Do not trust unsanitized user input for I/O

Metadata

ID: php-security/avoid-path-injection

Language: PHP

Severity: Error

Category: Security

CWE: 22

Description

User input, if not properly validated or sanitized, can lead to security vulnerabilities like path traversal and code injection. These risks can compromise the application, leak sensitive data, or even lead to complete system takeover. Functions like file_get_contents can retrieve content from any location on the local disk or even from remote URLs; if they receive unsanitized user input, they might be used to perform a wide range of security attacks.

Always validate and sanitize user input before using it in file I/O operations. This can be achieved through built-in PHP functions like filter_input(), or by implementing custom validation functions. Also, consider using an allowlist approach, where only known safe input is allowed. For example, in the compliant code below, the function is_allowed() could be used to check if the filename provided by the user is in a list of allowed filenames.

Non-Compliant Code Examples

<?php
$fileName = $_GET["filename"];
file_get_contents($fileName);

Compliant Code Examples

<?php
$fileName = $_GET["filename"];
if (is_allowed($fileName)) {
    file_get_contents($fileName);
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis