Audit required: Include statements might be vulnerable to injection attacks PHP-A1001
Include statement might be vulnerable to injection attack
15 }
16 public function render($template_file) {
17 if (file_exists($this->template_dir.$template_file)) {
18 include $this->template_dir.$template_file;19 } else {
20 throw new Exception('no template file ' . $template_file . ' present in directory ' . $this->template_dir);
21 }
Description
The include (or require) statements are used to include and copy all the text/code/markup from an external file into the file that uses the include statement. This issue flags the use of this statement when a user-provided value is directly used in it.
Using user-provided values to construct the include/require statement can allow an attacker to control which files are included, giving them the ability to execute arbitrary code.
In past it has led to the following vulnerabilities:
All user-provided data (POST/GET variables, cookie values, etc.) should be sanitized and whitelisted before passing it to the include/require statement.
Bad practice
$dir = $_GET['module_name'];
// sensitive: $dir is not sanitized
include $dir . '/functions.php';
Recommended
$dir = $_GET['module_name'];
$allowedModules = ['customer_module', 'product_module'];
if (in_array($dir, $allowedModules)) {
include $dir . '/functions.php';
}