php.lang.security.file-inclusion.file-inclusion

profile photo of semgrepsemgrep
Author
4,178
Download Count*
LGPL Commons Clause
License

Detected non-constant file inclusion. This can lead to local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. LFI and RFI could lead to sensitive files being obtained by attackers. Instead, explicitly specify what to include. If that is not a viable solution, validate user input thoroughly.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: file-inclusion
    message: Detected non-constant file inclusion. This can lead to local file
      inclusion (LFI) or remote file inclusion (RFI) if user input reaches this
      statement. LFI and RFI could lead to sensitive files being obtained by
      attackers. Instead, explicitly specify what to include. If that is not a
      viable solution, validate user input thoroughly.
    metadata:
      cwe:
        - "CWE-98: Improper Control of Filename for Include/Require Statement in
          PHP Program ('PHP Remote File Inclusion')"
      references:
        - https://www.php.net/manual/en/function.include.php
        - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/EasyRFISniff.php
        - https://en.wikipedia.org/wiki/File_inclusion_vulnerability#Types_of_Inclusion
      category: security
      technology:
        - php
      owasp:
        - A03:2021 - Injection
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    languages:
      - php
    severity: ERROR
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern: $_GET
              - pattern: $_POST
              - pattern: $_COOKIE
              - pattern: $_REQUEST
              - pattern: $_SERVER
    pattern-sanitizers:
      - patterns:
          - pattern-either:
              - pattern-inside: basename($PATH, ...)
              - pattern-inside: linkinfo($PATH, ...)
              - pattern-inside: readlink($PATH, ...)
              - pattern-inside: realpath($PATH, ...)
              - pattern-inside: include_safe(...)
    pattern-sinks:
      - patterns:
          - pattern-inside: $FUNC(...);
          - pattern: $VAR
          - metavariable-regex:
              metavariable: $FUNC
              regex: \b(include|include_once|require|require_once)\b

Examples

file-inclusion.php

<?php

$user_input = $_GET["tainted"];

// ruleid: file-inclusion
include($user_input);

// ok: file-inclusion
include('constant.php');

// ruleid: file-inclusion
include_once($user_input);

// ok: file-inclusion
include_once('constant.php');

// ruleid: file-inclusion
require($user_input);

// ok: file-inclusion
require('constant.php');

// ruleid: file-inclusion
require_once($user_input);

// ok: file-inclusion
require_once('constant.php');

// ruleid: file-inclusion
include(__DIR__ . $user_input);

// ok: file-inclusion
include(__DIR__ . 'constant.php');

// ok: file-inclusion
include_safe(__DIR__ . $user_input);

// ok: file-inclusion
require_once(CONFIG_DIR . '/constant.php');

// ok: file-inclusion
require_once( dirname( __FILE__ ) . '/admin.php' );

// ok: file-inclusion
$pth = 'foo/bar.php';
require_once $pth;