Uploaded image for project: 'Rules Repository'
  1. Rules Repository
  2. RSPEC-2809

Using "CALL TRANSACTION" statements without an authority check is security-sensitive

    XMLWordPrintable

    Details

    • Message:
      Make sure that using this "CALL TRANSACTION" statement without an authority check is safe here.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Covered Languages:
      ABAP
    • Irrelevant for Languages:
      C#, C, C++, Cobol, CSS, Flex, HTML, Java, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      20min
    • CWE:
      CWE-285, CWE-862
    • OWASP:
      A2
    • SANS Top 25:
      Porous Defenses

      Description

      Using "CALL TRANSACTION" statements without an authority check is security sensitive. Its access should be restricted to specific users.

      This rule raises when a CALL TRANSACTION has no explicit authorization check, i.e. when:

      • the CALL TRANSACTION statement is not followed by WITH AUTHORITY-CHECK.
      • the CALL TRANSACTION statement is not following an AUTHORITY-CHECK statement.
      • the CALL TRANSACTION statement is not following a call to the AUTHORITY_CHECK_TCODE function.

      Ask Yourself Whether

      • the CALL TRANSACTION statement is restricted to the right users.

      There is a risk if you answered no to this question.

      Recommended Secure Coding Practices

      Check current user's authorization before every CALL TRANSACTION statement. Since ABAP 7.4 this should be done by appending WITH AUTHORITY-CHECK to CALL TRANSACTION statements. In earlier versions the AUTHORITY-CHECK statement or a call to the AUTHORITY_CHECK_TCODE function can be used.

      Note that since ABAP 7.4 any CALL TRANSACTION statement not followed by WITH AUTHORITY-CHECK or WITHOUT AUTHORITY-CHECK is obsolete.

      Sensitive Code Example

      CALL TRANSACTION 'MY_DIALOG'.  " Sensitive as there is no apparent authorization check. It is also obsolete since ABAP 7.4.

      Compliant Solution

      AUTHORITY-CHECK OBJECT 'S_DIAGID'
                  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  " show an error message...
ENDIF.

CALL TRANSACTION 'MY_DIALOG'. " Ok but obsolete since ABAP 7.4.

      or

      CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
  exporting
    tcode  = up_fdta
  exceptions
    ok     = 0
    others = 4.
IF sy-subrc <> 0.
  " show an error message...
ENDIF.

CALL TRANSACTION up_fdta USING up_bdc mode 'E'. " Ok but obsolete since ABAP 7.4.

      or

      CALL TRANSACTION 'MY_DIALOG' WITH AUTHORITY-CHECK. " Recommended way since ABAP 7.4.

      Exceptions

      No issue will be raised when CALL TRANSACTION is followed by WITHOUT AUTHORITY-CHECK as it explicitly says that the TRANSACTION does not require an authorization check.

      See

        Attachments

          Issue Links

          is implemented by

          New Feature - A new feature of the product, which has yet to be developed. SONARABAP-384 Rule S2809: Permissions should be checked before "CALL TRANSACTION"

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. SONARABAP-408 Update message of Rule s2809

          • Major - Major loss of function.
          • Closed

          False-Positive - Unexpected issue reported by a rule SONARABAP-407 FP on Rule s2809 when "WITHOUT AUTHORITY-CHECK" or "AUTHORITY_CHECK_TCODE" are used

          • Major - Major loss of function.
          • Closed

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              ann.campbell.2 Ann Campbell
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated: