Details
- Type: Security Hotspot Detection
- Status: Active
- Resolution: Unresolved
- Labels:
- Message: Make sure that using this "CALL TRANSACTION" statement without an authority check is safe here.
- Default Severity: Critical
- Impact: High
- Likelihood: Low
- Covered Languages: ABAP
- Irrelevant for Languages: C#, C, C++, Cobol, CSS, Flex, HTML, Java, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, VB.Net, VB6, XML
- Remediation Function: Constant/Issue
- Constant Cost: 20min
- CWE: CWE-285, CWE-862
- OWASP: A2
- SANS Top 25: Porous Defenses
Description
Using "CALL TRANSACTION" statements without an authority check is security-sensitive. Access to the called transaction should be restricted to specific users.
This rule raises an issue when a CALL TRANSACTION has no explicit authorization check, i.e. when all of the following are true:
- the CALL TRANSACTION statement is not followed by WITH AUTHORITY-CHECK;
- the CALL TRANSACTION statement does not follow an AUTHORITY-CHECK statement;
- the CALL TRANSACTION statement does not follow a call to the AUTHORITY_CHECK_TCODE function.
Ask Yourself Whether
- the CALL TRANSACTION statement is restricted to the right users.
There is a risk if you answered no to this question.
Recommended Secure Coding Practices
Check the current user's authorization before every CALL TRANSACTION statement. Since ABAP 7.4 this should be done by appending WITH AUTHORITY-CHECK to the CALL TRANSACTION statement. In earlier versions, the AUTHORITY-CHECK statement or a call to the AUTHORITY_CHECK_TCODE function can be used.
Note that since ABAP 7.4, any CALL TRANSACTION statement followed by neither WITH AUTHORITY-CHECK nor WITHOUT AUTHORITY-CHECK is obsolete.
Sensitive Code Example
CALL TRANSACTION 'MY_DIALOG'. " Sensitive as there is no apparent authorization check. It is also obsolete since ABAP 7.4.
Compliant Solution
AUTHORITY-CHECK OBJECT 'S_DIAGID'
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  " show an error message...
ENDIF.
CALL TRANSACTION 'MY_DIALOG'. " Ok but obsolete since ABAP 7.4.
or
CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
  EXPORTING
    tcode  = up_fdta
  EXCEPTIONS
    ok     = 0
    OTHERS = 4.
IF sy-subrc <> 0.
  " show an error message...
ENDIF.
CALL TRANSACTION up_fdta USING up_bdc MODE 'E'. " Ok but obsolete since ABAP 7.4.
or
CALL TRANSACTION 'MY_DIALOG' WITH AUTHORITY-CHECK. " Recommended way since ABAP 7.4.
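As an added example (not code from the rule page or from SonarSource), the following report reads the transaction code from a selection-screen parameter, so the authorization decision has to be made at runtime, and wraps the call in a local class with one method per approach: the ABAP 7.4 form using WITH AUTHORITY-CHECK together with the CX_SY_AUTHORIZATION_ERROR exception it raises on failure, and the pre-7.4 form using AUTHORITY_CHECK_TCODE with both of its OK and NOT_OK exceptions mapped so that only an explicit OK lets the call proceed. The program, class, method and parameter names (z_guarded_call_transaction, lcl_tcode_guard, call_modern, call_legacy, p_tcode) are assumptions.

```abap
REPORT z_guarded_call_transaction.
" Added example, not taken from the rule page or SonarSource. Program, class,
" method and parameter names are assumptions. The transaction code comes from
" the selection screen, so the check must happen at runtime on the call itself.

PARAMETERS p_tcode TYPE sy-tcode OBLIGATORY.

CLASS lcl_tcode_guard DEFINITION.
  PUBLIC SECTION.
    " ABAP 7.4 and later: let the kernel check the transaction itself.
    CLASS-METHODS call_modern IMPORTING iv_tcode TYPE sy-tcode.
    " Earlier releases: ask AUTHORITY_CHECK_TCODE before calling.
    CLASS-METHODS call_legacy IMPORTING iv_tcode TYPE sy-tcode.
ENDCLASS.

CLASS lcl_tcode_guard IMPLEMENTATION.
  METHOD call_modern.
    " WITH AUTHORITY-CHECK performs the authorization check for iv_tcode and,
    " if the current user fails it, raises CX_SY_AUTHORIZATION_ERROR instead
    " of starting the transaction. Catching the exception turns the refusal
    " into a clean error message rather than a runtime error.
    TRY.
        CALL TRANSACTION iv_tcode WITH AUTHORITY-CHECK.
      CATCH cx_sy_authorization_error INTO DATA(lx_auth).
        DATA(lv_text) = lx_auth->get_text( ).
        MESSAGE lv_text TYPE 'E'.
    ENDTRY.
  ENDMETHOD.

  METHOD call_legacy.
    " AUTHORITY_CHECK_TCODE reports its result through the exceptions OK and
    " NOT_OK. Both are mapped to distinct sy-subrc values and only an explicit
    " OK (sy-subrc = 1) lets the call proceed, so an unexpected or missing
    " exception is treated as "not authorized" rather than as success.
    CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
      EXPORTING
        tcode  = iv_tcode
      EXCEPTIONS
        ok     = 1
        not_ok = 2
        OTHERS = 3.
    IF sy-subrc <> 1.
      MESSAGE 'No authorization for the requested transaction' TYPE 'E'.
    ENDIF.
    " Acceptable before ABAP 7.4; from 7.4 on this plain form is obsolete and
    " call_modern should be used instead.
    CALL TRANSACTION iv_tcode.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " On a 7.4 or later system the modern method is the one to call.
  lcl_tcode_guard=>call_modern( p_tcode ).
```

Because the rule only looks at the statement immediately surrounding CALL TRANSACTION, keeping the check and the call together in one method, as above, both satisfies the rule and keeps the authorization decision visible at the point of use; a check performed in a distant caller would not be recognized and is also easier to bypass by a new caller that forgets it.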
Exceptions
No issue is raised when CALL TRANSACTION is followed by WITHOUT AUTHORITY-CHECK, as this addition explicitly states that the transaction does not require an authorization check.
See
- OWASP Top 10 2017 Category A2 - Broken Authentication
- MITRE, CWE-285 - Improper Authorization
- MITRE, CWE-862 - Missing Authorization
- SANS Top 25 - Porous Defenses
Attachments
Issue Links
- is implemented by:
  - SONARABAP-384 Rule S2809: Permissions should be checked before "CALL TRANSACTION" (Closed)
  - SONARABAP-408 Update message of Rule s2809 (Closed)
  - SONARABAP-407 FP on Rule s2809 when "WITHOUT AUTHORITY-CHECK" or "AUTHORITY_CHECK_TCODE" are used (Closed)