
ATC Check CVA Finding: User-driven dynamic procedure call of program unit

Dynamic program calls in ABAP code are reported in the ATC check results list as the CVA finding "User-driven dynamic procedure call of program unit" if the value of the program name variable is not validated against a whitelist of program names. If ABAP developers validate the dynamic program name before using it in dynamic programming code, the ATC check will not classify those code blocks as insecure.

In a dynamic program call, the ABAP developer passes the name of the called program as a character-like or string data object. If the target program lies outside the calling ABAP program, there is an obvious risk of misuse, especially when the string value is read from selection screen input or from another GUI element that accepts user interaction.

User-driven dynamic procedure call of program unit

Check Title: Security Checks for ABAP (CVA)
Check Message: User-driven dynamic procedure call of program unit
Priority: Priority 1
Variable SO_PROG-LOW can be used externally to control dynamic program calls.
Risk of attacks through the user interface.
Data Flow:
Program: ZMAIL_FROM_ALV Input Field: SO_PROG[] (REPS ZMAIL_FROM_ALV_SEL [6])
SO_PROG[] -> SO_PROG (include ZMAIL_FROM_ALV_EVENTS, line 26) Cannot be suppressed using a pragma or pseudo-comment

In my ABAP program, when I executed an ATC check, the CVA finding "User-driven dynamic procedure call of program unit" was reported for the below SUBMIT command line.

" p_pgm holds a program name taken from the selection screen, so the
" CVA check treats the dynamic SUBMIT as user-controlled.
SUBMIT (p_pgm) USING SELECTION-SET p_vari
  TO SAP-SPOOL SPOOL PARAMETERS params WITHOUT SPOOL DYNPRO
  AND RETURN.

To resolve the problem, the best approach is to convert the dynamic program call into a static call. Of course this is not always possible.
If you cannot avoid dynamic programming and have to implement a dynamic program call, the input program name should be checked against a whitelist of program names using the SAP class CL_ABAP_DYN_PRG.

ABAP class CL_ABAP_DYN_PRG provides two methods for ABAP programmers to compare the dynamic program name variable value with a validated whitelist:
1. check_whitelist_str
2. check_whitelist_tab

After the dynamic program name has been validated with one of the methods of ABAP class CL_ABAP_DYN_PRG, it is assumed secure to call it and ATC will not report a security issue.

The sample ABAP code above that causes the ATC finding can be secured by adding the following code block before the SUBMIT statement:

" Whitelist table: the check only accepts a value that is a line of this table.
DATA lt_whitelist TYPE HASHED TABLE OF string WITH UNIQUE KEY table_line.

" Note: because the lookup filters TADIR by the user's input, this whitelist
" only confirms that p_pgm is an existing report; it does not restrict
" which reports may be started. A fixed list of allowed names is stricter.
SELECT obj_name FROM tadir INTO TABLE lt_whitelist
  WHERE pgmid = 'R3TR' AND object = 'PROG' AND obj_name = p_pgm.

TRY.
    " Returns the validated value; raises CX_ABAP_NOT_IN_WHITELIST otherwise.
    p_pgm = cl_abap_dyn_prg=>check_whitelist_tab( val = p_pgm whitelist = lt_whitelist ).
  CATCH cx_abap_not_in_whitelist INTO DATA(exc).
    " Never fall through to the dynamic call with an unvalidated name.
    LEAVE PROGRAM.
ENDTRY.

If no exception is raised in the TRY-CATCH block where the cl_abap_dyn_prg=>check_whitelist_tab method is called, the dynamic program call SUBMIT (report_name) can be executed.
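As an added example that is not part of the original post, the same protection using the other method, check_whitelist_str, with a fixed comma-separated list of allowed report names instead of a TADIR lookup. The report name and the allowed program names are placeholders:

```abap
REPORT zdemo_dyn_submit_whitelist.  " hypothetical report name

" Program name entered by the user on the selection screen.
PARAMETERS p_pgm TYPE programm OBLIGATORY.

" Fixed whitelist of the only reports this program may start.
" The names are placeholders for the real reports you intend to allow.
CONSTANTS gc_allowed TYPE string VALUE 'ZREPORT_A,ZREPORT_B,ZREPORT_C'.

DATA lv_pgm TYPE programm.

START-OF-SELECTION.

  TRY.
      " Returns the validated value only if it matches one element of the
      " comma-separated list; raises CX_ABAP_NOT_IN_WHITELIST otherwise.
      lv_pgm = cl_abap_dyn_prg=>check_whitelist_str(
                 val       = p_pgm
                 whitelist = gc_allowed ).
    CATCH cx_abap_not_in_whitelist INTO DATA(lx_not_allowed).
      " Report the rejected name and stop; the dynamic call is never reached.
      MESSAGE lx_not_allowed->get_text( ) TYPE 'E'.
  ENDTRY.

  " Only the validated variable is used in the dynamic call, so the data
  " flow the CVA check follows from the input field ends at the whitelist check.
  SUBMIT (lv_pgm) AND RETURN.
```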


Copyright © 2004 - 2021 Eralper YILMAZ. All rights reserved.