SAP GENERIC PROG SCRTY

Get Example source ABAP code based on a different SAP table
  


ARTICLE

ABAP Command Injections
ABAP command injections, the injection of malicious ABAP code into programs, is a potential risk in generic programming. The most important statements in generic programming are
GENERATE SUBROUTINE POOL
INSERT REPORT
Both of these statements can be used to create executable ABAP code, some or all of which can originate outside of the program. Careful checks must be made on those parts of programs created in this way that originate from outside of the program. The greater the number of these parts, the more difficult this is. For this reason, it is recommended that all other dynamic programming techniques are tried before resorting to program generation. If it is absolutely necessary to use program generation, the dynamic parts of programs should be kept as few as possible. Persistently saved forms are useful here, in which placeholders are replaced by the dynamic parts and whose static parts are checked for security gaps. If the dynamic parts originate outside the program, they must be checked in accordance with how they are used in the form.

Note
In principle, the ABAP command injections cover all individual security risks that can occur in dynamic programming.

Example
The following program is a perfect example of a worst case scenario. Every user with authorization for this program can enter and execute source code at will. The minimum action that must be taken is to check the development authorization of the current user (see the example for authorizations). Another option is to check whether the system in question is a development or production system. Checking entered program code, on the other hand, is very difficult, particularly if the entire program is modifiable (as here) and not just a single line in a pattern. The example Program Generation shows an attempt to restrict a freely modifiable program to make it secure. TYPES prog TYPE TABLE OF string WITH EMPTY KEY.

DATA(text) = concat_lines_of( VALUE prog(
( |PROGRAM. | )
( |FORM do_it. | )
( | ... | )
( |ENDFORM.| ) ) ).

CALL FUNCTION 'DEMO_INPUT_TEXT'
CHANGING
text_string = text
EXCEPTIONS
canceled = 4.
IF sy-subrc = 4.
LEAVE PROGRAM.
ENDIF.
SPLIT text AT | | INTO TABLE DATA(prog).

GENERATE SUBROUTINE POOL prog NAME DATA(pool).
IF sy-subrc = 0.
PERFORM do_it IN PROGRAM (pool).
ENDIF.