SAP NetWeaver AS ABAP Release 740, ©Copyright 2014 SAP AG. All rights reserved.
Dynamic Calls
In dynamic calls, the name of the called unit is specified as the content of a character-like data object. If some or all of this content originates outside of the calling program, there is a risk that units are called unintentionally. The only way of tackling this security risk is to perform a comparison with a whitelist. The class CL_ABAP_DYN_PRG provides the methods CHECK_WHITELIST_STR and CHECK_WHITELIST_TAB.
Potential dynamic calls and hence a potential security risk when handling input can occur in the following cases:
Note
In addition to checking that a call is intended, program calls also require an authorization check on the current user.
Example
In the following program section, a transaction name, when entered, is checked against a whitelist that contains only transactions from the ABAP example library.
" Build the whitelist: all transactions of the ABAP example library
DATA whitelist TYPE HASHED TABLE OF string
               WITH UNIQUE KEY table_line.
SELECT obj_name
       FROM tadir
       INTO TABLE whitelist
       WHERE pgmid = 'R3TR' AND
             object = 'TRAN' AND
             devclass = 'SABAPDEMOS'.

" Transaction name entered by the user (input from outside the program)
DATA transaction TYPE sy-tcode.
cl_demo_input=>request( CHANGING field = transaction ).

" Stop if the entered name is not in the whitelist
TRY.
    transaction = cl_abap_dyn_prg=>check_whitelist_tab(
      val = transaction
      whitelist = whitelist ).
  CATCH cx_abap_not_in_whitelist INTO DATA(exc).
    cl_demo_output=>display( exc->get_text( ) ).
    LEAVE PROGRAM.
ENDTRY.

" Call the checked transaction with an authorization check on the current user
TRY.
    CALL TRANSACTION transaction WITH AUTHORITY-CHECK.
  CATCH cx_sy_authorization_error ##NO_HANDLER.
ENDTRY.
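The example above uses CHECK_WHITELIST_TAB with a whitelist read from the database. The following added example, which is not part of the SAP documentation, uses CHECK_WHITELIST_STR with a fixed comma-separated whitelist to guard a dynamic method call. The report name, the local class lcl_actions and its methods are hypothetical.

```abap
REPORT z_dyn_call_whitelist_demo. " hypothetical report name

CLASS lcl_actions DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS: show_status,
                   show_version,
                   reset_data. " callable in code, but not offered to input
ENDCLASS.

CLASS lcl_actions IMPLEMENTATION.
  METHOD show_status.
    cl_demo_output=>write( `Status requested` ).
  ENDMETHOD.
  METHOD show_version.
    cl_demo_output=>write( `Version requested` ).
  ENDMETHOD.
  METHOD reset_data.
    cl_demo_output=>write( `Reset requested` ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA input TYPE string.
  cl_demo_input=>request( CHANGING field = input ).

  " Compare the input with a fixed, comma-separated whitelist before
  " it is used as a method name. Upper-casing is a choice of this
  " example so that lower-case input still matches the whitelist.
  TRY.
      DATA(method_name) = cl_abap_dyn_prg=>check_whitelist_str(
        val       = to_upper( input )
        whitelist = `SHOW_STATUS,SHOW_VERSION` ).
    CATCH cx_abap_not_in_whitelist INTO DATA(not_allowed).
      cl_demo_output=>display( not_allowed->get_text( ) ).
      LEAVE PROGRAM.
  ENDTRY.

  " Only a whitelisted name reaches the dynamic call; RESET_DATA
  " exists in the class but cannot be selected through the input.
  TRY.
      CALL METHOD lcl_actions=>(method_name).
    CATCH cx_sy_dyn_call_error INTO DATA(call_error).
      cl_demo_output=>display( call_error->get_text( ) ).
      LEAVE PROGRAM.
  ENDTRY.
  cl_demo_output=>display( ).
```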