ABAP Keyword Documentation →  ABAP - Security Notes →  Security Risks in Dynamic Programming → 

Dynamic Calls

In dynamic calls, the name of the called unit is specified as the content of a character-like data object. If some or all of this content originates outside of the calling program, there is a risk that units are called unintentionally. The only way of tackling this security risk is to perform a comparison with a whitelist. The class CL_ABAP_DYN_PRG provides the methods CHECK_WHITELIST_STR and CHECK_WHITELIST_TAB.

Potential dynamic calls and hence a potential security risk when handling input can occur in the following cases:

Note

As well as checking intentional calls, it is also necessary to perform an authorization check on the current user in program calls.

Example

In the following program section, a transaction name, when entered, is checked against a whitelist that contains only transactions from the ABAP example library.

DATA whitelist TYPE HASHED TABLE OF string
               WITH UNIQUE KEY table_line.
SELECT obj_name
       FROM tadir
       INTO TABLE whitelist
       WHERE pgmid    = 'R3TR' AND
             object   = 'TRAN' AND
             devclass = 'SABAPDEMOS'.

DATA transaction TYPE sy-tcode.
cl_demo_input=>request( CHANGING field = transaction ).

TRY.
    transaction = cl_abap_dyn_prg=>check_whitelist_tab(
      val = transaction
      whitelist = whitelist ).
  CATCH cx_abap_not_in_whitelist INTO DATA(exc).
    cl_demo_output=>display( exc->get_text( ) ).
    LEAVE PROGRAM.
ENDTRY.

TRY.
    CALL TRANSACTION transaction WITH AUTHORITY-CHECK.
  CATCH cx_sy_authorization_error ##NO_HANDLER.
ENDTRY.