Dynamic RFC calls in DPC & DPC_EXT causing "Very high security risk" when running code profiler

Former Member
0 Kudos

Hi Everyone,

All the OData services are created using RFC generators. Now we are in the process of migrating objects to the Quality environment from DEV. Before that we want to ensure all the objects are clean, without any errors, security risks or vulnerabilities. When running the code profiler we encountered errors stating that dynamic RFC calls impose a high security risk. This is due to the generated SAP standard code in both DPC and DPC_EXT.

Our security team sees this as a security threat and we are not able to proceed further.

Kindly help in getting through this issue. Appreciate your help.

Regards

Prabaharan

Accepted Solutions (1)

Andre_Fischer
Product and Topic Expert
0 Kudos

Hi Prabaharan,

Generated coding is nothing new at SAP.

But this is not SAP standard code but you as a developer have generated this code.

So what is the security risk here?

Best Regards,

Andre

I assume the code we are talking about looks like the following:

```abap
" Generated DPC code as posted. The variables lv_rfc_name, lv_destination,
" lv_subrc, lv_exc_msg and lx_root and the parameters so_id, return and
" itemdata are declared elsewhere in the generated method.
lv_rfc_name = 'BAPI_EPM_SO_GET_DETAIL'.

IF lv_destination IS INITIAL OR lv_destination EQ 'NONE'.
  " Local call (no DESTINATION). The function name is passed as a variable,
  " which is the construct the profiler reports, although the variable is
  " assigned from a literal just above.
  TRY.
      CALL FUNCTION lv_rfc_name
        EXPORTING
          so_id          = so_id
        TABLES
          return         = return
          itemdata       = itemdata
        EXCEPTIONS
          system_failure = 1000 MESSAGE lv_exc_msg
          OTHERS         = 1002.
      lv_subrc = sy-subrc.
    " in case of co-deployment the exception is raised and needs to be caught
    CATCH cx_root INTO lx_root.
      lv_subrc = 1001.
      lv_exc_msg = lx_root->if_message~get_text( ).
  ENDTRY.
ELSE.
  " Remote call through the RFC destination configured for the service
  CALL FUNCTION lv_rfc_name DESTINATION lv_destination
    EXPORTING
      so_id                 = so_id
    TABLES
      return                = return
      itemdata              = itemdata
    EXCEPTIONS
      system_failure        = 1000 MESSAGE lv_exc_msg
      communication_failure = 1001 MESSAGE lv_exc_msg
      OTHERS                = 1002.
  lv_subrc = sy-subrc.
ENDIF.
```

Former Member
0 Kudos

Hi Andre,

Thanks for your turnaround.

I admit it is not SAP standard code. But still, it is the Gateway framework which generates the base classes and extension classes (DPC, DPC_EXT, MPC, MPC_EXT) with dynamic RFC calls when generating the runtime artifacts.

So what is the security risk here?

The code profiler is showing this dynamic RFC call as a high security risk, and our audit/security team is advising us to fix the errors before taking it over to the Quality environment. If we change the code manually in DPC, the changes are lost every time the project is generated.

Kindly provide your suggestion on this. I am also going to raise an OSS note on this to SAP.

Regards

Prabaharan Asokan

Former Member
0 Kudos

The code above is not a workaround. You may find similar code in the corresponding *GET_ENTITY or, even more commonly, in the *GET_ENTITYSET method of the DPC class. And you should know that the only way to bypass it is to redefine the very same method in the DPC_EXT class, not the DPC one, as you mentioned. The DPC_EXT class is not influenced by project regeneration. It is well explained in some manuals prepared by Andre and other colleagues of this community. So try to use a non-dynamic RFC call there, and it may solve your problem.

The only hint I see in your message is this: "Code profiler is showing this dynamic RFC call as a high security risk..." It is time to ask your audit/security team a question: "Do you consider any RFC call a high risk?" If the answer is yes, pass it to your Basis team.
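As an added example, not code from this thread or from the Gateway generator, here is what the DPC_EXT redefinition suggested above looks like for the *GET_ENTITY case. The generated DPC keeps `CALL FUNCTION lv_rfc_name`, the variable form that the profiler reports even though the generated code assigns the variable from a literal; the redefined method below calls the function module by its literal name, so the call target is fixed at compile time and a scanner can resolve it, and the override survives regeneration because DPC_EXT is not rewritten. Assumed names and types: entity set SalesOrderSet (method SALESORDERSET_GET_ENTITY), key property SoId, DPC_EXT class ZCL_ZEPM_SO_DPC_EXT, and the EPM demo interface of BAPI_EPM_SO_GET_DETAIL (HEADERDATA of type BAPI_EPM_SO_HEADER, ITEMDATA and RETURN tables); check these against SE37 and your own generated DPC before using it.

```abap
" Added example, not from the thread or the Gateway generator.
" Redefinition of the generated *_GET_ENTITY method in the DPC_EXT class
" ZCL_ZEPM_SO_DPC_EXT (assumed name). The method signature (it_key_tab,
" io_tech_request_context, er_entity, ...) is inherited from the generated
" DPC superclass, so only the implementation is written here.
" Assumed: entity set SalesOrderSet, key property SoId, and the
" BAPI_EPM_SO_GET_DETAIL interface as in the EPM demo (verify in SE37).

METHOD salesorderset_get_entity.

  DATA: ls_key      TYPE /iwbep/s_mgw_name_value_pair,
        lv_so_id    TYPE bapi_epm_so_id,
        ls_header   TYPE bapi_epm_so_header,
        lt_itemdata TYPE STANDARD TABLE OF bapi_epm_so_item WITH DEFAULT KEY,
        lt_return   TYPE bapirettab,
        lo_msg      TYPE REF TO /iwbep/if_message_container.

  " 1. Take the key from the request URL, e.g. SalesOrderSet('0500000001').
  READ TABLE it_key_tab INTO ls_key WITH KEY name = 'SoId'.
  IF sy-subrc <> 0 OR ls_key-value IS INITIAL.
    RAISE EXCEPTION TYPE /iwbep/cx_mgw_busi_exception
      EXPORTING
        textid  = /iwbep/cx_mgw_busi_exception=>business_error
        message = 'Key SoId is missing'.
  ENDIF.
  lv_so_id = ls_key-value.

  " 2. Static call: the function name is a literal, not a variable, so the
  "    target cannot be changed at runtime and the scanner can resolve it.
  "    No DESTINATION addition: the BAPI runs locally (the co-deployment
  "    case handled by the first branch of the generated code).
  CALL FUNCTION 'BAPI_EPM_SO_GET_DETAIL'
    EXPORTING
      so_id      = lv_so_id
    IMPORTING
      headerdata = ls_header
    TABLES
      itemdata   = lt_itemdata
      return     = lt_return.

  " 3. BAPIs report errors through RETURN rather than classic exceptions;
  "    forward them to the client as a business exception.
  READ TABLE lt_return TRANSPORTING NO FIELDS WITH KEY type = 'E'.
  IF sy-subrc = 0.
    lo_msg = mo_context->get_message_container( ).
    lo_msg->add_messages_from_bapi( it_bapi_messages = lt_return ).
    RAISE EXCEPTION TYPE /iwbep/cx_mgw_busi_exception
      EXPORTING
        message_container = lo_msg.
  ENDIF.

  " 4. Map the BAPI header to the entity structure generated by the MPC.
  "    MOVE-CORRESPONDING assumes the generated entity fields carry the
  "    same names as BAPI_EPM_SO_HEADER, which holds when the entity was
  "    generated from this BAPI with the RFC/BOR generator.
  MOVE-CORRESPONDING ls_header TO er_entity.

ENDMETHOD.
```

The remote branch of the generated code (the DESTINATION variant) can be redefined the same way with `CALL FUNCTION 'BAPI_EPM_SO_GET_DETAIL' DESTINATION lv_destination`, keeping the `communication_failure` and `system_failure` exceptions; what matters for the scanner finding is only that the function name is a literal.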

Answers (1)

Former Member
0 Kudos

Hi Experts and SAP mentors,

Could you please help here and throw some light on this?

Regards

Prabaharan