SQL Server administration and T-SQL development, Web Programming with ASP.NET, HTML5 and Javascript, Windows Phone 8 app development, SAP Smartforms and ABAP Programming, Windows 7, Visual Studio and MS Office software SAP ABAP Programming and HANA Database Tutorials
Development resources, articles, tutorials, code samples and tools and downloads for ASP.Net, SQL Server, R Script, Windows, Windows Phone, AWS, SAP HANA and ABAP, like SAP UI5, Screen Personas, etc.




Install SAP Free


UI-driven or RFC-driven dynamic function module call

If ABAP programmer is calling function modules dynamically using a variable for function module name instead of a static ABAP function module name following CVA security check can be displayed as priority one issue in ATC findings:
UI-driven or RFC-driven dynamic function module call

The variable function module name value could be provided by an entry on user interface. In this case the input function module name can be used for different purposes by wrong users. The input values must be validated by comparing a whilelist of ABAP function modules.

There is a good article posted about CVA findings which is suggesting use of cl_abap_dyn_prg=>check_whitelist_str() class method to check whether the function module name exposed in variable is a whitelisted function module name or not.

In fact if you follow the official help documentation displayed available at CVA error details, ABAP developers can find more details about the procedure to secure the dynamic function module call.

Click on the ATC check message UI-driven or RFC-driven dynamic function module call for procedure to clear CVA security threat

UI-driven or RFC-driven dynamic function module call

Check Title: Security Checks for ABAP (CVA)
Check Message: UI-driven or RFC-driven dynamic function module call
Priority 1
Variable LV_FM can be used externally to control dynamic function module calls.
Risk of attacks through the user interface.
Invalid sanitization: Whitelist is identical to the value being checked.
Cannot be suppressed using a pragma or pseudo-comment

Assume that you have a function module name read from a structure field.
Pass the dynamic function module name as input parameter to the cl_abap_dyn_prg=>check_whitelist_str method or cl_abap_dyn_prg=>check_whitelist_tab method.

DATA(lv_fm) = ls_functionmodules-fmname.
TRY.
lv_fm = cl_abap_dyn_prg=>check_whitelist_str(
 val = lv_fm
 whitelist = 'ZREADTEXT,ZREADORGKEYTEXT' ).
CATCH cx_abap_not_in_whitelist.
 RETURN.
ENDTRY.

CALL FUNCTION lv_fm
EXPORTING name = lv_name
TABLES lines = lt_tdline.

If the ABAP class cl_abap_dyn_prg methods check_whitelist_str and check_whitelist_tab does not help to check if the function module is in whitelist and remove the CVA finding at ATC, then an ATC exemption can be requested.






SAP Tutorials

SAP Tutorial

SAP Forums

SAP Tools

SAP Transaction Codes Table


Meetup Sunumu 1 meetup






Copyright © 2004 - 2019 Eralper YILMAZ. All rights reserved.
Community Server by Telligent Systems