
SAP OBSCURE CODE SCRTY documentation, setup help and example usage





ARTICLE

Obscuring ABAP Source Code
ABAP source code is obscured if tasks that could be performed directly are instead performed by way of diversions that disguise their real purpose. One common form of obscured code is information that could be specified statically being specified with dynamic programming techniques instead. Code is obscured for one of the following reasons:
  • Obscured code that is not directly malicious is often used to bypass static checks, for example to hide a false positive from the check.

  • Code is obscured for malicious purposes to disguise back doors and other forms of attack, such as injections.

In general, any type of obscured code presents a security risk. Instead of bypassing static checks with obscured code, false positives should be handled by other means, such as exemptions. Obscured code can often only be detected by a two-person review (code inspection), because the static analysis cannot follow the diversion.

    Example
    Maliciously obscured code in a user-dependent program flow, which can generally only be detected by code inspection. The dynamic ASSIGN resolves the string literal `SY-UNAME` to the system field sy-uname at runtime, so the IF branch is taken only for a particular user, while the name sy-uname never appears as a static operand that a check could see.
    DATA(field) = `SY-UNAME`.
    ASSIGN (field) TO FIELD-SYMBOL(<field>).
    ...
    IF <field> = `...`.
    ...
    ENDIF.

    Example
    Code obscured without malicious intent. In an HTTP request handler, an HTML document is created by calling a method in which potential cross-site scripting (XSS) has already been prevented. A static security check that does not look into the called method may nevertheless classify this as a security risk and demand that the HTML be escaped again. The dynamic assignment of the HTML to a field symbol is used to bypass the false positive raised by the check.
    METHOD if_http_extension~handle_request.
    DATA(html) = cl_demo_html_provider=>get( ).
    "XSS is prevented in cl_demo_html_provider
    DATA(html_name) = `HTML`.
    ASSIGN (html_name) TO FIELD-SYMBOL(<html>).
    server->response->set_cdata( data = <html> ).
    ENDMETHOD.
    The correct form of the HTTP request handler is:
    METHOD if_http_extension~handle_request.
    DATA(html) = cl_demo_html_provider=>get( ).
    "XSS is prevented in cl_demo_html_provider
    server->response->set_cdata( data = html ).
    ENDMETHOD.
    If the security check raises a false positive, either an exemption or an improvement to the check should be requested, rather than working around it in the code.
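    The documentation says that obscured code of this kind can generally only be found by code inspection. The following Python script is an added illustration, not part of the SAP documentation and not a reproduction of any SAP check (ATC or the Code Vulnerability Analyzer): it shows that the specific pattern used in both examples above, a string literal stored in a variable and then used as the name in a dynamic ASSIGN, is mechanically detectable with a statement-level scan, because the "dynamic" name is in fact a compile-time constant. SAMPLE_ABAP is a constructed input that reproduces the two examples; the user name BACKDOOR_USER stands in for the `...` the page leaves open, and all function names are the example's own.

```python
import re

# Constructed sample input (not taken from an SAP system): the two examples
# above, with a placeholder user name where the page writes `...`.
SAMPLE_ABAP = """
DATA(field) = `SY-UNAME`.
ASSIGN (field) TO FIELD-SYMBOL(<field>).
IF <field> = `BACKDOOR_USER`.
ENDIF.
METHOD if_http_extension~handle_request.
  DATA(html) = cl_demo_html_provider=>get( ).
  "XSS is prevented in cl_demo_html_provider
  DATA(html_name) = `HTML`.
  ASSIGN (html_name) TO FIELD-SYMBOL(<html>).
  server->response->set_cdata( data = <html> ).
ENDMETHOD.
"""

# var = literal, including inline declarations DATA(var) = `...` / '...'
LITERAL_ASSIGN = re.compile(
    r"^(?:DATA\((\w+)\)|(\w+))\s*=\s*(?:`([^`]*)`|'([^']*)')$", re.IGNORECASE)
# ASSIGN (var) TO <fs>  or  ASSIGN (var) TO FIELD-SYMBOL(<fs>)
DYNAMIC_ASSIGN = re.compile(
    r"^ASSIGN\s+\((\w+)\)\s+TO\s+(?:FIELD-SYMBOL\(\s*)?(<\w+>)", re.IGNORECASE)
# ASSIGN ('NAME') TO ... : the literal is written straight into the parentheses
DYNAMIC_ASSIGN_LITERAL = re.compile(
    r"^ASSIGN\s+\(\s*(?:`([^`]*)`|'([^']*)')\s*\)\s+TO", re.IGNORECASE)
# Any other assignment to a tracked name makes its value unknown again
ANY_ASSIGN = re.compile(r"^(?:DATA\((\w+)\)|(\w+))\s*=", re.IGNORECASE)


def split_statements(source):
    """Split ABAP source into period-terminated statements, ignoring periods
    inside '...' / `...` literals and in comments (" to end of line, or * in
    the first column). Whitespace is collapsed to single spaces, so literal
    contents containing runs of spaces are normalised as well."""
    statements, buf = [], []
    i, n = 0, len(source)
    while i < n:
        ch = source[i]
        if ch == '"' or (ch == "*" and (i == 0 or source[i - 1] == "\n")):
            while i < n and source[i] != "\n":      # skip the comment
                i += 1
            continue
        if ch in ("'", "`"):                          # copy a literal verbatim
            quote = ch
            buf.append(ch)
            i += 1
            while i < n:
                buf.append(source[i])
                if source[i] == quote:
                    if i + 1 < n and source[i + 1] == quote:   # doubled quote
                        buf.append(source[i + 1])
                        i += 2
                        continue
                    i += 1
                    break
                i += 1
            continue
        if ch == ".":
            stmt = " ".join("".join(buf).split())
            if stmt:
                statements.append(stmt)
            buf = []
        else:
            buf.append(ch)
        i += 1
    return statements


def find_obscured_assigns(source):
    """Report dynamic ASSIGNs whose target name is a compile-time constant,
    i.e. a name that could have been written statically. A name whose value
    is genuinely computed at runtime is not reported."""
    constants = {}        # upper-cased variable name -> literal it currently holds
    findings = []
    for stmt in split_statements(source):
        m = LITERAL_ASSIGN.match(stmt)
        if m:
            name = (m.group(1) or m.group(2)).upper()
            constants[name] = (m.group(3) if m.group(3) is not None else m.group(4)).upper()
            continue
        m = DYNAMIC_ASSIGN_LITERAL.match(stmt)
        if m:
            target = (m.group(1) if m.group(1) is not None else m.group(2)).upper()
            findings.append({"statement": stmt, "resolves_to": target, "via": None})
            continue
        m = DYNAMIC_ASSIGN.match(stmt)
        if m:
            var = m.group(1).upper()
            if var in constants:
                findings.append({"statement": stmt, "resolves_to": constants[var], "via": var})
            continue
        m = ANY_ASSIGN.match(stmt)
        if m:
            constants.pop((m.group(1) or m.group(2)).upper(), None)
    return findings


if __name__ == "__main__":
    for hit in find_obscured_assigns(SAMPLE_ABAP):
        where = f" (through variable {hit['via']})" if hit["via"] else ""
        print(f"{hit['statement']}  ->  static target {hit['resolves_to']}{where}")
```

    Run against SAMPLE_ABAP the scan reports both dynamic ASSIGNs, resolving the first to SY-UNAME and the second to HTML, which is exactly the information the obscuring was meant to hide from a static check. The scan deliberately stays silent when the name variable is overwritten with a non-literal value before the ASSIGN, since such a lookup is dynamic in substance; it is a heuristic for one diversion pattern, not a replacement for the code inspection the documentation calls for.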
    Documentation extract taken from SAP system, © Copyright SAP AG. All rights reserved







