rspec/rules/S2809/abap/rule.adoc

Using ``++CALL TRANSACTION++`` statements without an authority check is security sensitive. Access to the called transaction should be restricted to specific users.
This rule raises an issue when a ``++CALL TRANSACTION++`` statement has no explicit authorization check, i.e. when all of the following hold:
* the ``++CALL TRANSACTION++`` statement is not followed by ``++WITH AUTHORITY-CHECK++``,
* the ``++CALL TRANSACTION++`` statement is not preceded by an ``++AUTHORITY-CHECK++`` statement, and
* the ``++CALL TRANSACTION++`` statement is not preceded by a call to the ``++AUTHORITY_CHECK_TCODE++`` function.
== Ask Yourself Whether
* the ``++CALL TRANSACTION++`` statement is restricted to the right users.
There is a risk if you answered no to this question.
== Recommended Secure Coding Practices
Check the current user's authorization before every ``++CALL TRANSACTION++`` statement. Since ABAP 7.4 this should be done by appending ``++WITH AUTHORITY-CHECK++`` to the ``++CALL TRANSACTION++`` statement. In earlier versions the ``++AUTHORITY-CHECK++`` statement or a call to the ``++AUTHORITY_CHECK_TCODE++`` function can be used.
Note that since ABAP 7.4 any ``++CALL TRANSACTION++`` statement not followed by ``++WITH AUTHORITY-CHECK++`` or ``++WITHOUT AUTHORITY-CHECK++`` https://help.sap.com/doc/abapdocu_751_index_htm/7.51/en-US/abapcall_transaction_authority.htm[is obsolete].
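The following report is an added example, not code from the rule page or from SonarSource: it wraps every transaction start in a small guard class so that the authorization check cannot be forgotten, and it handles the deny path explicitly for both the ABAP 7.4 form and the pre-7.4 form. The report name ``++zdemo_tcode_guard++``, the class name ``++lcl_tcode_guard++`` and the transaction code ``++MY_DIALOG++`` are constructed for the example; the exception class ``++CX_SY_AUTHORIZATION_ERROR++`` raised by a failed ``++WITH AUTHORITY-CHECK++`` is not mentioned on this page and is assumed here from the SAP documentation of the statement.

```abap
REPORT zdemo_tcode_guard.  " constructed report name for the example

CLASS lcl_tcode_guard DEFINITION.
  PUBLIC SECTION.
    " ABAP >= 7.4: let the statement itself perform the check. A failed check
    " raises CX_SY_AUTHORIZATION_ERROR (assumed from SAP statement documentation).
    CLASS-METHODS call_checked
      IMPORTING iv_tcode TYPE sy-tcode.
    " Pre-7.4 form: explicit AUTHORITY_CHECK_TCODE before CALL TRANSACTION,
    " with the NOT_OK exception mapped so the deny path is visible in code.
    CLASS-METHODS call_checked_legacy
      IMPORTING iv_tcode TYPE sy-tcode.
ENDCLASS.

CLASS lcl_tcode_guard IMPLEMENTATION.
  METHOD call_checked.
    TRY.
        CALL TRANSACTION iv_tcode WITH AUTHORITY-CHECK.
      CATCH cx_sy_authorization_error INTO DATA(lx_auth).
        " Surface the failure instead of silently continuing.
        MESSAGE lx_auth->get_text( ) TYPE 'E'.
    ENDTRY.
  ENDMETHOD.

  METHOD call_checked_legacy.
    CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
      EXPORTING
        tcode  = iv_tcode
      EXCEPTIONS
        ok     = 0
        not_ok = 1
        OTHERS = 2.
    IF sy-subrc <> 0.
      " Deny before the transaction is started; sy-subrc 2 covers unexpected
      " errors in the check itself, which are treated as a denial too.
      MESSAGE 'No authorization for the requested transaction' TYPE 'E'.
      RETURN.
    ENDIF.
    CALL TRANSACTION iv_tcode.  " check performed explicitly above
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Every call site goes through the guard, so the rule's conditions are met
  " at the single place where CALL TRANSACTION appears.
  lcl_tcode_guard=>call_checked( 'MY_DIALOG' ).
```

On a 7.4 or later system only ``++call_checked++`` is needed; ``++call_checked_legacy++`` shows how the same guarantee is obtained where ``++WITH AUTHORITY-CHECK++`` is unavailable. Treating an unexpected return code from the check function as a denial (fail closed) is the design choice that matters: a check that only rejects on ``++NOT_OK++`` would let an error in the check itself start the transaction.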
== Sensitive Code Example
[source,abap]
----
CALL TRANSACTION 'MY_DIALOG'. " Sensitive as there is no apparent authorization check. It is also obsolete since ABAP 7.4.
----
== Compliant Solution
[source,abap]
----
AUTHORITY-CHECK OBJECT 'S_DIAGID'
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  " show an error message...
ENDIF.
CALL TRANSACTION 'MY_DIALOG'. " Ok but obsolete since ABAP 7.4.
----
or
[source,abap]
----
CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
  EXPORTING
    tcode  = up_fdta
  EXCEPTIONS
    ok     = 0
    OTHERS = 4.
IF sy-subrc <> 0.
  " show an error message...
ENDIF.
CALL TRANSACTION up_fdta USING up_bdc MODE 'E'. " Ok but obsolete since ABAP 7.4.
----
or
[source,abap]
----
CALL TRANSACTION 'MY_DIALOG' WITH AUTHORITY-CHECK. " Recommended way since ABAP 7.4.
----
== Exceptions
No issue will be raised when ``++CALL TRANSACTION++`` is followed by ``++WITHOUT AUTHORITY-CHECK++`` as it explicitly says that the TRANSACTION does not require an authorization check.
== See
* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
* https://cwe.mitre.org/data/definitions/285[MITRE, CWE-285] - Improper Authorization
* https://cwe.mitre.org/data/definitions/862[MITRE, CWE-862] - Missing Authorization
* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::message.adoc[]
'''
== Comments And Links
(visible only on this page)
include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]