Program Generation
This example demonstrates how a program is generated using
GENERATE SUBROUTINE POOL.
The program permits declaration statements to be entered in a
declaration part and operational statements to be entered in an
implementation part. These entries are inserted consecutively into a
method of a pattern program, which is imported into an internal table
using the statement READ REPORT. When Execute is selected, the program
is generated using GENERATE SUBROUTINE POOL and the method is called.
Before this happens, the syntax is checked using SYNTAX-CHECK.
The ability to enter source code for a generic program presents the
greatest potential security risk. The following measures have been taken
to avoid abuse of this program:
The static constructor of the class display checks whether the
program is executed in a production system (a system with production
clients). Source code cannot be entered in these systems and no function
codes are accepted apart from the display of documentation.
The static constructor of the class display checks whether the
current user has authorization for ABAP Editor in the current system and
development authorization for modifying and executing temporary
programs. Only these users can enter source code and execute programs,
since all actions possible here are also possible in the development
environment.
Since developers in particular are tempted to test the vulnerability of
their test programs, the available statements are restricted as follows:
Only declarative statements can be entered in the declaration part. This
is checked using the same syntax check as for the declaration part of a
class. This check is made in the method check_declarations of
the class program.
Only those statements entered in a white list are valid in the
implementation part. A black list prevents the use of other
classes or objects (except for the output class CL_DEMO_OUTPUT). This
check is made in the method check_implementation of the class program,
with the method CHECK of the class CL_DEMO_SECURE_ABAP_CODE
being called. If the statements INSERT, MODIFY, or
DELETE are used, the addressed table must be declared in the
declaration part. This prevents writes from being performed on database
tables.
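The generation sequence described above, with an authorization gate and the syntax check placed before GENERATE SUBROUTINE POOL, as an added example that is not SAP's demo program. The report name, the inline pattern source, the sample entries and the use of S_DEVELOP are assumptions; the statement checks of CL_DEMO_SECURE_ABAP_CODE are not reproduced here.

```abap
REPORT z_demo_generate_gate. " hypothetical program name

" Constructed sample input standing in for the two entry areas.
DATA(declarations)   = VALUE string_table( ( `DATA itab TYPE TABLE OF i.` ) ).
DATA(implementation) = VALUE string_table(
  ( `INSERT 1 INTO TABLE itab.` )          " target is declared above
  ( `cl_demo_output=>display( itab ).` ) ).

" Gate 1: development authorization (S_DEVELOP is assumed, not named on the page).
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' DUMMY
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'OBJNAME'  DUMMY
  ID 'P_GROUP'  DUMMY
  ID 'ACTVT'    FIELD '02'.
IF sy-subrc <> 0.
  MESSAGE 'No authorization to generate programs' TYPE 'E'.
ENDIF.

" Inline stand-in for the pattern program that the page reads with READ REPORT.
DATA(source) = VALUE string_table(
  ( `PROGRAM.` )
  ( `CLASS main DEFINITION.` )
  ( `  PUBLIC SECTION.` )
  ( `    CLASS-METHODS run.` )
  ( `ENDCLASS.` )
  ( `CLASS main IMPLEMENTATION.` )
  ( `  METHOD run.` ) ).
APPEND LINES OF declarations   TO source.
APPEND LINES OF implementation TO source.
APPEND `  ENDMETHOD.` TO source.
APPEND `ENDCLASS.`    TO source.

" Gate 2: syntax check as a subroutine pool; nothing is generated on failure.
DATA: mess TYPE string, lin TYPE i, wrd TYPE string, prog TYPE string.
SELECT SINGLE * FROM trdir WHERE name = @sy-repid INTO @DATA(dir).
dir-subc = 'S'.
SYNTAX-CHECK FOR source MESSAGE mess LINE lin WORD wrd DIRECTORY ENTRY dir.
IF sy-subrc <> 0.
  MESSAGE mess TYPE 'E'.
ENDIF.

" Generate the temporary subroutine pool and call the method dynamically.
GENERATE SUBROUTINE POOL source NAME prog MESSAGE mess LINE lin WORD wrd.
IF sy-subrc <> 0.
  MESSAGE mess TYPE 'E'.
ENDIF.
DATA(class) = `\PROGRAM=` && prog && `\CLASS=MAIN`.
CALL METHOD (class)=>run.
```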
Note
If, despite these measures, it is still possible to generate and execute
potentially dangerous code with this program without manipulating the
program flow or the program data in the debugger, inform the component
BC-ABA-LA immediately.
Documentation extract taken from SAP system, © Copyright SAP AG. All rights reserved