sapdev logo background
sapdev logo sapdev logo
Comments

SAP GENERIC PROG SCRTY documentation, setup help and example usage



Return to SAP documentation index


ARTICLE

ABAP Command Injections
ABAP command injections , the injection of malicious ABAP code into programs, is a potential risk in generic programming. The most important statements in generic programming are
  • GENERATE SUBROUTINE POOL

  • INSERT REPORT

    • Both of these statements can be used to create executable ABAP code, some or all of which can originate outside of the program. Careful checks must be made on those parts of programs created in this way that originate from outside of the program. The greater the number of these parts, the more difficult this is. For this reason, it is recommended that all other dynamic programming techniques are tried before resorting to program generation. If it is absolutely necessary to use program generation, the dynamic parts of programs should be kept as few as possible. Persistently saved forms are useful here, in which placeholders are replaced by the dynamic parts and whose static parts are checked for security gaps. If the dynamic parts originate outside the program, they must be checked in accordance with how they are used in the form.

    Note
    In principle, the ABAP command injections cover all individual security risks that can occur in dynamic programming.

    Example
    The following program is a perfect example of a worst case scenario . Every user with authorization for this program can enter and execute source code at will. The minimum action that must be taken is to check the development authorization of the current user (see the example for authorizations ). Another option is to check whether the system in question is a development or production system. Checking entered program code, on the other hand, is very difficult, particularly if the entire program is modifiable (as here) and not just a single line in a pattern. The example Program Generation shows an attempt to restrict a freely modifiable program to make it secure.
    TYPES prog TYPE TABLE OF string WITH EMPTY KEY.

    DATA(text) = concat_lines_of( VALUE prog(
    ( |PROGRAM.\n\n| )
    ( |FORM do_it.\n| )
    ( | ...\n| )
    ( |ENDFORM.| ) ) ).

    CALL FUNCTION 'DEMO_INPUT_TEXT'
    CHANGING
    text_string = text
    EXCEPTIONS
    canceled = 4.
    IF sy-subrc = 4.
    LEAVE PROGRAM.
    ENDIF.
    SPLIT text AT |\n| INTO TABLE DATA(prog).

    GENERATE SUBROUTINE POOL prog NAME DATA(pool).
    IF sy-subrc = 0.
    PERFORM do_it IN PROGRAM (pool).
    ENDIF.
    Documentation extract taken from SAP system, � Copyright SAP AG. All rights reserved




    GENERIC_PROGR_GUIDL
    GENERIC_TEXT_INTERNAL




    comments powered by Disqus
    SAP Development ABAP SAP Reporting Data Dictionary Search Helps SAP Tables
    Contact Us Partners Terms of Service Privacy Policy Advertise Resources