Unsanitized user input in file path
- Rule ID: php_lang_path_using_user_input
- Languages: php
- Source: path_using_user_input.yml
Description
Unsanitized user input in file paths can compromise your system's security. This vulnerability arises when user input is directly used to construct file names or paths without proper sanitization, potentially leading to path manipulation. Attackers could exploit this to access files or directories outside the intended scope, posing a significant security risk.
Remediations
- Do not use unsanitized user input to construct file paths. Unchecked input can be manipulated to access unauthorized files.
- Do restrict user input to a predefined list of allowed values when constructing file paths. This limits the scope of accessible resources to only those explicitly permitted.
    // Only names on this list can ever reach readfile().
    $allowed_filenames = array("resource-1", "resource-2");
    $filename = $_GET["resource_name"] ?? "";
    // Strict comparison avoids loose type matches against the list.
    if (in_array($filename, $allowed_filenames, true)) {
      readfile("/files/{$filename}");
    } else {
      // Handle unexpected filename
    }
- Do validate and sanitize file paths against a safe base path. This ensures that the resulting path is within a controlled and expected directory.
    // realpath() resolves "..", "." and symlinks, and returns false if the path does not exist.
    $path = realpath("/safe/prefix/" . $_GET["resource_name"]);
    if ($path !== false && str_starts_with($path, "/safe/prefix/")) {
      readfile($path);
    } else {
      // Handle unexpected path
    }
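The base-path check above as a self-contained script, added here as an illustration and not taken from Bearer's rule or documentation. The helper name `resolve_inside_base` and the temporary directory layout are assumptions, and PHP 8.0 or later is assumed for `str_starts_with`.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of Bearer or PHP): returns the canonical path
// of $name inside $baseDir, or null when it resolves outside or does not exist.
function resolve_inside_base(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || str_contains($name, "\0")) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; it returns false for missing files.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as "/safe/prefix-old" does not pass a check for "/safe/prefix".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($path, $prefix) ? $path : null;
}

// Constructed sample layout in a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'path_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/files', 0700, true);
mkdir($root . '/files-old', 0700);
file_put_contents($root . '/files/resource-1', "public\n");
file_put_contents($root . '/files-old/backup', "sibling directory\n");
file_put_contents($root . '/secret.txt', "outside the base\n");

$inputs = [
    'resource-1',           // allowed: file inside the base
    './resource-1',         // allowed: canonicalised to the same file
    '../secret.txt',        // rejected: resolves to the parent directory
    '../files-old/backup',  // rejected: sibling directory sharing the name prefix
    'missing',              // rejected: realpath() returns false
];
foreach ($inputs as $input) {
    $resolved = resolve_inside_base($root . '/files', $input);
    printf("%-24s => %s\n", var_export($input, true), $resolved === null ? 'rejected' : 'allowed');
}

// Remove the constructed files again.
array_map('unlink', [$root . '/files/resource-1', $root . '/files-old/backup', $root . '/secret.txt']);
array_map('rmdir', [$root . '/files', $root . '/files-old', $root]);
```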
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag:
    bearer scan /path/to/your-project/ --skip-rule=php_lang_path_using_user_input
To run only this rule during a scan, use the following flag:
    bearer scan /path/to/your-project/ --only-rule=php_lang_path_using_user_input