Skip to main content

Remote File Inclusion


Prevention of remote file inclusion and execution


  • Usage of Ruby 2.5 for executing Ruby code and running Ruby applications
  • Usage of Rails framework for building web applications
  • Usage of ActiveRecord for Object-Relational Mapping (ORM) in database operations


Non compliant code

class UserController < ApplicationController
def index
@user = User.find(params[:id])
render params[:template]

In the above code, we have a UserController with an index action that fetches a user from the database using an id passed in via params. After fetching the user, it renders a template also passed in via params.

The vulnerability here lies in the use of params[:template] in the render method. This allows an attacker to pass in a path to a malicious template that resides in a remote location. This is known as Remote File Inclusion (RFI).

For instance, an attacker could craft a URL such as When this URL is accessed, the application would fetch the malicious template from the remote server and render it, leading to potential data leakage or remote command execution.


  • Sanitize user input: Validate and sanitize any user input before using it to render templates.
  • Whitelist allowed templates: Create a whitelist of allowed templates and only render templates from this list.
  • Avoid dynamic template rendering: Instead of allowing users to specify the template to render, use a fixed template or a limited set of predefined templates.
  • Implement access controls: Ensure that only authorized users can access the UserController#index action.
  • Keep the application and dependencies up to date: Regularly update the Ruby on Rails framework and its dependencies to benefit from security patches and fixes.
  • Implement a Web Application Firewall (WAF): Use a WAF to detect and block attempts to exploit remote file inclusion vulnerabilities.
  • Perform security testing: Regularly conduct security testing, such as penetration testing and code reviews, to identify and fix vulnerabilities.

Compliant code

class UserController < ApplicationController
before_action :authenticate_user!
TEMPLATE_WHITELIST = ['template1', 'template2', 'template3']

def index
@user = User.find(params[:id])
template = params[:template]
if TEMPLATE_WHITELIST.include?(template)
render template
render 'default_template'

The updated code includes several measures to mitigate the risk of Remote File Inclusion:

  1. Sanitize user input: The params[:template] is now checked against a whitelist of allowed templates (TEMPLATE_WHITELIST). If the provided template is not in the whitelist, a default template is rendered. This ensures that only valid templates can be rendered, preventing the inclusion of malicious files.

  2. Whitelist allowed templates: The TEMPLATE_WHITELIST constant is a list of allowed templates. This is a form of input validation that ensures only predefined templates can be rendered.

  3. Avoid dynamic template rendering: By checking the user-provided template against a whitelist, the application no longer allows arbitrary templates to be rendered. This reduces the attack surface for Remote File Inclusion.

  4. Implement access controls: The before_action :authenticate_user! ensures that only authenticated users can access the index action. This is a form of access control that can prevent unauthorized access to sensitive data.

Remember to keep your application and its dependencies up to date, implement a Web Application Firewall (WAF), and perform regular security testing to further enhance the security of your application.