
Remediation Steps

Follow the steps below to remediate this finding on Drupal.

  1. Use Drupal's file system service to resolve paths safely:

    // Resolve the stream-wrapper URI to an absolute local path; realpath() returns FALSE on failure.
    $file_system = \Drupal::service('file_system');
    $realpath = $file_system->realpath($uri);

  2. Never build file paths from unvalidated user input.

  3. Use Drupal stream wrappers (e.g., public://, private://) which enforce containment within configured directories.
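
The three steps combined into one containment check, as an added example that is not code from the original page or from Drupal itself. The helper name `example_resolve_contained` and the `private://reports` base directory are assumptions; only the `file_system` service and its `realpath()` method come from the steps above. It is meant to run inside a bootstrapped Drupal site (for example from a custom module).

```php
<?php

/**
 * Hypothetical helper (not a Drupal API): resolve a user-supplied relative
 * path beneath a fixed stream-wrapper URI and return the absolute path only
 * if it stays inside that directory. Returns NULL when the input is rejected.
 *
 * Constructed usage, assuming a 'reports' directory under the private files:
 *   $path = example_resolve_contained('private://reports', $requested_name);
 */
function example_resolve_contained(string $base_uri, string $user_path): ?string {
  // Reject empty input, NUL bytes, and anything carrying its own scheme, so
  // the caller's base URI always decides which stream wrapper is used.
  if ($user_path === ''
    || strpos($user_path, "\0") !== FALSE
    || strpos($user_path, '://') !== FALSE) {
    return NULL;
  }

  $file_system = \Drupal::service('file_system');

  // Join the base URI and the user input with exactly one separator.
  $base_uri = substr($base_uri, -1) === '/' ? $base_uri : $base_uri . '/';
  $candidate = $base_uri . ltrim($user_path, '/\\');

  // realpath() returns FALSE on failure; treat that as a rejection.
  $base = $file_system->realpath($base_uri);
  $target = $file_system->realpath($candidate);
  if ($base === FALSE || $target === FALSE) {
    return NULL;
  }

  // Compare against the base plus a trailing separator so that a sibling
  // such as ".../reports-old" does not pass as being inside ".../reports".
  $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
  if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
    return NULL;
  }

  return $target;
}
```

The prefix comparison narrows containment to the chosen subdirectory rather than the whole wrapper root, so callers should treat a NULL return as "deny" and not fall back to the raw input.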