This rule aims to prevent code injection vulnerabilities that arise from dynamically including files through include, include_once, require, or require_once statements. Including files based on untrusted or user-supplied input can lead to arbitrary code execution, allowing attackers to inject malicious scripts into the application.
To avoid violations of this rule, developers should avoid directly using user input in include statements without proper validation or sanitization. Instead, use predefined constants, fixed paths, or whitelist allowed file names. When dynamic paths are necessary, validate them rigorously or use safe abstractions to ensure only intended files are included.
For example, instead of include($_GET['page']); use a mapping of allowed page names, or restrict the input to a bare file name before including it: include(__DIR__ . '/pages/' . basename($_GET['page']) . '.php'); . Either approach reduces the risk of injection through include statements.
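The two remediations above, as an added example that is not part of the rule page: an allow-list mapping resolves the request value purely as an array key, while the basename() variant is paired with a realpath() containment check so the resolved file must sit inside pages/. It assumes a pages/ directory beside the script with home.php, about.php and contact.php, and PHP 8.0+ for str_starts_with().

```php
<?php
declare(strict_types=1);

// Allow-list: the only keys a request may select, each mapped to a fixed path.
const ALLOWED_PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Preferred: the untrusted value is only an array key and never reaches the filesystem.
function resolveByMap(string $requested): ?string
{
    return ALLOWED_PAGES[$requested] ?? null;
}

// Alternative: basename() strips directory components, realpath() resolves symlinks,
// and the prefix check rejects anything that ends up outside pages/.
function resolveByBasename(string $requested): ?string
{
    $base = realpath(__DIR__ . '/pages');
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . '/' . basename($requested) . '.php');
    if ($candidate === false) {
        return null; // file does not exist
    }
    return str_starts_with($candidate, $base . DIRECTORY_SEPARATOR) ? $candidate : null;
}

// Vulnerable form flagged by the rule (kept as a comment for contrast):
// include($_GET['page']);

$requested = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'home';
$path = resolveByMap($requested);

if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}

include $path;
```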