In dynamic calls, the name of the called unit is specified as the content of a character-like data object. If some or all of this content originates outside of the calling program, there is a risk that units are called unintentionally. The only way of tackling this security risk is to perform a comparison with a whitelist. The class CL_ABAP_DYN_PRG provides the methods CHECK_WHITELIST_STR and CHECK_WHITELIST_TAB.
Potential dynamic calls and hence a potential security risk when handling input can occur in the following cases:
- When an executable program is specified dynamically after
- When classes and methods are specified dynamically in a dynamic method call using
- When a class is specified dynamically in CREATE OBJECT (a dynamic call of the instance constructor).
- When the function module is specified dynamically in a function module call using CALL FUNCTION (particularly if RFC is used).
- When subroutines and programs are specified dynamically in dynamic subroutine calls using
- When the system function is specified dynamically in the internal statement
As well as checking intentional calls, it is also necessary to perform a sufficient authorization check on the current user in program calls.
In the following program section, a transaction name, when entered, is checked against a whitelist that contains only transactions from the ABAP example library.
```abap
" Build the whitelist: all transactions of package SABAPDEMOS.
DATA whitelist TYPE HASHED TABLE OF string
               WITH UNIQUE KEY table_line.
SELECT obj_name
       FROM tadir
       WHERE pgmid = 'R3TR' AND
             object = 'TRAN' AND
             devclass = 'SABAPDEMOS'
       INTO TABLE @whitelist.

" Read the transaction name from the user.
DATA transaction TYPE sy-tcode.
cl_demo_input=>request( CHANGING field = transaction ).

" Reject any value that is not in the whitelist.
TRY.
    transaction = cl_abap_dyn_prg=>check_whitelist_tab(
      val       = transaction
      whitelist = whitelist ).
  CATCH cx_abap_not_in_whitelist INTO DATA(exc).
    cl_demo_output=>display( exc->get_text( ) ).
    LEAVE PROGRAM.
ENDTRY.

" Call the checked transaction with an authorization check for the current user.
TRY.
    CALL TRANSACTION transaction WITH AUTHORITY-CHECK.
  CATCH cx_sy_authorization_error ##NO_HANDLER.
ENDTRY.
```
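The same pattern applies to the other dynamic calls listed above. The following added example, which is not part of the original documentation, uses CHECK_WHITELIST_STR with a comma-separated whitelist to guard a dynamic function module call. The function module names Z_DEMO_EXPORT_CSV and Z_DEMO_EXPORT_XML are hypothetical and assumed to have no mandatory parameters.

```abap
" Added example: dynamic CALL FUNCTION guarded by a string whitelist.
" Z_DEMO_EXPORT_CSV and Z_DEMO_EXPORT_XML are hypothetical function
" modules, assumed to exist and to have no mandatory parameters.
CONSTANTS allowed_funcs TYPE string
  VALUE `Z_DEMO_EXPORT_CSV,Z_DEMO_EXPORT_XML`.

" Read the function module name from outside the program.
DATA input TYPE string.
cl_demo_input=>request( CHANGING field = input ).

" Normalize before comparing: function module names are upper case.
input = to_upper( condense( input ) ).

DATA func TYPE string.
TRY.
    " Only the value returned by the check is used for the call,
    " never the raw input.
    func = cl_abap_dyn_prg=>check_whitelist_str(
      val       = input
      whitelist = allowed_funcs ).
  CATCH cx_abap_not_in_whitelist INTO DATA(exc).
    " Input is not one of the allowed names: stop without calling.
    cl_demo_output=>display( exc->get_text( ) ).
    LEAVE PROGRAM.
ENDTRY.

TRY.
    CALL FUNCTION func.
  CATCH cx_sy_dyn_call_error INTO DATA(call_exc).
    " For example, the function module does not exist in this system.
    cl_demo_output=>display( call_exc->get_text( ) ).
ENDTRY.
```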