rspec/rules/S2809/abap/rule.adoc

Using "CALL TRANSACTION" statements without an authority check is security sensitive. Its access should be restricted to specific users.


This rule raises when a ``++CALL TRANSACTION++`` has no explicit authorization check, i.e. when:

* the ``++CALL TRANSACTION++`` statement is not followed by ``++WITH AUTHORITY-CHECK++``.
* the ``++CALL TRANSACTION++`` statement is not following an ``++AUTHORITY-CHECK++`` statement.
* the ``++CALL TRANSACTION++`` statement is not following a call to the ``++AUTHORITY_CHECK_TCODE++`` function.


== Ask Yourself Whether

* the ``++CALL TRANSACTION++`` statement is restricted to the right users.

There is a risk if you answered no to this question.


== Recommended Secure Coding Practices

Check current user's authorization before every ``++CALL TRANSACTION++`` statement. Since ABAP 7.4 this should be done by appending ``++WITH AUTHORITY-CHECK++`` to ``++CALL TRANSACTION++`` statements. In earlier versions the ``++AUTHORITY-CHECK++`` statement or a call to the ``++AUTHORITY_CHECK_TCODE++`` function can be used.


Note that since ABAP 7.4 any ``++CALL TRANSACTION++`` statement not followed by ``++WITH AUTHORITY-CHECK++`` or ``++WITHOUT AUTHORITY-CHECK++`` https://help.sap.com/doc/abapdocu_751_index_htm/7.51/en-US/abapcall_transaction_authority.htm[is obsolete].


== Sensitive Code Example

----
CALL TRANSACTION 'MY_DIALOG'.  " Sensitive as there is no apparent authorization check. It is also obsolete since ABAP 7.4.
----


== Compliant Solution

[source,abap]
----
AUTHORITY-CHECK OBJECT 'S_DIAGID'
                  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  " show an error message...
ENDIF.

CALL TRANSACTION 'MY_DIALOG'. " Ok but obsolete since ABAP 7.4.
----
or

[source,abap]
----
CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
  exporting
    tcode  = up_fdta
  exceptions
    ok     = 0
    others = 4.
IF sy-subrc <> 0.
  " show an error message...
ENDIF.

CALL TRANSACTION up_fdta USING up_bdc mode 'E'. " Ok but obsolete since ABAP 7.4.
----
or

[source,abap]
----
CALL TRANSACTION 'MY_DIALOG' WITH AUTHORITY-CHECK. " Recommended way since ABAP 7.4.
----


== Exceptions

No issue will be raised when ``++CALL TRANSACTION++`` is followed by ``++WITHOUT AUTHORITY-CHECK++`` as it explicitly says that the TRANSACTION does not require an authorization check.


== See

* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
* CWE - https://cwe.mitre.org/data/definitions/285[CWE-285 - Improper Authorization]
* CWE - https://cwe.mitre.org/data/definitions/862[CWE-862 - Missing Authorization]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure that using this "CALL TRANSACTION" statement without an authority check is safe here.


'''
== Comments And Links
(visible only on this page)

=== on 7 Apr 2015, 19:44:04 Ann Campbell wrote:
http://scn.sap.com/thread/706673

=== on 12 May 2015, 13:04:55 Ann Campbell wrote:
\[~nicolas.peru] I've updated the message, description and code samples based on this article: \https://www.kiuwan.com/blog/abap-code-quality-security-vulnerabilities-detection/

Please double-check me.

=== on 12 May 2015, 14:28:31 Nicolas Peru wrote:
Looks good.

endif::env-github,rspecator-view[]
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`Using "CALL TRANSACTION" statements without an authority check is security sensitive. Its access should be restricted to specific users.`


			This rule raises when a ``++CALL TRANSACTION++`` has no explicit authorization check, i.e. when:

			* the ``++CALL TRANSACTION++`` statement is not followed by ``++WITH AUTHORITY-CHECK++``.
			* the ``++CALL TRANSACTION++`` statement is not following an ``++AUTHORITY-CHECK++`` statement.
			* the ``++CALL TRANSACTION++`` statement is not following a call to the ``++AUTHORITY_CHECK_TCODE++`` function.

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Ask Yourself Whether`

			* the ``++CALL TRANSACTION++`` statement is restricted to the right users.

			`There is a risk if you answered no to this question.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Recommended Secure Coding Practices`

			Check current user's authorization before every ``++CALL TRANSACTION++`` statement. Since ABAP 7.4 this should be done by appending ``++WITH AUTHORITY-CHECK++`` to ``++CALL TRANSACTION++`` statements. In earlier versions the ``++AUTHORITY-CHECK++`` statement or a call to the ``++AUTHORITY_CHECK_TCODE++`` function can be used.


			Note that since ABAP 7.4 any ``++CALL TRANSACTION++`` statement not followed by ``++WITH AUTHORITY-CHECK++`` or ``++WITHOUT AUTHORITY-CHECK++`` https://help.sap.com/doc/abapdocu_751_index_htm/7.51/en-US/abapcall_transaction_authority.htm[is obsolete].

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Sensitive Code Example`

			`----`
			`CALL TRANSACTION 'MY_DIALOG'. " Sensitive as there is no apparent authorization check. It is also obsolete since ABAP 7.4.`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,abap]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`AUTHORITY-CHECK OBJECT 'S_DIAGID'`
			`ID 'ACTVT' FIELD '03'.`
			`IF sy-subrc <> 0.`
			`" show an error message...`
			`ENDIF.`

			`CALL TRANSACTION 'MY_DIALOG'. " Ok but obsolete since ABAP 7.4.`
			`----`
			`or`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,abap]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`CALL FUNCTION 'AUTHORITY_CHECK_TCODE'`
			`exporting`
			`tcode = up_fdta`
			`exceptions`
			`ok = 0`
			`others = 4.`
			`IF sy-subrc <> 0.`
			`" show an error message...`
			`ENDIF.`

			`CALL TRANSACTION up_fdta USING up_bdc mode 'E'. " Ok but obsolete since ABAP 7.4.`
			`----`
			`or`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,abap]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`CALL TRANSACTION 'MY_DIALOG' WITH AUTHORITY-CHECK. " Recommended way since ABAP 7.4.`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Exceptions`

			No issue will be raised when ``++CALL TRANSACTION++`` is followed by ``++WITHOUT AUTHORITY-CHECK++`` as it explicitly says that the TRANSACTION does not require an authorization check.

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]`
			`* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]`
			`* CWE - https://cwe.mitre.org/data/definitions/285[CWE-285 - Improper Authorization]`
			`* CWE - https://cwe.mitre.org/data/definitions/862[CWE-862 - Missing Authorization]`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Make sure that using this "CALL TRANSACTION" statement without an authority check is safe here.`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 7 Apr 2015, 19:44:04 Ann Campbell wrote:`
			`http://scn.sap.com/thread/706673`

			`=== on 12 May 2015, 13:04:55 Ann Campbell wrote:`
			`\[~nicolas.peru] I've updated the message, description and code samples based on this article: \https://www.kiuwan.com/blog/abap-code-quality-security-vulnerabilities-detection/`

			`Please double-check me.`

			`=== on 12 May 2015, 14:28:31 Nicolas Peru wrote:`
			`Looks good.`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`