SAP DYN FILE SCRTY documentation, setup help and example usage
Directory Traversal
File names can be specified as the content of a character-like data object in the statements and in the system class of the ABAP file interface. If some or all of this content originates outside of the calling program, there is a risk that a crafted value makes the program access files or file paths it was never intended to reach (this is known as directory traversal). To combat security risks of this type, the file names must be validated. Here, the function module FILE_VALIDATE_NAME is recommended, which uses the existing logical file names as a whitelist.
Potential dynamic access to the file interface, and hence a potential security risk when handling input, can occur in the following cases:
  • When the file name is specified dynamically in the statements OPEN DATASET and DELETE DATASET.

  • When the file name is specified dynamically for the method CREATE_UTF8_FILE_WITH_BOM of the system class CL_ABAP_FILE_UTILITIES.

    Note
    Alongside the validation of file names, adequate checks should be made on the authorizations for file access.

    Example
    The following program section shows how a physical file name entered by an external source is validated by checking whether a logical file name exists for it.

    DATA file TYPE string.
    cl_demo_input=>request( CHANGING field = file ).

    CALL FUNCTION 'FILE_VALIDATE_NAME'
      EXPORTING
        logical_filename           = 'EXAMPLE_FILE'
      CHANGING
        physical_filename          = file
      EXCEPTIONS
        logical_filename_not_found = 1
        validation_failed          = 2
        OTHERS                     = 3.
    IF sy-subrc = 0.
      OPEN DATASET file FOR OUTPUT IN BINARY MODE.
    ELSE.
      cl_demo_output=>display( |Error return code { sy-subrc }| ).
    ENDIF.
    Documentation extract taken from SAP system, © Copyright SAP AG. All rights reserved
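The extract above validates the file name but leaves the authorization check mentioned in the note to the reader. The following report is an added example, not part of the SAP documentation and not SAP's own code: it wraps FILE_VALIDATE_NAME together with an AUTHORITY-CHECK on the standard authorization object S_DATASET (fields PROGRAM, ACTVT, FILENAME) in one guard method, and applies that guard to both OPEN DATASET and DELETE DATASET, the two statements the list above names. The logical file name EXAMPLE_FILE comes from the extract; the report name, the class name and the assumption that a logical file name EXAMPLE_FILE and S_DATASET authorizations are maintained in the system are this example's own.

```abap
" Added example (not from the SAP documentation extract).
" Assumptions: logical file name EXAMPLE_FILE is defined in the system
" and S_DATASET is maintained for this report.
REPORT zdemo_file_access_guard.

CLASS lcl_file_guard DEFINITION.
  PUBLIC SECTION.
    " allowed = abap_true only if the physical name passes the logical
    " file name whitelist AND the user holds S_DATASET for this activity.
    " actvt uses the standard ACTVT values: '33' read, '34' write, '06' delete.
    " file is a CHANGING parameter so the caller works with the name as
    " returned by FILE_VALIDATE_NAME, not the raw input.
    CLASS-METHODS is_allowed
      IMPORTING actvt   TYPE c LENGTH 2
      EXPORTING allowed TYPE abap_bool
      CHANGING  file    TYPE string.
ENDCLASS.

CLASS lcl_file_guard IMPLEMENTATION.
  METHOD is_allowed.
    allowed = abap_false.

    " Step 1: whitelist validation against the logical file name.
    CALL FUNCTION 'FILE_VALIDATE_NAME'
      EXPORTING
        logical_filename           = 'EXAMPLE_FILE'
      CHANGING
        physical_filename          = file
      EXCEPTIONS
        logical_filename_not_found = 1
        validation_failed          = 2
        OTHERS                     = 3.
    IF sy-subrc <> 0.
      RETURN.
    ENDIF.

    " Step 2: authorization for this program, activity and file name.
    AUTHORITY-CHECK OBJECT 'S_DATASET'
      ID 'PROGRAM'  FIELD sy-repid
      ID 'ACTVT'    FIELD actvt
      ID 'FILENAME' FIELD file.
    IF sy-subrc = 0.
      allowed = abap_true.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA: file    TYPE string,
        text    TYPE string,
        allowed TYPE abap_bool.

  " The file name is external input, exactly as in the documentation example.
  cl_demo_input=>request( CHANGING field = file ).

  " Write path: whitelist check plus write authorization (ACTVT 34).
  lcl_file_guard=>is_allowed( EXPORTING actvt   = '34'
                              IMPORTING allowed = allowed
                              CHANGING  file    = file ).
  IF allowed = abap_true.
    OPEN DATASET file FOR OUTPUT IN TEXT MODE ENCODING UTF-8.
    IF sy-subrc = 0.
      text = 'written after validation and authorization check'.
      TRANSFER text TO file.
      CLOSE DATASET file.
      cl_demo_output=>write( 'File written' ).
    ELSE.
      cl_demo_output=>write( 'File could not be opened' ).
    ENDIF.
  ELSE.
    cl_demo_output=>write( 'Write rejected' ).
  ENDIF.

  " Delete path: same whitelist, but delete authorization (ACTVT 06).
  lcl_file_guard=>is_allowed( EXPORTING actvt   = '06'
                              IMPORTING allowed = allowed
                              CHANGING  file    = file ).
  IF allowed = abap_true.
    DELETE DATASET file.
    cl_demo_output=>write( 'File deleted' ).
  ELSE.
    cl_demo_output=>write( 'Delete rejected' ).
  ENDIF.

  cl_demo_output=>display( ).
```

The order matters: the name is validated before it is used in the authorization check, so the S_DATASET check always sees the value FILE_VALIDATE_NAME returned rather than the raw input, and no statement of the file interface runs unless both checks pass.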