Defect #1: Security

Hello, we’re Adventier. Our ABAP quality assurance solution, CodeProfiler, is the only application that SAP endorses and uses internally to keep their ABAP code efficient, secure and compliant.

CodeProfiler can find this defect in less than a second – can you?

The Code.

TYPES: line(72) TYPE c.

DATA: lt_tab TYPE STANDARD TABLE OF line.
DATA: lv_input TYPE string.
DATA: lv_code TYPE string.

" Untrusted value straight from the HTTP request
lv_input = me->request->get_form_field( 'lv_input' ).

" The request value is pasted into an ABAP statement as source text
CONCATENATE `WRITE '` lv_input `'.` INTO lv_code.

APPEND 'report CP_REPORT.' TO lt_tab.
APPEND 'write: ''Hello world!''.' TO lt_tab.
APPEND lv_code TO lt_tab.

" The assembled source becomes a real program in the system
INSERT REPORT 'CP_REPORT' FROM lt_tab.

Here’s the solution to Defect #1.

Defect Name: ABAP Command Injection (Report)

Risk: The ABAP statements INSERT REPORT and SUBMIT together create and execute ABAP code at runtime. Embedding user input in such a dynamically built report is a very high security risk, because the input is compiled as code rather than handled as data.

Business Risk: If a user can execute arbitrary ABAP statements on an SAP system, the system can be completely compromised:

- Read and write access to all business data in the database
- Execution of arbitrary business logic

ABAP command injection therefore also violates regulatory compliance requirements.

Detail Explanation
The ABAP statement INSERT REPORT is used to construct an ABAP report dynamically. This is done by concatenating strings that are usually read from a data source. Once the ABAP report has been assembled, it can be executed with the statement SUBMIT (GENERATE REPORT only compiles it).

Such a coding practice is very dangerous: it constructs code on the fly that never passed through development, review or transport, and the code may leave little or no trace on the system afterwards. In the code above, any request value that contains a single quote closes the WRITE literal early, and everything after it is compiled and run as ABAP.

Congratulations to Larry at Schneider Electric for figuring it out!

Here’s the Solution in General.

TYPES: line(72) TYPE c.

DATA: lt_tab TYPE STANDARD TABLE OF line.
DATA: lv_input TYPE string.
DATA: lv_code TYPE string.

lv_input = me->request->get_form_field( 'lv_input' ).

" Whitelist: CN is true if lv_input contains any character other than
" the digits listed, so only all-digit values reach the generated code
IF lv_input CN '0123456789'.
  lv_input = '0'.
ENDIF.

CONCATENATE `WRITE '` lv_input `'.` INTO lv_code.

APPEND 'report CP_REPORT.' TO lt_tab.
APPEND 'write: ''Hello world!''.' TO lt_tab.
APPEND lv_code TO lt_tab.

INSERT REPORT 'CP_REPORT' FROM lt_tab.

SUBMIT ('CP_REPORT').
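The digits-only whitelist works for this particular field, but it does not generalise to free text. The following is an added example, not code from the original post or from CodeProfiler: it shows what the vulnerable concatenation turns a crafted request value into, and then two hardened variants, one that keeps the value out of the generated source entirely and one that uses SAP's standard class CL_ABAP_DYN_PRG. The methods ESCAPE_QUOTES and CHECK_INT_VALUE of that class and the exception class CX_ABAP_NOT_A_NUMBER are assumed to be available on the system; me->request is taken from the original code.

```abap
" Added example, not code from the original post. Assumed (not on the
" page): class CL_ABAP_DYN_PRG with methods ESCAPE_QUOTES and
" CHECK_INT_VALUE, exception class CX_ABAP_NOT_A_NUMBER, and me->request
" as used in the original handler.

TYPES: line(72) TYPE c.

DATA: lt_tab   TYPE STANDARD TABLE OF line,
      lv_input TYPE string,
      lv_count TYPE string,
      lv_code  TYPE string.

lv_input = me->request->get_form_field( 'lv_input' ).
lv_count = me->request->get_form_field( 'lv_count' ).   " assumed second field

" Why the original is exploitable. A constructed request value such as
"   x'. WRITE 'injected'. WRITE '
" makes  CONCATENATE `WRITE '` lv_input `'.` INTO lv_code  produce
"   WRITE 'x'. WRITE 'injected'. WRITE ''.
" The first quote closes the literal early; the rest of the field is
" compiled and executed as ABAP on SUBMIT. Any statement works in place
" of the harmless WRITE.

" Fix 1 (preferred): keep the value as data. The generated report declares
" a selection parameter and the value is handed over with SUBMIT ... WITH,
" so the request field never becomes part of the program source.
APPEND 'REPORT cp_report.' TO lt_tab.
APPEND 'PARAMETERS p_input TYPE c LENGTH 72.' TO lt_tab.
APPEND 'WRITE: ''Hello world!''.' TO lt_tab.
APPEND 'WRITE p_input.' TO lt_tab.

INSERT REPORT 'CP_REPORT' FROM lt_tab.

SUBMIT ('CP_REPORT') WITH p_input = lv_input AND RETURN.

" Fix 2: if a value really has to be embedded in the source, run it
" through the matching CL_ABAP_DYN_PRG check first (this lv_code would
" replace the CONCATENATE line of the original handler).

" a) Free text inside a character literal: ESCAPE_QUOTES doubles every
"    single quote, so the breakout input above is emitted as
"      WRITE 'x''. WRITE ''injected''. WRITE '''.
"    which prints the text instead of executing it.
lv_code = |WRITE '{ cl_abap_dyn_prg=>escape_quotes( lv_input ) }'.|.

" b) A number: CHECK_INT_VALUE returns the value only if it is a
"    well-formed integer and raises otherwise, a stricter form of the
"    digits-only whitelist used in the solution above.
TRY.
    lv_count = cl_abap_dyn_prg=>check_int_value( lv_count ).
  CATCH cx_abap_not_a_number.
    lv_count = '0'.
ENDTRY.
lv_code = |{ lv_code } DO { lv_count } TIMES. WRITE '.'. ENDDO.|.
```

Fix 1 is the one to reach for whenever possible: a value that travels through a parameter, a memory ID or a database table can never change the structure of the program, whereas escaping only protects the one context (a character literal) it was written for. Note also that lt_tab has a line length of 72, so a long field would be truncated rather than rejected; validate length before building the table.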

Good luck on the next one.
