SAP DYN CALL SCRTY documentation, setup help and example usage
Dynamic Calls
In dynamic calls, the name of the called unit is specified as the content of a character-like data object. If some or all of this content originates outside the calling program, there is a risk that units are called unintentionally. The only way of tackling this security risk is to compare the name with a whitelist. The class CL_ABAP_DYN_PRG provides the methods CHECK_WHITELIST_STR and CHECK_WHITELIST_TAB for this purpose.
Potential dynamic calls, and hence a potential security risk when handling input, can occur in the following cases:
  • When an executable program is specified dynamically after SUBMIT.

  • When a transaction is specified dynamically after CALL TRANSACTION and LEAVE TO TRANSACTION.

  • When classes and methods are specified dynamically in a dynamic method call using CALL METHOD.

  • When a class is specified dynamically in CREATE OBJECT (a dynamic call of the instance constructor).

  • When the function module is specified dynamically in a function module call using CALL FUNCTION (particularly if RFC is used).

  • When subroutines and programs are specified dynamically in dynamic subroutine calls using PERFORM.

  • When the system function is specified dynamically in the internal statement CALL.


  Note
    As well as checking that calls are intentional, it is also necessary to perform an authorization check on the current user in program calls.

    Example
    In the following program section, a transaction name, when entered, is checked against a whitelist that contains only transactions from the ABAP example library.
    " Whitelist of allowed transaction names, read from the repository
    " catalog: only transactions in package SABAPDEMOS are permitted.
    DATA whitelist TYPE HASHED TABLE OF string
                   WITH UNIQUE KEY table_line.
    SELECT obj_name
           FROM tadir
           INTO TABLE whitelist
           WHERE pgmid    = 'R3TR' AND
                 object   = 'TRAN' AND
                 devclass = 'SABAPDEMOS'.

    " The transaction name originates outside the program (user input).
    DATA transaction TYPE sy-tcode.
    cl_demo_input=>request( CHANGING field = transaction ).

    " Reject any name that is not in the whitelist before it is used.
    TRY.
        transaction = cl_abap_dyn_prg=>check_whitelist_tab(
                        val       = transaction
                        whitelist = whitelist ).
      CATCH cx_abap_not_in_whitelist INTO DATA(exc).
        cl_demo_output=>display( exc->get_text( ) ).
        LEAVE PROGRAM.
    ENDTRY.

    " The whitelist check does not replace the authorization check on the
    " current user; WITH AUTHORITY-CHECK performs it for the transaction.
    TRY.
        CALL TRANSACTION transaction WITH AUTHORITY-CHECK.
      CATCH cx_sy_authorization_error ##NO_HANDLER.
    ENDTRY.
    Documentation extract taken from SAP system, © Copyright SAP AG. All rights reserved
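The same pattern applied to a dynamic method call, where both the class name and the method name come from user input. This is an added example, not part of the SAP documentation extract above: the class name is checked with CHECK_WHITELIST_TAB against a table, the method name with CHECK_WHITELIST_STR against a comma-separated string. The class and method names (CL_DEMO_ONE, CL_DEMO_TWO, RUN, DISPLAY) are assumed placeholders.

```abap
REPORT zdemo_dyn_method_whitelist.

" Added example, not SAP documentation code. The whitelisted class and
" method names below are placeholders chosen for illustration.

DATA: class_name  TYPE string,
      method_name TYPE string.

" Allowed classes as a hashed table, as CHECK_WHITELIST_TAB expects.
DATA allowed_classes TYPE HASHED TABLE OF string
                     WITH UNIQUE KEY table_line.
allowed_classes = VALUE #( ( `CL_DEMO_ONE` ) ( `CL_DEMO_TWO` ) ).

" Both names originate outside the program and are therefore untrusted.
cl_demo_input=>request( CHANGING field = class_name ).
cl_demo_input=>request( CHANGING field = method_name ).

" Validate each name before it reaches the dynamic call. A value that is
" not in its whitelist raises CX_ABAP_NOT_IN_WHITELIST and the program
" stops without performing any call.
TRY.
    class_name = cl_abap_dyn_prg=>check_whitelist_tab(
                   val       = class_name
                   whitelist = allowed_classes ).
    " CHECK_WHITELIST_STR takes the allowed values as one string,
    " separated by commas.
    method_name = cl_abap_dyn_prg=>check_whitelist_str(
                    val       = method_name
                    whitelist = `RUN,DISPLAY` ).
  CATCH cx_abap_not_in_whitelist INTO DATA(exc).
    cl_demo_output=>display( exc->get_text( ) ).
    LEAVE PROGRAM.
ENDTRY.

" Only whitelisted names reach this point. Runtime errors of the dynamic
" call itself (for example a class without that method) are still caught.
TRY.
    CALL METHOD (class_name)=>(method_name).
  CATCH cx_sy_dyn_call_error INTO DATA(call_exc).
    cl_demo_output=>display( call_exc->get_text( ) ).
ENDTRY.
```

The note in the documentation still applies: the whitelist only establishes that the call is intentional, and an authorization check on the current user has to be performed separately where the called unit requires one.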