
Metadata

ID: php-security/include-injection

Language: PHP

Severity: Info

Category: Best Practices

CWE: 78

Description

This rule aims to prevent code injection vulnerabilities that arise from dynamically including files through include, include_once, require, or require_once statements. Including files based on untrusted or user-supplied input can lead to arbitrary code execution, allowing attackers to inject malicious scripts into the application.

To avoid violations of this rule, developers should avoid directly using user input in include statements without proper validation or sanitization. Instead, use predefined constants, fixed paths, or whitelist allowed file names. When dynamic paths are necessary, validate them rigorously or use safe abstractions to ensure only intended files are included.

For example, instead of include($_GET['page']);, use a mapping of allowed pages or sanitize the input before including: include(__DIR__ . '/pages/' . basename($_GET['page']) . '.php');. This approach reduces the risk of injection through include statements.
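The following is an added example, not code from the Datadog rule page, showing the allowlist approach described above in full. Note that basename() alone only confines the include to one directory; it does not restrict which files in that directory can be loaded. An explicit mapping does both: the request parameter is used only as a lookup key and never becomes part of a filesystem path. The page names, the pages/ directory and the isInsideDirectory helper are assumptions made for this example.

```php
<?php
// Added example (not part of the Datadog rule page): resolve a user-supplied
// page name through an allowlist instead of using it in an include statement.
// The directory, page names and file names below are constructed for illustration.

declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Explicit allowlist: request values are keys, never path fragments.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Defence in depth: true only when $path resolves to a real file located
 * under $base (both compared after realpath() canonicalisation).
 */
function isInsideDirectory(string $path, string $base): bool
{
    $realPath = realpath($path);
    $realBase = realpath($base);
    if ($realPath === false || $realBase === false) {
        return false;
    }
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realPath, $prefix, strlen($prefix)) === 0;
}

/**
 * Map a requested page name to an absolute file path, or return null when
 * the name is not on the allowlist or the mapped file is missing/misplaced.
 */
function resolvePage(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;                       // unknown page: refuse, do not guess
    }
    $candidate = PAGES_DIR . '/' . ALLOWED_PAGES[$requested];
    if (!isInsideDirectory($candidate, PAGES_DIR)) {
        return null;                       // misconfigured mapping: refuse
    }
    return realpath($candidate);
}

// Only accept a scalar string; arrays or missing values fall back to 'home'.
$requested = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'home';

$page = resolvePage($requested);
if ($page === null) {
    http_response_code(404);
    echo 'Page not found';
    exit;
}

// Compliant: the included path comes from the allowlist, not from $_GET.
require_once $page;
```

With this structure a request such as `?page=about` loads pages/about.php, while any value that is not a key of ALLOWED_PAGES is answered with a 404 before any include statement runs, so the rule's concern (user input reaching include/require) never arises.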

Non-Compliant Code Examples

<?php

$val = "foo";

function foo($arg) {
    // Non-compliant: $val is overwritten with a request parameter and passed straight to include()
    $val = $_GET["getsomevalue"];

    include($val);
}

?>

<?php

$val = $_GET["getsomevalue"];

// Non-compliant: every include-family statement receives a user-controlled path.
// Prefixing a fixed directory does not make the user-supplied remainder safe.
include($val);
include_once($val);
require($val);
require_once($val);
include(__DIR__ . $val);
?>

Compliant Code Examples

<?php

// Compliant: literal file names
include('something.php');
include_once('something_else.php');
require('other_stuff.php');
require_once('more_stuff.php');

// Compliant: paths built only from constants and magic constants
require_once(CONFIG_DIR . '/mypage.php');
require_once( dirname( __FILE__ ) . '/apage.php' );

// Compliant: a variable that holds a hard-coded path, not user input
$foo = 'foo/bar.php';
require_once $foo;
?>