "is not in the Nix store"
+
 if isDaemonNewer "2.20.0pre20231220"; then
     # Test that command line attribute ordering is reflected in the PATH
     # https://github.com/NixOS/nix/issues/7905