PHP-CS-Fixer cache file publicly accessible (.php_cs.cache)
Description
PHP-CS-Fixer is a widely-used tool that automatically fixes PHP coding standards violations. By default, it creates a cache file named .php_cs.cache to improve performance on subsequent runs. This vulnerability occurs when the cache file is accessible via direct web requests, exposing internal project information that should remain private. The cache file contains metadata about your codebase structure, file paths, and configuration details that could aid attackers in reconnaissance activities.
Remediation
Prevent public access to the .php_cs.cache file by configuring your web server to deny requests to hidden files (those starting with a dot). Implement one of the following solutions based on your web server:
For Apache (.htaccess):
<FilesMatch "^\.">
Require all denied
</FilesMatch>For Nginx:location ~ /\. {
deny all;
return 404;
}Alternative approach: Store the cache file outside your web root by configuring PHP-CS-Fixer to use a different cache location in your .php-cs-fixer.php configuration file:return (new PhpCsFixer\Config())
->setCacheFile(__DIR__ . '/var/cache/.php_cs.cache');After implementing these changes, verify the file is no longer accessible by attempting to access it directly through your browser.