ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2809/abap/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

109 lines
3.4 KiB
Plaintext
Raw Blame History

Using "CALL TRANSACTION" statements without an authority check is security sensitive. Its access should be restricted to specific users.
This rule raises when a ``++CALL TRANSACTION++`` has no explicit authorization check, i.e. when:
* the ``++CALL TRANSACTION++`` statement is not followed by ``++WITH AUTHORITY-CHECK++``.
* the ``++CALL TRANSACTION++`` statement is not following an ``++AUTHORITY-CHECK++`` statement.
* the ``++CALL TRANSACTION++`` statement is not following a call to the ``++AUTHORITY_CHECK_TCODE++`` function.
== Ask Yourself Whether
* the ``++CALL TRANSACTION++`` statement is restricted to the right users.
There is a risk if you answered no to this question.
== Recommended Secure Coding Practices
Check current user's authorization before every ``++CALL TRANSACTION++`` statement. Since ABAP 7.4 this should be done by appending ``++WITH AUTHORITY-CHECK++`` to ``++CALL TRANSACTION++`` statements. In earlier versions the ``++AUTHORITY-CHECK++`` statement or a call to the ``++AUTHORITY_CHECK_TCODE++`` function can be used.
Note that since ABAP 7.4 any ``++CALL TRANSACTION++`` statement not followed by ``++WITH AUTHORITY-CHECK++`` or ``++WITHOUT AUTHORITY-CHECK++`` https://help.sap.com/doc/abapdocu_751_index_htm/7.51/en-US/abapcall_transaction_authority.htm[is obsolete].
== Sensitive Code Example
----
CALL TRANSACTION 'MY_DIALOG'. " Sensitive as there is no apparent authorization check. It is also obsolete since ABAP 7.4.
----
== Compliant Solution
[source,abap]
----
AUTHORITY-CHECK OBJECT 'S_DIAGID'
ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
" show an error message...
ENDIF.
CALL TRANSACTION 'MY_DIALOG'. " Ok but obsolete since ABAP 7.4.
----
or
[source,abap]
----
CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
exporting
tcode = up_fdta
exceptions
ok = 0
others = 4.
IF sy-subrc <> 0.
" show an error message...
ENDIF.
CALL TRANSACTION up_fdta USING up_bdc mode 'E'. " Ok but obsolete since ABAP 7.4.
----
or
[source,abap]
----
CALL TRANSACTION 'MY_DIALOG' WITH AUTHORITY-CHECK. " Recommended way since ABAP 7.4.
----
== Exceptions
No issue will be raised when ``++CALL TRANSACTION++`` is followed by ``++WITHOUT AUTHORITY-CHECK++`` as it explicitly says that the TRANSACTION does not require an authorization check.
== See
* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
* CWE - https://cwe.mitre.org/data/definitions/285[CWE-285 - Improper Authorization]
* CWE - https://cwe.mitre.org/data/definitions/862[CWE-862 - Missing Authorization]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Make sure that using this "CALL TRANSACTION" statement without an authority check is safe here.
'''
== Comments And Links
(visible only on this page)
=== on 7 Apr 2015, 19:44:04 Ann Campbell wrote:
http://scn.sap.com/thread/706673
=== on 12 May 2015, 13:04:55 Ann Campbell wrote:
\[~nicolas.peru] I've updated the message, description and code samples based on this article: \https://www.kiuwan.com/blog/abap-code-quality-security-vulnerabilities-detection/
Please double-check me.
=== on 12 May 2015, 14:28:31 Nicolas Peru wrote:
Looks good.
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink