From 6ecf9e091c53d592edeb202378a5b5c920dfde55 Mon Sep 17 00:00:00 2001
From: Robert Helgesson
Date: Wed, 13 Sep 2017 15:19:49 +0200
Subject: [PATCH] home-environment: fail if a home.file is outside $HOME
---
 modules/home-environment.nix | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/modules/home-environment.nix b/modules/home-environment.nix
index 5db2fbd6f..db4a9847a 100644
--- a/modules/home-environment.nix
+++ b/modules/home-environment.nix
@@ -416,11 +416,19 @@ in
 concatStringsSep "\n" (
 mapAttrsToList (n: v:
 ''
+ target="$(realpath -m "$out/${v.target}")"
+
+ # Target file must be within $HOME.
+ if [[ ! "$target" =~ "$out" ]] ; then
+ echo "Error installing file '${v.target}' outside \$HOME" >&2
+ exit 1
+ fi
+
 if [ -d "${v.source}" ]; then
 mkdir -pv "$(dirname "$out/${v.target}")"
- ln -sv "${v.source}" "$out/${v.target}"
+ ln -sv "${v.source}" "$target"
 else
- install -D -m${v.mode} "${v.source}" "$out/${v.target}"
+ install -D -m${v.mode} "${v.source}" "$target"
 fi
 ''
 ) cfg.file
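Review bot: The containment test `[[ ! "$target" =~ "$out" ]]` is a substring match rather than a prefix match. With the right-hand side quoted, `=~` compares literally and unanchored, so a resolved path that merely contains the `$out` string, or a sibling directory whose name begins with it, still passes. Comparing against the directory prefix is stricter: `if [[ "$target" != "$out"/* ]] ; then`. The directory branch also still runs `mkdir -pv "$(dirname "$out/${v.target}")"` on the un-normalised path while `ln` uses `$target`; `mkdir -pv "$(dirname "$target")"` would keep the two consistent. The enclosing Nix expression starts and ends outside the hunk.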