Skip to content

Commit

Permalink
no-broken-symlinks: restrict checks to symlinks pointing inside the s…
Browse files Browse the repository at this point in the history
…tore (#376261)
ConnorBaker authored Jan 25, 2025
2 parents b8ea3c5 + 1166b63 commit b52c272
Showing 3 changed files with 27 additions and 4 deletions.
4 changes: 4 additions & 0 deletions doc/stdenv/stdenv.chapter.md
Original file line number Diff line number Diff line change
@@ -1377,6 +1377,10 @@ This setup hook checks for, reports, and (by default) fails builds when "broken"

This hook can be disabled by setting `dontCheckForBrokenSymlinks`.

::: {.note}
The hook only considers symlinks with targets inside the Nix store.
:::

::: {.note}
The check for reflexivity is direct and does not account for transitivity, so this hook will not prevent cycles in symlinks.
:::
5 changes: 5 additions & 0 deletions pkgs/build-support/setup-hooks/no-broken-symlinks.sh
Original file line number Diff line number Diff line change
@@ -45,6 +45,11 @@ noBrokenSymlinks() {
symlinkTarget="$(realpath --no-symlinks --canonicalize-missing "$pathParent/$symlinkTarget")"
fi

if [[ $symlinkTarget != "$NIX_STORE"/* ]]; then
nixInfoLog "symlink $path points outside the Nix store; ignoring"
continue
fi

if [[ $path == "$symlinkTarget" ]]; then
nixErrorLog "the symlink $path is reflexive $symlinkTarget"
numReflexiveSymlinks+=1
22 changes: 18 additions & 4 deletions pkgs/test/stdenv/no-broken-symlinks.nix
Original file line number Diff line number Diff line change
@@ -5,21 +5,25 @@
}:

let
inherit (lib.strings) concatStringsSep;
inherit (lib.strings) concatStringsSep optionalString;
inherit (pkgs) runCommand;
inherit (pkgs.testers) testBuildFailure;

mkDanglingSymlink = absolute: ''
ln -s${if absolute then "r" else ""} "$out/dangling" "$out/dangling-symlink"
ln -s${optionalString (!absolute) "r"} "$out/dangling" "$out/dangling-symlink"
'';

mkReflexiveSymlink = absolute: ''
ln -s${if absolute then "r" else ""} "$out/reflexive-symlink" "$out/reflexive-symlink"
ln -s${optionalString (!absolute) "r"} "$out/reflexive-symlink" "$out/reflexive-symlink"
'';

mkValidSymlink = absolute: ''
touch "$out/valid"
ln -s${if absolute then "r" else ""} "$out/valid" "$out/valid-symlink"
ln -s${optionalString (!absolute) "r"} "$out/valid" "$out/valid-symlink"
'';

mkValidSymlinkOutsideNixStore = absolute: ''
ln -s${optionalString (!absolute) "r"} "/etc/my_file" "$out/valid-symlink"
'';

testBuilder =
@@ -188,4 +192,14 @@ in
name = "pass-valid-symlink-absolute";
commands = [ (mkValidSymlink true) ];
};

pass-valid-symlink-outside-nix-store-relative = testBuilder {
name = "pass-valid-symlink-outside-nix-store-relative";
commands = [ (mkValidSymlinkOutsideNixStore false) ];
};

pass-valid-symlink-outside-nix-store-absolute = testBuilder {
name = "pass-valid-symlink-outside-nix-store-absolute";
commands = [ (mkValidSymlinkOutsideNixStore true) ];
};
}

0 comments on commit b52c272

Please sign in to comment.