
Metadata

ID: php-security/include-injection

Language: PHP

Severity: Info

Category: Best Practices

CWE: 78

Description

This rule aims to prevent code injection vulnerabilities that arise from dynamically including files through include, include_once, require, or require_once statements. Including files based on untrusted or user-supplied input can lead to arbitrary code execution, allowing attackers to inject malicious scripts into the application.

To avoid violations of this rule, developers should avoid directly using user input in include statements without proper validation or sanitization. Instead, use predefined constants, fixed paths, or whitelist allowed file names. When dynamic paths are necessary, validate them rigorously or use safe abstractions to ensure only intended files are included.

For example, instead of include($_GET['page']);, look the requested value up in a mapping of allowed pages, or sanitize the input before including it (for example, strip any directory components with basename()): include(__DIR__ . '/pages/' . basename($_GET['page']) . '.php');. This approach reduces the risk of injection through include statements because the attacker no longer controls the directory or the extension of the included file.
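The allowlist approach the description recommends, as an added example that is not part of the Datadog rule page: the request value only selects an entry in a fixed map, and a realpath() containment check (an extra guard assumed here, not from the page) confirms the resolved file sits under the assumed PAGES_DIR before anything is included.

```php
<?php
// Added example: allowlisted include resolution for a "page" request parameter.
// PAGES_DIR and the page names are assumed values chosen for illustration.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Allowlist: the only request values that may ever influence include().
// Keys are what the client sends; values are fixed files under PAGES_DIR.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map an untrusted page name to a vetted absolute path, or return null when
 * the name is not allowlisted or the file does not resolve inside PAGES_DIR.
 */
function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;                      // unknown page: refuse, never guess
    }
    $candidate = PAGES_DIR . '/' . ALLOWED_PAGES[$requested];
    $real = realpath($candidate);         // false if the file does not exist
    $base = realpath(PAGES_DIR);
    // Defence in depth: even an allowlisted entry must resolve under PAGES_DIR
    // (guards against a symlinked or misconfigured pages directory).
    $prefix = $base === false ? '' : $base . DIRECTORY_SEPARATOR;
    if ($real === false || $prefix === '' || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Non-compliant shape the rule flags: request data flows straight into include().
// include($_GET['page']);

// Compliant shape: only a path produced by resolve_page() is ever included.
$page = resolve_page((string) ($_GET['page'] ?? 'home'));
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
require_once $page;
```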

Non-Compliant Code Examples

<?php

$val = "foo";

function foo($arg) {
    // Non-compliant: the include path is taken straight from the request.
    $val = $_GET["getsomevalue"];
    include($val);
}

?>

<?php

// Non-compliant: every include variant below is controlled by request data,
// including the last one, where prefixing __DIR__ does not stop traversal.
$val = $_GET["getsomevalue"];

include($val);
include_once($val);
require($val);
require_once($val);
include(__DIR__ . $val);
?>

Compliant Code Examples

<?php

// Compliant: fixed, literal file names.
include('something.php');
include_once('something_else.php');
require('other_stuff.php');
require_once('more_stuff.php');

// Compliant: paths built from constants and the script's own location.
require_once(CONFIG_DIR . '/mypage.php');
require_once( dirname( __FILE__ ) . '/apage.php' );

// Compliant: the variable holds a constant string, not user input.
$foo = 'foo/bar.php';
require_once $foo;
?>