Application Development Blog Posts
Forrest
Working with SAP partners over many years to test and certify their ABAP add-ons, I have come to appreciate the Code Vulnerability Analyzer (CVA) tool in the ABAP Workbench as a useful safeguard, and I have also learned to help partners interpret the results of a CVA scan. This blog explains why you will always see a Potential ABAP Command Injection finding in your CVA report when you implement ABAP dynamic code generation.

ABAP supports generating programs at runtime and executing them. The major logic steps are:

  1. The source code is created at runtime.

  2. The generated source code is then handed over to the ABAP statements for dynamic code generation and execution.

  3. These statements generate and execute the program.


Normally, there are two ways to establish dynamic code at runtime.

The first is to generate the code as a temporary program within the internal session. Once the internal session ends, the code and program are deleted without trace.

The second option generates the code persistently: even after the internal session ends, the code and program are kept in the database and can be reused.

As dynamic code generation is an efficient yet highly sophisticated programming technique in ABAP, it requires experience and should be a last resort. For instance, when the data structure cannot be determined until the outcome of a runtime step is known, you have to adopt dynamic code generation.

The most important statements in dynamic programming are

  • GENERATE SUBROUTINE POOL (not the focus of this blog)

  • INSERT REPORT


The syntax of INSERT REPORT is as follows:

INSERT REPORT prog FROM itab
[MAXIMUM WIDTH INTO wid]
{ [KEEPING DIRECTORY ENTRY]
| { [PROGRAM TYPE pt]
[FIXED-POINT ARITHMETIC fp]
[VERSION vs] }
| [DIRECTORY ENTRY dir] }.

The CVA scan, by default, generates a priority 1 message when it detects an INSERT REPORT statement in the ABAP program, because CVA cannot know whether the INSERT REPORT statement is a required part of legitimate dynamic code generation or whether it was planted by malicious code.

If the SAP CVA tool identifies your code as Potential ABAP Command Injection with a Priority 1 issue, the following actions are suggested:

  • Investigate the error message and check whether the cause is the detection of the INSERT REPORT statement used for dynamic code generation.

  • Document the environment in detail.

  • Partners can also contact the SAP Integration Certification Center (icc-info@sap.com) to have the program analyzed thoroughly.
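As an added example (not code from the original post or from SAP), the report below shows INSERT REPORT used the way a CVA reviewer would want to see it: the generated source is assembled from fixed template lines, and the only runtime fragment (a table name) is validated with CL_ABAP_DYN_PRG before it reaches the generated program. The program names, the DEFAULT table and the package name are assumptions.

```abap
" Added example, not from the original post. Builds a persistent report
" from constant template lines; the single dynamic fragment is a table
" name that is checked against the DDIC before it is used.
REPORT zdemo_dyn_gen.   " hypothetical program name

CONSTANTS gc_prog TYPE syrepid VALUE 'ZDYN_GENERATED_TMP'.  " assumed name

PARAMETERS p_tab TYPE tabname DEFAULT 'SFLIGHT'.

DATA: lt_src TYPE TABLE OF string,
      lv_tab TYPE string,
      lv_msg TYPE string,
      lx_chk TYPE REF TO cx_root.

START-OF-SELECTION.
  TRY.
      " Reject anything that is not an existing table in an allowed
      " package: this is the check that stops user input from becoming
      " arbitrary source code. Package name is an assumption.
      lv_tab = cl_abap_dyn_prg=>check_table_name_str(
                 val      = p_tab
                 packages = 'SAPBC_DATAMODEL' ).
    CATCH cx_abap_not_a_table cx_abap_not_in_package INTO lx_chk.
      lv_msg = lx_chk->get_text( ).
      MESSAGE lv_msg TYPE 'E'.
  ENDTRY.

  " Source lines come only from fixed templates plus the validated name.
  APPEND |REPORT { gc_prog }.|                              TO lt_src.
  APPEND |DATA lv_cnt TYPE i.|                              TO lt_src.
  APPEND |SELECT COUNT(*) FROM { lv_tab } INTO lv_cnt.|     TO lt_src.
  APPEND |WRITE: / 'Rows in { lv_tab }:', lv_cnt.|          TO lt_src.

  " CVA still reports this statement as Potential ABAP Command
  " Injection; the validation above is what makes the finding acceptable
  " and is what should be documented for the reviewer.
  INSERT REPORT gc_prog FROM lt_src
         PROGRAM TYPE '1'.      " '1' = executable program
  IF sy-subrc <> 0.
    MESSAGE 'Program could not be generated' TYPE 'E'.
  ENDIF.

  " Run the generated program and come back to this report.
  SUBMIT (gc_prog) AND RETURN.
```

Because INSERT REPORT writes the program to the database (the persistent option described above), the generated object remains after the session and should be cleaned up or deliberately kept under version control.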
