Skip to content

ABAP Keyword Documentation →  ABAP - Security Notes →  Security Risks Caused by Input from Outside 

Dynamic Calls

In dynamic calls, the name of the called unit is specified as the content of a character-like data object. If some or all of this content originates outside of the calling program, there is a risk that units are called unintentionally. The only way of tackling this security risk is to perform a comparison with a whitelist. The class CL_ABAP_DYN_PRG provides the methods CHECK_WHITELIST_STR and CHECK_WHITELIST_TAB.

Potential dynamic calls and hence a potential security risk when handling input can occur in the following cases:

  • When an executable program is specified dynamically after SUBMIT.
  • When classes and methods are specified dynamically in a dynamic method call using CALL METHOD.
  • When a class is specified dynamically in CREATE OBJECT (a dynamic call of the instance constructor).
  • When the function module is specified dynamically in a function module call using CALL FUNCTION (particularly if RFC is used).
  • When subroutines and programs are specified dynamically in dynamic subroutine calls using PERFORM.
  • When the system function is specified dynamically in the internal statement CALL.

Other versions: 7.31 | 7.40 | 7.54


Note

As well as checking intentional calls, it is also necessary to perform a sufficient authorization check on the current user in program calls.


Example

In the following program section, a transaction name, when entered, is checked against a whitelist that contains only transactions from the ABAP example library.

DATA whitelist TYPE HASHED TABLE OF string 
               WITH UNIQUE KEY table_line. 
SELECT obj_name 
       FROM tadir 
       WHERE pgmid    = 'R3TR' AND 
             object   = 'TRAN' AND 
             devclass = 'SABAPDEMOS' 
       INTO TABLE @whitelist. 

DATA transaction TYPE sy-tcode. 
cl_demo_input=>request( CHANGING field = transaction ). 

TRY. 
    transaction = cl_abap_dyn_prg=>check_whitelist_tab( 
      val = transaction 
      whitelist = whitelist ). 
  CATCH cx_abap_not_in_whitelist INTO DATA(exc). 
    cl_demo_output=>display( exc->get_text( ) ). 
    LEAVE PROGRAM. 
ENDTRY. 

TRY. 
    CALL TRANSACTION transaction WITH AUTHORITY-CHECK. 
  CATCH cx_sy_authorization_error ##NO_HANDLER. 
ENDTRY.