Unsanitized user input in file path


Unsanitized user input in file paths can compromise your system's security. This vulnerability arises when user input is directly used to construct file names or paths without proper sanitization, potentially leading to path manipulation. Attackers could exploit this to access files or directories outside the intended scope, posing a significant security risk.


  • Do not use unsanitized user input to construct file paths. Unchecked input can be manipulated to access unauthorized files.
  • Do restrict user input to a predefined list of allowed values when constructing file paths. This limits the scope of accessible resources to only those explicitly permitted.
    $allowed_filenames = array("resource-1", "resource-2");
    $filename = $_GET["resource_name"];

    if (in_array($filename, $allowed_filenames)) {
    } else {
    // Handle unexpected filename
  • Do validate and sanitize file paths against a safe base path. This ensures that the resulting path is within a controlled and expected directory.
    $path = realpath("/safe/prefix/" . $_GET["resource_name"]);
    if (str_starts_with($path, "/safe/prefix/")) {
    } else {
    // Handle unexpected path


Associated CWE

OWASP Top 10


To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_path_using_user_input

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_path_using_user_input