ABAP Command Injections
ABAP command injections, the injection of malicious ABAP code into programs, are a potential risk in generic programming. The most important statements in generic programming are:
GENERATE SUBROUTINE POOL
INSERT REPORT
Both of these statements can be used to create executable ABAP code,
some or all of which can originate outside of the program. Careful
checks must be made on those parts of programs created in this way that
originate from outside of the program. The greater the number of these
parts, the more difficult this is. For this reason, it is recommended
that all other dynamic programming techniques are tried before resorting
to program generation. If it is absolutely necessary to use program
generation, the dynamic parts of programs should be kept as few as
possible. Persistently saved forms are useful here, in which
placeholders are replaced by the dynamic parts and whose static parts
are checked for security gaps. If the dynamic parts originate outside
the program, they must be checked in accordance with how they are used
in the form.
Note
In principle, the ABAP command injections cover all individual
security risks that can occur in dynamic programming.
Example
The following program is a perfect example of a worst case scenario. Every user with authorization for this program can enter and execute source code at will. The minimum action that must be taken is to check the development authorization of the current user (see the example for authorizations). Another option is to check whether the system in question is a development or production system. Checking entered program code, on the other hand, is very difficult, particularly if the entire program is modifiable (as here) and not just a single line in a pattern. The example Program Generation shows an attempt to restrict a freely modifiable program to make it secure.
TYPES prog TYPE TABLE OF string WITH EMPTY KEY.

" Skeleton of a subroutine pool, offered to the user as editable text
DATA(text) = concat_lines_of( VALUE prog(
  ( |PROGRAM.\n\n| )
  ( |FORM do_it.\n| )
  ( |  ...\n| )
  ( |ENDFORM.| ) ) ).

" The user may change the whole text, i.e. the entire program is dynamic
CALL FUNCTION 'DEMO_INPUT_TEXT'
  CHANGING
    text_string = text
  EXCEPTIONS
    canceled    = 4.
IF sy-subrc = 4.
  LEAVE PROGRAM.
ENDIF.

" The entered text is generated and executed without any check
SPLIT text AT |\n| INTO TABLE DATA(prog).

GENERATE SUBROUTINE POOL prog NAME DATA(pool).
IF sy-subrc = 0.
  PERFORM do_it IN PROGRAM (pool).
ENDIF.
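As an added example (not part of the SAP documentation extract), the same generation pattern with the measures named above applied: the development authorization is checked, generation is refused in a production client, and the dynamic part is reduced to a single placeholder in a static form and checked against the way it is used there. The input field p_tab, the client-role check via T000-CCCATEGORY and the table-name check against DD02L are assumptions of this example.

```abap
" Added example: generation with one checked placeholder instead of free text.
" Assumptions: hypothetical input p_tab; client role taken from T000.
PARAMETERS p_tab TYPE tabname.

" 1. Only users with development authorization may generate code
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' DUMMY
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'OBJNAME'  DUMMY
  ID 'P_GROUP'  DUMMY
  ID 'ACTVT'    FIELD '02'.
IF sy-subrc <> 0.
  MESSAGE 'No development authorization' TYPE 'E'.
ENDIF.

" 2. Refuse to generate in a production client (T000-CCCATEGORY = 'P')
SELECT SINGLE cccategory FROM t000 WHERE mandt = @sy-mandt
  INTO @DATA(role).
IF role = 'P'.
  MESSAGE 'Generation not allowed in production' TYPE 'E'.
ENDIF.

" 3. Check the dynamic part as it is used in the form: it stands where a
"    table name is expected, so it must be an active transparent table
SELECT SINGLE tabname FROM dd02l
  WHERE tabname = @p_tab AND tabclass = 'TRANSP' AND as4local = 'A'
  INTO @DATA(found).
IF sy-subrc <> 0.
  MESSAGE 'Not a transparent table' TYPE 'E'.
ENDIF.

" 4. Static form; only the checked value replaces the placeholder
TYPES prog_tab TYPE TABLE OF string WITH EMPTY KEY.
DATA(prog) = VALUE prog_tab(
  ( |PROGRAM.| )
  ( |FORM do_it.| )
  ( |  SELECT COUNT( * ) FROM { p_tab } INTO @DATA(cnt).| )
  ( |  WRITE cnt.| )
  ( |ENDFORM.| ) ).

" 5. Syntax check first; generate and call only if both succeed
DATA: mess TYPE string, lin TYPE i, wrd TYPE string.
SYNTAX-CHECK FOR prog MESSAGE mess LINE lin WORD wrd.
IF sy-subrc <> 0.
  MESSAGE mess TYPE 'E'.
ENDIF.
GENERATE SUBROUTINE POOL prog NAME DATA(pool).
IF sy-subrc = 0.
  PERFORM do_it IN PROGRAM (pool).
ENDIF.
```

Whatever the user enters, the generated subroutine can only ever contain the statements of the static form with a verified table name in the placeholder.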
Documentation extract taken from SAP system, © Copyright SAP AG. All rights reserved