Feature Request: Add a new group for security rewritings and a rewriting for CALL TRANSACTION first #158
Comments
|
I am a bit scared of this code formatter doing such functional (?) changes and them going unnoticed. If I understand the docs correctly adding
|
|
That's a good point and you're of course right! This requires retesting and perhaps adjustment of authorizations. I think it's down to the nature of security fixes to change processing. Otherwise it would be pointless. Personally I'm more scared of unintended authorizations rather than on a code cleaner fixing this and I think resulting code is still developers responsibility. I never percieved such tools as fire and forget. Maybe this can be migtigated by defining options that must be considered to get it to work and hence draw the developers attention on this points? Thanks and Regards, |
|
I feel like the ABAP Cleaner shouldn't cause functional changes. In my opinion, adding |
Personally this specific tool is fire and forget to me as it's basically advertised as a pretty printer on steroids or at least it acts like one being so fast and my muscle memory already presses ctrl + 4 in the basic rotation instead of shift + F1 by now. I would be scared of being woken up in the middle of the night because some automated warehouses stopped working as they can no longer create deliveries from sales orders as the call transaction in the batch input processing suddenly stopped working. And all because of a transport labelled "Minor formatting changes". :P Sure, you can make the rule optional and not part of any delivered profile but this being a security topic I would much rather want to block the transport with a centralized protected configuration based on the finding for changes (baseline) instead of relying on every developer having the correct config and no bad actors changing anything. Quickfixes can offer assisted fixes requiring the manual intervention you mention. Exemptions may also help in some use cases. Also the ATC check already exists. |
|
Hi franzreitmayer, first of all, I'm impressed that you simply tried it out and apparently, successfully added a cleanup rule (or two of them)! However, I really think from the way how ABAP cleaner is used (sometimes doing Ctrl+A, Ctrl+4 on veeery large code documents), it should be restricted to "fire and forget" changes, so after some initial configuration you can be sure even without looking that your code gets improved, while functionality is completely unchanged. At maximum, ABAP cleaner could add a TODO comment, as done by the rule "Delete unused variables" for variables that are assigned but never used – but especially for security relevant issues, an ATC check should be better for this. So, I think I should find a suitable place in documentation on this repo to clarify this. Nevertheless, thanks for the discussion and hope you don't regret trying it out! And also thanks @fabianlupa for investigating the functional difference. Kind regards, |
|
Hi Jörg, Thanks for making this clear. I can understand this point and hence the feature request. One more question: Can you help me on track with ATC? I know how to implement own ATC checks, but I don't know how to write custom quickfixes, is that possible? Thanks! |
|
Hi Franz, I haven't implemented custom quickfixes yet, either, but did you come across ABAP Quick Fix? This project indeed has some functional overlap with ABAP cleaner, but the approach is different, because it uses quick fixes – so it's not doing "everything everywhere" in the "fire and forget" way, but allows you to do things in a more targeted, handpicked way (at the obvious cost of more user interaction). With this, ABAP Quick Fix can have functions like "Remove all comments", which you could never have in ABAP cleaner. Anyway, I guess there you can get guidance and code samples of how quick fixes are implemented! (And if you do, please say hello to Łukasz Pęgiel :-) Kind regards, |
|
Hi Franz, Fabian and ConjuringCoffee, thanks again for the fruitful discussion, this point was definitely worth clarifying! So, I'd add the following lines to the Limitations section of the README:
Kind regards, |
|
Hi Franz, thanks again – the documentation was now enhanced with version 1.8.0! Kind regards, |
Add a new group "SECURITY" for security code rewritings, start with rewriting CALL TRANSACTION.
As of ABAP 7.4 CALL TRANSACTION which isn't followed by WITH AUTHORITY-CHECK or WITHOUT AUTHORITY-CHECK is obsolete and should not be used, but is still used in legacy code.
The rule should rewrite:
CALL TRANSACTION 'XD03'. CALL TRANSACTION 'XD03' using lt_param.to
CALL TRANSACTION 'XD03' WITH AUTHORITY-CHECK. CALL TRANSACTION 'XD03' WITH AUTHORITY-CHECK USING lt_param.Please see first poc implementation at https://github.com/franzreitmayer/abap-cleaner/blob/dev/com.sap.adt.abapcleaner/src/com/sap/adt/abapcleaner/rules/security/SecurityCallTransactionWithAuth.java
main...franzreitmayer:abap-cleaner:dev
I'm interested in implementing this feature and send an according pull request.
...to be continued with further security rewritings... ;)
Thanks,
Franz
The text was updated successfully, but these errors were encountered: