File Inclusion

[MadhumithaSTR]

Hi Team! While running a vulnerability test using Snyk tool, I encountered a "File Inclusion" issue in the {project_name}\vendor\yiisoft\yii2\console\Application.php file, specifically at line no - 108. The issue is described as: Unsanitized input from an HTTP header flows into require, where it is included dynamically. Allowing unvalidated user input to control files that are included dynamically in PHP can lead to malicious code execution.

I'm currently using "yiisoft/yii2": ">=2.0.5",

Could you please help me resolve this? Thanks in advance!

File Path : https://github.com/yiisoft/yii2/blob/master/framework/console/Application.php

[samdark]

Obviously, that's a false positive since there are no HTTP headers in console.

[MdMumtajTR]

In the vendor/yiisoft/yii2/console/Application.php file, unsanitized input from an HTTP header flows into die/exit at line 111, where it is used to render an HTML page returned to the user, potentially leading to a Cross-Site Scripting (XSS) attack. A similar XSS issue exists in the same file.
File Path : https://github.com/yiisoft/yii2/blob/master/framework/console/Application.php

Can anyone provide suggestions to fix the XSS issue?

[samdark]

There is no XSS issue. It is a console.