CRITICAL
Rule Definition
A File Inclusion vulnerability allows an attacker to include a file of their choosing, usually by exploiting a "dynamic file inclusion" mechanism implemented in the target application. The vulnerability occurs when user-supplied input is used to select the included file without proper validation.
In the simplest case this only outputs the contents of the chosen file, but depending on the severity it can also lead to:
Code execution on the web server
Code execution on the client side, such as JavaScript, which can lead to further attacks such as cross-site scripting (XSS)
Denial of Service (DoS)
Sensitive Information Disclosure
Remediation
The most effective solution to eliminate file inclusion vulnerabilities is to avoid passing user-submitted input to any filesystem or framework API at all.
If this is not possible, use a white list: let the request select a key, and map that key to a file path that the application controls.
Never include files using relative paths; use either an absolute path or a root-relative path instead.
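An added example of the white-list approach (not code from the CAST rule page): the servlet below lets the request choose only a key, maps that key to a fixed root-relative JSP path, and rejects anything outside the map. The servlet name, template keys and paths are assumed; it is written against the javax.servlet API.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Maps an untrusted "template" parameter onto a fixed set of root-relative JSP paths (assumed names). */
public class TemplateIncludeServlet extends HttpServlet {

    // White list: the request only ever selects a KEY; every path here is chosen by the application.
    private static final Map<String, String> TEMPLATES = Map.of(
        "home",    "/WEB-INF/templates/home.jsp",
        "privacy", "/WEB-INF/templates/privacy.jsp",
        "contact", "/WEB-INF/templates/contact.jsp");

    private static final String DEFAULT_KEY = "home";

    /** Returns the white-listed path for a key, or null when the key is unknown. */
    static String resolveTemplate(String key) {
        if (key == null) {
            return TEMPLATES.get(DEFAULT_KEY);
        }
        // Exact key match only: no path normalisation is needed because no path is ever derived from input.
        return TEMPLATES.get(key);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String key = req.getParameter("template");
        String path = resolveTemplate(key);
        if (path == null) {
            // Unknown key: log it (a useful signal for detection) and refuse, rather than fall back
            // to anything influenced by the request.
            getServletContext().log("rejected template key from " + req.getRemoteAddr() + ": " + key);
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown template");
            return;
        }
        resp.setContentType("text/html;charset=UTF-8");
        // Include by the root-relative path taken from the map, never from the request itself.
        RequestDispatcher dispatcher = req.getRequestDispatcher(path);
        dispatcher.include(req, resp);
    }
}
```

Paths under /WEB-INF are not directly addressable by clients, so the only way to reach these templates is through the servlet's own map.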
Violation Code Sample
Sample 1:
<jsp:include page="<%= (String) request.getParameter(\"template\") %>" /> <%-- VIOLATION: page is tainted input --%>
Sample 2:
<c:import url="<%= request.getParameter(\"privacy\") %>" /> <%-- VIOLATION: url is tainted input --%>
Fixed Code Sample
Sample 1:
<jsp:include page="notainted.jsp" /> <%-- FIXED: page is a constant chosen by the application --%>
Sample 2:
<c:import url="notaintedurl" /> <%-- FIXED: url is a constant chosen by the application --%>
Reference
CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
https://cwe.mitre.org/data/definitions/97.html
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
https://cwe.mitre.org/data/definitions/829.html
OWASP - WSTG - v4.2 - Testing for Local File Inclusion
https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion
Related Technologies
Technical Criterion
Secure Coding - Input Validation
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It is built on thousands of analyzed applications, spanning 35 different technologies, from over 300 business organizations across major verticals. It provides IT leaders with factual key analytics that let them know whether their applications are on track.