rules:
  - id: file-inclusion
    patterns:
      - pattern: $FUNC(...);
      - pattern-not: $FUNC("...");
      - pattern-not: $FUNC(__DIR__ . "...");
      - metavariable-regex:
          metavariable: $FUNC
          regex: \b(include|include_once|require|require_once|virtual)\b
    message: >-
      Detected non-constant file inclusion. This can lead to local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. LFI and RFI could lead to sensitive files being obtained by attackers. Instead, explicitly specify what to include. If that is not a viable solution, validate user input thoroughly.
    metadata:
      references:
        - https://www.php.net/manual/en/function.include.php
        - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/EasyRFISniff.php
        - https://en.wikipedia.org/wiki/File_inclusion_vulnerability#Types_of_Inclusion
      category: security
      technology:
        - php
    languages: [php]
    severity: ERROR