nix shell: Test that store paths cannot link outside of the store

tests/functional/shell-hello.nix

@@ -32,6 +32,14 @@ rec {
       '';
   };
 
+  forbidden-symlink = mkDerivation {
+    name = "forbidden-symlink";
+    buildCommand =
+      ''
+        ln -s /tmp/foo/bar $out
+      '';
+  };
+
   salve-mundi = mkDerivation {
     name = "salve-mundi";
     outputs = [ "out" ];

tests/functional/shell.sh

@@ -13,6 +13,9 @@ nix shell -f shell-hello.nix 'hello^*' -c hello2 | grep 'Hello2'
 # Test output paths that are a symlink.
 nix shell -f shell-hello.nix hello-symlink -c hello | grep 'Hello World'
 
+# Test that symlinks outside of the store don't work.
+expect 1 nix shell -f shell-hello.nix forbidden-symlink -c hello 2>&1 | grepQuiet "is not in the Nix store"
+
 if isDaemonNewer "2.20.0pre20231220"; then
     # Test that command line attribute ordering is reflected in the PATH
     # https://github.com/NixOS/nix/issues/7905