[Drupal] Namespace importing should be preferred over include/require functions

php

(Pierre-Loup Tristant) #1

Introduction
This new feature suggestion comes from a custom rules set dedicated to PHP and Drupal 8 security.

Description
Drupal 8 is designed to support namespaces.
Namespace import mechanism through the keyword use should be preferred over require and include functions.

Impact
Using require and include functions may lead to file inclusion attacks.

  • Import functions:
    • require
    • require_once
    • include
    • include_once

Noncompliant Code Example

require_once('./modules/Module/src/Entity/User.php');

Compliant Solution

use Drupal\Module\Entity\User;

Exceptions

  • autoload.php
  • ScriptHandler.php

References

Type
Security Hotspot

Tags
cwe, owasp-a5, drupal


(Alexandre Gigleux) #3

Hello @Pierre-Loup,

I don’t think this one is a security one as the use of namespaces will not protect against inclusion attacks.

Instead I prefer to create it as a Code Smell. Here are the specification RSPEC-4833 and the implementation SONARPHP-829 tickets.

Regards


(Pierre-Loup Tristant) #5

Hi @Alexandre_Gigleux

You’re right this rule belongs to the Code Smell type.

I also think that a Security Hotspot rule should check for local/remote file inclusion through import mechanisms.

The rule implementation has been merged:
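As an added example (not code from this thread or from SonarPHP), a small line-based checker that applies the logic of post #1 and post #5 to PHP source: a constant path passed to one of the four import functions is reported as the Code Smell, a path built at run time (variable, concatenation, interpolation) is reported as the file-inclusion hotspot, and the two listed exceptions are assumed to be basenames of the included file.

```python
import re
from typing import List, Optional, Tuple

# Import functions named in the proposal (longest names first so the
# alternation does not stop at the "require" prefix of "require_once").
IMPORT_FUNCS = ("require_once", "include_once", "require", "include")
# Exceptions listed in the proposal; assumed here to mean the basename of the
# included file (e.g. the Composer autoload.php bootstrap).
EXCEPTED_FILES = ("autoload.php", "ScriptHandler.php")

# Matches `require_once('x');`, `require 'x';`, `include $p . '.php';` ...
IMPORT_RE = re.compile(
    r"\b(?P<func>" + "|".join(IMPORT_FUNCS) + r")\b\s*\(?\s*(?P<arg>[^;]*?)\s*\)?\s*;"
)
# A single-quoted string, or a double-quoted string without interpolation.
LITERAL_RE = re.compile(r"""^(?:'[^']*'|"[^"$]*")$""")
COMMENT_RE = re.compile(r"^\s*(//|#|\*|/\*)")

def classify(line: str) -> Optional[str]:
    """Return 'hotspot', 'code-smell' or None for one line of PHP source.

    hotspot    - path built at run time: the local/remote file inclusion
                 pattern post #5 asks a Security Hotspot rule to surface.
    code-smell - constant path: the RSPEC-4833 finding, prefer `use` + autoload.
    None       - no import function, a comment line, or an excepted file.
    """
    if COMMENT_RE.match(line):
        return None
    m = IMPORT_RE.search(line)
    if not m:
        return None
    arg = m.group("arg")
    if any(name in arg for name in EXCEPTED_FILES):
        return None
    return "code-smell" if LITERAL_RE.match(arg) else "hotspot"

def scan(source: str) -> List[Tuple[int, str, str]]:
    """Run classify() over every line; returns (line number, category, text)."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        cat = classify(line)
        if cat:
            findings.append((no, cat, line.strip()))
    return findings

# Constructed sample input, not code taken from the thread.
SAMPLE = """<?php
use Drupal\\Module\\Entity\\User;
require_once __DIR__ . '/vendor/autoload.php';
require_once('./modules/Module/src/Entity/User.php');
include $_GET['page'] . '.php';
include_once("$base/templates/header.php");
// comment lines that mention require_once are ignored;
"""

if __name__ == "__main__":
    for no, cat, text in scan(SAMPLE):
        print(f"line {no}: {cat:10} {text}")
```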