Avoid potential path injections in Laravel

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Metadata

ID: php-security/laravel-avoid-path-injection

Language: PHP

Severity: Error

Category: Security

CWE: 22

Description

Path injection attacks occur when user-supplied data is used to construct a pathname that leads to access of a filesystem. This would let attackers manipulate the file path in a manner that allows them to access, modify, or delete sensitive files in your system.

This rule is important because it helps protect your application from unauthorized file access, potential data loss, or leakage of sensitive information. If an attacker is able to manipulate your filesystem through path injection, they might gain access to confidential data, perform unauthorized changes, or even execute arbitrary code.

Always sanitize user-supplied inputs that will be used in filesystem operations. Use functions to handle file paths safely, and use allowlists to limit the paths that can be specified by the user.

Non-Compliant Code Examples

<?php
class Foo extends Controller
{
  public function __invoke($name)
  {
    $path = 'uploads/'.$name;
    return response()->download($path);
  }
}

Route::get('/endpoint/{var}', function ($var) {
  require_once('includes/'.$var);
});

Route::match(['get', 'post'], '/endpoint/{var}', function ($var) {
  include_once('includes/'.$var);
});

Compliant Code Examples

<?php
class Foo extends Controller
{
  public function __invoke($name)
  {
    $path = 'uploads/'.basename($name);
    if (!file_exists($path)) {
      abort(404);
    }
    return response()->download($path);
  }
}

Route::get('/endpoint/{var}', function ($var) {
  $allowed_files = ['file1.php', 'file2.php', 'file3.php'];
  if (in_array($var, $allowed_files)) {
    include_once('includes/'.$var);
  } else {
    abort(404);
  }
});

Route::match(['get', 'post'], '/endpoint/{var}', function ($var) {
  $allowed_files = ['file1.php', 'file2.php', 'file3.php'];
  if (in_array($var, $allowed_files)) {
    include_once('includes/'.$var);
  } else {
    abort(404);
  }
});
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis