Audit required: Include statements might be vulnerable to injection attacks PHP-A1001

The include (or require) statements are used to include and copy all the text/code/markup from an external file into the file that uses the include statement. This issue flags the use of this statement when a user-provided value is directly used in it.

Using user-provided values to construct the include/require statement can allow an attacker to control which files are included, giving them the ability to execute arbitrary code.

In past it has led to the following vulnerabilities:

• CVE-2009-1936
• CVE-2005-2154
• CVE-2004-0127

All user-provided data (POST/GET variables, cookie values, etc.) should be sanitized and whitelisted before passing it to the include/require statement.

Bad practice

$dir = $_GET['module_name'];

// sensitive: $dir is not sanitized
include $dir . '/functions.php';

Recommended

$dir = $_GET['module_name'];
$allowedModules = ['customer_module', 'product_module'];

if (in_array($dir, $allowedModules)) {
    include $dir . '/functions.php';
}

References

• Data Filtering
• OWASP Top 10:2021 > A03 - Injection
• OWASP Top 10:2017 > A01 - Injection
• CWE-20: Improper Input Validation
• CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')