ID: php-security/avoid-path-injection
Language: PHP
Severity: Error
Category: Security
CWE: 22
User input, if not properly validated or sanitized, can lead to security vulnerabilities like path traversal and code injection. These risks can compromise the application, leak sensitive data, or even lead to complete system takeover.
Functions like file_get_contents() can retrieve content from any location on the local disk or even from remote URLs; if they receive unsanitized user input, they can be used to perform a wide range of attacks.
Always validate and sanitize user input before using it in file I/O operations. This can be done with built-in PHP functions like filter_input(), or by implementing custom validation functions. Also consider an allowlist approach, where only known safe input is accepted. For example, in the compliant code below, the function is_allowed() could be used to check whether the filename provided by the user is in a list of allowed filenames.
Non-compliant code example:

```php
<?php
// Non-compliant: the file name comes straight from the request and is used
// unchecked, so it can point at any local path or even a remote URL.
$fileName = $_GET["filename"];
file_get_contents($fileName);
```

Compliant code example:

```php
<?php
// Compliant: the user-supplied name is checked against an allowlist first.
// is_allowed() stands for an application-defined allowlist check, as described above.
$fileName = $_GET["filename"];
if (is_allowed($fileName)) {
    file_get_contents($fileName);
}
```
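As an added example that is not part of this rule page, the following shows one way to implement the allowlist check the text describes, combined with a base-directory containment check around file_get_contents(). The names ALLOWED_FILES, BASE_DIR, is_allowed() and read_allowed_file() are assumptions made for this example.

```php
<?php
// Added example (not the rule page's own code). ALLOWED_FILES, BASE_DIR,
// is_allowed() and read_allowed_file() are names assumed for illustration.
declare(strict_types=1);

const ALLOWED_FILES = ['terms.txt', 'privacy.txt', 'faq.txt'];
const BASE_DIR = __DIR__ . '/public_docs';

/**
 * Allowlist check: only exact, known file names are accepted. Absolute paths,
 * traversal sequences and stream wrappers such as php:// or http:// never
 * match an entry, so they are rejected before any file I/O happens.
 */
function is_allowed(string $fileName): bool
{
    return in_array($fileName, ALLOWED_FILES, true);
}

/**
 * Defence in depth: even for an allowlisted name, resolve the final path and
 * confirm it still lies inside BASE_DIR, so a symlink or a careless future
 * addition to the allowlist cannot silently widen what is readable.
 * Returns null when the request must be refused.
 */
function read_allowed_file(string $fileName): ?string
{
    if (!is_allowed($fileName)) {
        return null;
    }
    $base = realpath(BASE_DIR);
    $path = realpath(BASE_DIR . '/' . $fileName);
    if ($base === false || $path === false) {
        return null; // base directory or file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved path escaped the base directory
    }
    $content = file_get_contents($path);
    return $content === false ? null : $content;
}

// The request parameter is untrusted; it is only ever compared against the allowlist.
$fileName = (string) ($_GET['filename'] ?? '');
$content = read_allowed_file($fileName);
if ($content === null) {
    http_response_code(404);
    exit;
}
echo $content;
```

With this layout, a request such as filename=faq.txt is served from BASE_DIR, while any value not in ALLOWED_FILES is refused without touching the filesystem.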
For more information, please read the Code Security documentation