Introduction
This new feature suggestion comes from a custom rule set dedicated to PHP and Drupal 8 security.
Description
Drupal 8 is designed to support namespaces.
The namespace import mechanism, through the keyword use, should be preferred over the require and include functions.
Impact
Using the require and include functions may lead to file inclusion attacks.
- Import functions:
- require
- require_once
- include
- include_once
Noncompliant Code Example
require_once('./modules/Module/src/Entity/User.php');
Compliant Solution
use Drupal\Module\Entity\User;
Exceptions
autoload.php
ScriptHandler.php
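As an added illustration of the check this rule describes (not code from the rule set or from SonarSource), the following Python scanner reports every require/include construct in a PHP file, skipping comments and string literals and the two file names listed under Exceptions. The sample Drupal module source and its path are constructed.

```python
import re
from pathlib import PurePath

# File names the rule exempts, taken from the Exceptions section.
EXEMPT_FILES = {"autoload.php", "ScriptHandler.php"}

# The four include-style constructs, used either as statements or in call form.
INCLUDE_RE = re.compile(r"\b(require_once|include_once|require|include)\b", re.IGNORECASE)

# Comments and string literals are blanked before scanning so that the word
# "include" inside a comment or a quoted string does not raise a false positive.
SKIP_RE = re.compile(
    r"/\*.*?\*/|//[^\n]*|#[^\n]*|'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"",
    re.DOTALL,
)


def find_include_hotspots(path, source):
    """Return a list of (line_number, keyword) for every require/include use in
    a PHP file, or an empty list when the file name is on the exemption list."""
    if PurePath(path).name in EXEMPT_FILES:
        return []
    # Replace skipped regions with spaces, keeping newlines so line numbers hold.
    cleaned = SKIP_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)
    return [
        (cleaned.count("\n", 0, m.start()) + 1, m.group(1).lower())
        for m in INCLUDE_RE.finditer(cleaned)
    ]


# Constructed sample of a Drupal 8 module file mixing both styles.
SAMPLE_PHP = r"""<?php
namespace Drupal\mymodule\Controller;

// Old style, commented out: require_once('./modules/mymodule/src/Entity/User.php');
require_once('./modules/mymodule/src/Entity/User.php');
use Drupal\mymodule\Entity\User;

$msg = "the word include inside a string is not a hotspot";
include $template . '.php';
"""

if __name__ == "__main__":
    for line, keyword in find_include_hotspots("modules/mymodule/src/Controller/Foo.php", SAMPLE_PHP):
        print(f"line {line}: {keyword} - prefer a namespace import via 'use'")
```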
References
- MITRE CWE-97 - Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
- OWASP Top 10 2017 Category A5 - Broken Access Control
Type
Security Hotspot
Tags
cwe, owasp-a5, drupal