
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
55 lines
1.6 KiB
Plaintext
== Why is this an issue?

Checking a logged-in user's permissions by comparing their name to a hardcoded string creates security vulnerabilities. It prevents system administrators from changing a user's permissions when needed (for example, when the account has been compromised). Thus the system fields ``++SY-UNAME++`` and ``++SYST-UNAME++`` should not be compared to hardcoded strings. Use ``++AUTHORITY-CHECK++`` instead to check users' permissions.

This rule raises an issue when either of the system fields ``++SY-UNAME++`` or ``++SYST-UNAME++`` is compared to a hardcoded value in a ``++CASE++`` statement or using one of the following operators: ``++=++``, ``++EQ++``, ``++<>++``, ``++NE++``.

=== Noncompliant code example

[source,abap]
----
IF SY-UNAME = 'ALICE'. " Noncompliant
ENDIF.

CASE SY-UNAME.
  WHEN 'A'. " Noncompliant
ENDCASE.
----

=== Compliant solution

[source,abap]
----
AUTHORITY-CHECK OBJECT 'S_CARRID'
  ID 'CARRID' FIELD mycarrid.
IF sy-subrc <> 0.
  MESSAGE 'Not authorized' TYPE 'E'.
ENDIF.
----
ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Replace this hard-coded comparison of "SY-UNAME" with an "AUTHORITY-CHECK".

Replace this hard-coded comparison of "SYST-UNAME" with an "AUTHORITY-CHECK".


'''
== Comments And Links
(visible only on this page)

=== on 20 Dec 2018, 15:53:00 Nicolas Harraudeau wrote:
For now this rule exists only for ABAP but this is a common mistake in many programming languages. ACL libraries should be preferred to hardcoded references to a specific user.

endif::env-github,rspecator-view[]