on 02-09-2016 6:39 PM
Hi Everyone,
All the OData services are created using RFC generators. Now we are in the process of migrating objects to the Quality environment from DEV. Before that we want to ensure all the objects are clean, without any errors, security risks or vulnerabilities. When running the code profiler we encountered errors stating that dynamic RFC imposes a high security risk. This is due to generated SAP standard code in both DPC and DPC_EXT.
Our security team sees this as a security threat and is not able to proceed further.
Kindly help in getting through this issue. Appreciate your help.
Regards
Prabaharan
Hi Prabaharan,
Generated coding is nothing new at SAP.
But this is not SAP standard code but you as a developer have generated this code.
So what is the security risk here?
Best Regards,
Andre
I assume the code we are talking about looks like the following:
" Local variables as used in the generated DPC class; the types given here are assumed.
" so_id, return and itemdata are assumed to be declared elsewhere in the same method.
DATA: lv_rfc_name    TYPE rs38l_fnam,
      lv_destination TYPE rfcdest,
      lv_subrc       TYPE sy-subrc,
      lv_exc_msg     TYPE bapi_msg,
      lx_root        TYPE REF TO cx_root.

" The function name is held in a variable, so CALL FUNCTION is a dynamic call:
" this is the construct the code profiler reports as a dynamic RFC call.
lv_rfc_name = 'BAPI_EPM_SO_GET_DETAIL'.
IF lv_destination IS INITIAL OR lv_destination EQ 'NONE'.
  " Co-deployment: the function module is called locally.
  TRY.
      CALL FUNCTION lv_rfc_name
        EXPORTING
          so_id    = so_id
        TABLES
          return   = return
          itemdata = itemdata
        EXCEPTIONS
          system_failure = 1000 MESSAGE lv_exc_msg
          OTHERS         = 1002.
      lv_subrc = sy-subrc.
      " in case of co-deployment the exception is raised and needs to be caught
    CATCH cx_root INTO lx_root.
      lv_subrc = 1001.
      lv_exc_msg = lx_root->if_message~get_text( ).
  ENDTRY.
ELSE.
  " Hub deployment: the call goes through the configured RFC destination.
  CALL FUNCTION lv_rfc_name DESTINATION lv_destination
    EXPORTING
      so_id    = so_id
    TABLES
      return   = return
      itemdata = itemdata
    EXCEPTIONS
      system_failure        = 1000 MESSAGE lv_exc_msg
      communication_failure = 1001 MESSAGE lv_exc_msg
      OTHERS                = 1002.
  lv_subrc = sy-subrc.
ENDIF.
Hi Andre,
Thanks for your turnaround.
I admit it is not the SAP standard code. But it is still the Gateway framework that generates the base classes and extension classes (DPC, DPC_EXT, MPC, MPC_EXT) with dynamic RFC calls when generating the runtime artifacts.
So what is the security risk here?
The code profiler is showing this dynamic RFC call as a high security risk, and our audit/security team is advising us to fix the errors before moving to the Quality environment. If we change the code manually in DPC, the changes are lost every time the project is generated.
Kindly provide your suggestion on this. I am also going to raise an OSS note on this to SAP.
Regards
Prabaharan Asokan
The code above is not a workaround. You may find similar code in the corresponding *GET_ENTITY or, even more commonly, in the *GET_ENTITYSET method of the DPC class. And you should know that the only way to bypass it is to redefine the very same method of the DPC_EXT class, not the DPC one, as you mentioned. The DPC_EXT class is not influenced by the project regeneration. It is well explained in some manuals prepared by Andre and other colleagues of this community. So try to use a non-dynamic RFC call there and it may solve your problem.
The only hint I see in your message is this: "Code profiler is showing this dynamic RFC call as a high security risk..." It is time to ask a question to your audit/security: "Do you consider any RFC call as a high risk?". If the answer is Yes, pass it to your basis team.
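As an added example (not code from this thread, from SAP, or from the generated project), here is one way to follow the advice above: redefine the generated GET_ENTITY method in the *_DPC_EXT class with a static CALL FUNCTION, so the call names the function module literally for the profiler and the reviewer, and the change survives project regeneration. It covers the co-deployed (local) case of the generated code shown earlier; the entity name SalesOrder, the method name salesorder_get_entity, the key property SoId, the entity field so_id and the types marked "assumed" are assumptions.

```abap
METHOD salesorder_get_entity.
  " Redefined in the *_DPC_EXT class, which project regeneration leaves
  " untouched. Entity name, key property 'SoId' and the types marked
  " "assumed" are assumptions for this example.
  DATA: ls_key           TYPE /iwbep/s_mgw_name_value_pair,
        lv_so_id         TYPE bapi_epm_so_id,                     " assumed
        lt_return        TYPE bapirettab,
        lt_itemdata      TYPE STANDARD TABLE OF bapi_epm_so_item,  " assumed
        lo_msg_container TYPE REF TO /iwbep/if_message_container.

  " Key of the requested entity, taken from the URL key predicate.
  READ TABLE it_key_tab INTO ls_key WITH KEY name = 'SoId'.
  IF sy-subrc <> 0.
    RAISE EXCEPTION TYPE /iwbep/cx_mgw_busi_exception
      EXPORTING textid  = /iwbep/cx_mgw_busi_exception=>business_error
                message = 'Key SoId is missing'.
  ENDIF.
  lv_so_id = ls_key-value.

  " Static call: the function name is a literal, so a code scanner and a
  " reviewer can see exactly which function module runs. Co-deployed case
  " (no destination) as in the thread; a hub setup adds DESTINATION.
  CALL FUNCTION 'BAPI_EPM_SO_GET_DETAIL'
    EXPORTING
      so_id    = lv_so_id
    TABLES
      return   = lt_return
      itemdata = lt_itemdata
    EXCEPTIONS
      OTHERS   = 1.
  IF sy-subrc <> 0.
    RAISE EXCEPTION TYPE /iwbep/cx_mgw_busi_exception
      EXPORTING textid  = /iwbep/cx_mgw_busi_exception=>business_error
                message = 'BAPI_EPM_SO_GET_DETAIL failed'.
  ENDIF.

  " Forward BAPI error messages to the client instead of returning an
  " empty entity.
  READ TABLE lt_return TRANSPORTING NO FIELDS WITH KEY type = 'E'.
  IF sy-subrc = 0.
    lo_msg_container = mo_context->get_message_container( ).
    lo_msg_container->add_messages_from_bapi( it_bapi_messages = lt_return ).
    RAISE EXCEPTION TYPE /iwbep/cx_mgw_busi_exception
      EXPORTING message_container = lo_msg_container.
  ENDIF.

  " Fill the exported entity (field so_id assumed in the entity structure).
  er_entity-so_id = lv_so_id.
ENDMETHOD.
```

Because the function name is a literal, the syntax check also verifies the parameter names and exceptions against the function module, which the dynamic form cannot do.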
Hi Experts and SAP mentors,
Could you please help here and shed some light?
Regards
Prabaharan