ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2809/abap/rule.adoc
jtingsanchali 96d9ddb930
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) 
* Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files
2022-04-07 08:53:59 -05:00

97 lines
3.0 KiB
Plaintext
Raw Blame History

Using "CALL TRANSACTION" statements without an authority check is security sensitive. Its access should be restricted to specific users.
This rule raises when a ``++CALL TRANSACTION++`` has no explicit authorization check, i.e. when:
* the ``++CALL TRANSACTION++`` statement is not followed by ``++WITH AUTHORITY-CHECK++``.
* the ``++CALL TRANSACTION++`` statement is not following an ``++AUTHORITY-CHECK++`` statement.
* the ``++CALL TRANSACTION++`` statement is not following a call to the ``++AUTHORITY_CHECK_TCODE++`` function.
== Ask Yourself Whether
* the ``++CALL TRANSACTION++`` statement is restricted to the right users.
There is a risk if you answered no to this question.
== Recommended Secure Coding Practices
Check current user's authorization before every ``++CALL TRANSACTION++`` statement. Since ABAP 7.4 this should be done by appending ``++WITH AUTHORITY-CHECK++`` to ``++CALL TRANSACTION++`` statements. In earlier versions the ``++AUTHORITY-CHECK++`` statement or a call to the ``++AUTHORITY_CHECK_TCODE++`` function can be used.
Note that since ABAP 7.4 any ``++CALL TRANSACTION++`` statement not followed by ``++WITH AUTHORITY-CHECK++`` or ``++WITHOUT AUTHORITY-CHECK++`` https://help.sap.com/doc/abapdocu_751_index_htm/7.51/en-US/abapcall_transaction_authority.htm[is obsolete].
== Sensitive Code Example
----
CALL TRANSACTION 'MY_DIALOG'. " Sensitive as there is no apparent authorization check. It is also obsolete since ABAP 7.4.
----
== Compliant Solution
[source,abap]
----
AUTHORITY-CHECK OBJECT 'S_DIAGID'
ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
" show an error message...
ENDIF.
CALL TRANSACTION 'MY_DIALOG'. " Ok but obsolete since ABAP 7.4.
----
or
[source,abap]
----
CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
exporting
tcode = up_fdta
exceptions
ok = 0
others = 4.
IF sy-subrc <> 0.
" show an error message...
ENDIF.
CALL TRANSACTION up_fdta USING up_bdc mode 'E'. " Ok but obsolete since ABAP 7.4.
----
or
[source,abap]
----
CALL TRANSACTION 'MY_DIALOG' WITH AUTHORITY-CHECK. " Recommended way since ABAP 7.4.
----
== Exceptions
No issue will be raised when ``++CALL TRANSACTION++`` is followed by ``++WITHOUT AUTHORITY-CHECK++`` as it explicitly says that the TRANSACTION does not require an authorization check.
== See
* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
* https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
* https://cwe.mitre.org/data/definitions/285[MITRE, CWE-285] - Improper Authorization
* https://cwe.mitre.org/data/definitions/862[MITRE, CWE-862] - Missing Authorization
* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::message.adoc[]
'''
== Comments And Links
(visible only on this page)
include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink