By DeepSource

Audit required: Include statements might be vulnerable to injection attacks PHP-A1001

a03 sans top 25 owasp top 10 cwe-98

The include (or require) statements are used to include and copy all the text/code/markup from an external file into the file that uses the include statement. This issue flags the use of this statement when a user-provided value is directly used in it.

Using user-provided values to construct the include/require statement can allow an attacker to control which files are included, giving them the ability to execute arbitrary code.

In past it has led to the following vulnerabilities:

All user-provided data (POST/GET variables, cookie values, etc.) should be sanitized and whitelisted before passing it to the include/require statement.

Bad practice

$dir = $_GET['module_name'];

// sensitive: $dir is not sanitized
include $dir . '/functions.php';


$dir = $_GET['module_name'];
$allowedModules = ['customer_module', 'product_module'];

if (in_array($dir, $allowedModules)) {
    include $dir . '/functions.php';