Dynamic Calls
In dynamic calls, the name of the called unit is specified as the
content of a character-like data object. If some or all of this content
originates outside of the calling program, there is a risk that units
are called unintentionally. The only way of tackling this security risk
is to compare the name against a whitelist before the call. The class
CL_ABAP_DYN_PRG provides the methods CHECK_WHITELIST_STR (whitelist
passed as a comma-separated string) and CHECK_WHITELIST_TAB (whitelist
passed as an internal table) for this purpose.
Potential dynamic calls, and hence a potential security risk when
handling input, can occur in the following cases:
When an executable program is specified dynamically after SUBMIT.
When a transaction is specified dynamically after CALL TRANSACTION and LEAVE TO TRANSACTION.
When classes and methods are specified dynamically in a dynamic method call using CALL METHOD.
When a class is specified dynamically in CREATE OBJECT (a dynamic call of the instance constructor).
When the function module is specified dynamically in a function module call using CALL FUNCTION (particularly if RFC is used).
When subroutines and programs are specified dynamically in dynamic subroutine calls using PERFORM.
When the system function is specified dynamically in the internal statement CALL.
Note
As well as checking intentional calls, it is also necessary to perform
an authorization check on the current user in program calls.
Example
In the following program section, a transaction name, when entered, is
checked against a whitelist that contains only transactions from
the ABAP example library.
" Whitelist of transaction names: every transaction (R3TR TRAN) that
" belongs to the ABAP example library package SABAPDEMOS.
DATA whitelist TYPE HASHED TABLE OF string
                WITH UNIQUE KEY table_line.
SELECT obj_name
       FROM tadir
       INTO TABLE whitelist
       WHERE pgmid    = 'R3TR' AND
             object   = 'TRAN' AND
             devclass = 'SABAPDEMOS'.

" The transaction name is external input and therefore untrusted.
DATA transaction TYPE sy-tcode.
cl_demo_input=>request( CHANGING field = transaction ).

" The check returns the value unchanged when it is in the whitelist and
" raises CX_ABAP_NOT_IN_WHITELIST otherwise, so the call below is never
" reached with an unlisted name.
TRY.
    transaction = cl_abap_dyn_prg=>check_whitelist_tab(
      val       = transaction
      whitelist = whitelist ).
  CATCH cx_abap_not_in_whitelist INTO DATA(exc).
    cl_demo_output=>display( exc->get_text( ) ).
    LEAVE PROGRAM.
ENDTRY.

" Only a whitelisted name reaches the dynamic call; WITH AUTHORITY-CHECK
" additionally checks the current user's transaction authorization.
TRY.
    CALL TRANSACTION transaction WITH AUTHORITY-CHECK.
  CATCH cx_sy_authorization_error ##NO_HANDLER.
ENDTRY.
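The example above covers CALL TRANSACTION with a table-based whitelist. The following program is an added example, not part of the SAP documentation extract, that applies the same pattern to the first case in the list above, a dynamically specified program name after SUBMIT, using CHECK_WHITELIST_STR with a comma-separated whitelist and following the Note with an explicit authorization check before the call. The program name Z_DYN_SUBMIT_WHITELIST, the whitelisted program names ZDEMO_REPORT_A and ZDEMO_REPORT_B, and the authorization object Z_DYN_CALL with its field PROGRAM are hypothetical placeholders; only CL_ABAP_DYN_PRG, its method and exception class, CL_DEMO_INPUT, CL_DEMO_OUTPUT and the ACTVT value 16 (Execute) are taken from the standard system.

```abap
REPORT z_dyn_submit_whitelist.   " hypothetical program name

" Constructed whitelist in the form CHECK_WHITELIST_STR expects:
" the valid values separated by commas. Both program names are
" placeholders.
CONSTANTS allowed_programs TYPE string
  VALUE 'ZDEMO_REPORT_A,ZDEMO_REPORT_B'.

" The program name is external input and therefore untrusted.
DATA program TYPE sy-repid.
cl_demo_input=>request( CHANGING field = program ).

" Program names are stored in upper case; normalize the input so that
" the exact comparison in the whitelist check behaves as intended.
TRANSLATE program TO UPPER CASE.

" 1. Whitelist check. An unlisted name raises CX_ABAP_NOT_IN_WHITELIST,
"    so the dynamic SUBMIT below is never reached with it.
TRY.
    program = cl_abap_dyn_prg=>check_whitelist_str(
      val       = program
      whitelist = allowed_programs ).
  CATCH cx_abap_not_in_whitelist INTO DATA(exc).
    cl_demo_output=>display( exc->get_text( ) ).
    LEAVE PROGRAM.
ENDTRY.

" 2. Authorization check on the current user, as required by the Note.
"    Z_DYN_CALL and its field PROGRAM are a hypothetical customer
"    authorization object; ACTVT 16 is the standard activity "Execute".
AUTHORITY-CHECK OBJECT 'Z_DYN_CALL'
  ID 'PROGRAM' FIELD program
  ID 'ACTVT'   FIELD '16'.
IF sy-subrc <> 0.
  cl_demo_output=>display( |No authorization to start { program }| ).
  LEAVE PROGRAM.
ENDIF.

" 3. Only a whitelisted and authorized name reaches the dynamic call.
SUBMIT (program) AND RETURN.
```

The two checks answer different questions: the whitelist restricts which units the calling program is willing to start at all, independent of who runs it, while the authorization check decides whether the current user may trigger that particular start. Dropping either one leaves a gap, which is why the Note asks for both.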
Documentation extract taken from SAP system, © Copyright SAP AG. All rights reserved