Wednesday, December 16, 2015

Hiding ABAP code

For years ABAP had one special feature which not many people were aware of: it was possible to hide the ABAP source code of ABAP objects which were present in the system and which were runnable in the system. Now you may wonder: hold on, what's that? Well, we all know that ABAP code is a kind of open source for SAP customers, as everybody who has access and the appropriate access rights in the SAP system can see the code. That's correct. However, there was a possibility to hide the code.

The trick is that by putting the special characters *@# (in the form of a comment) into the 1st line of an ABAP program in a t-code like SE38, the whole code would disappear. Technically, not the whole code disappears, just its source code. The generated version stays there and is still executable; it is invisible only to ABAP editors such as t-codes SE38/SE80. If you attempted to display it you would get the following message instead of the code:

The source is protected. See explanation in long text
Message no. ED800

Diagnosis

The desired source text is protected by SAP because changing it could cause system errors.

Now, why do I keep writing this blog post in the past tense? Yep, this feature is gone now. As of SAP Kernel version 7.21 there is a fix delivered via SAP Note 2198580 which removed this feature. In fact the Note disables the comment *@# completely.
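As an added defensive check (not part of the original post), the following scanner flags program sources whose 1st line starts with the *@# marker described above, so that such objects can be reviewed before the source is lost from view in the editors. It assumes the sources have been exported as plain text (for example from a REPOSRC extract or a transport) into a mapping of program name to source lines; that input format and the sample programs are constructed for this example.

```python
"""Flag ABAP programs whose first source line carries the '*@#' hiding marker.

Added example, not code from the blog post. Input format (program name ->
list of source lines, e.g. exported from REPOSRC) is an assumption.
"""
from typing import Dict, Iterable, List

# The comment sequence the post describes as hiding the source in SE38/SE80.
HIDE_MARKER = "*@#"


def is_hidden_by_marker(source_lines: Iterable[str]) -> bool:
    """Return True if the program's 1st line starts with the '*@#' comment.

    The post describes the marker as taking effect in the 1st line only, so
    occurrences on later lines are treated as ordinary comments here.
    An empty source is reported as not hidden.
    """
    first = next(iter(source_lines), "")
    return first.startswith(HIDE_MARKER)


def find_hidden_programs(sources: Dict[str, List[str]]) -> List[str]:
    """Return the sorted names of programs whose source is hidden by the marker."""
    return sorted(name for name, lines in sources.items() if is_hidden_by_marker(lines))


# Constructed sample input: three customer programs as they might be exported.
SAMPLE_SOURCES = {
    "ZHIDDEN_REPORT": [
        "*@# source hidden from the editors",
        "REPORT zhidden_report.",
        "WRITE 'still executable'.",
    ],
    "ZNORMAL_REPORT": [
        "*&---------------------------------------------------------------------*",
        "*& Report ZNORMAL_REPORT",
        "REPORT znormal_report.",
    ],
    "ZLATE_MARKER": [
        "REPORT zlate_marker.",
        "*@# a marker on line 2 is just a comment",
    ],
}

if __name__ == "__main__":
    for name in find_hidden_programs(SAMPLE_SOURCES):
        print(f"{name}: 1st line starts with {HIDE_MARKER}, review this object")
```

Running the block prints only ZHIDDEN_REPORT; ZLATE_MARKER is not reported because its marker is not on the 1st line. On kernels with the fix from SAP Note 2198580 the marker no longer hides anything, but sources exported from older systems or transports can still carry it, which is why the check is done on the exported text rather than through the editor.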


More information:
2198580 - Code injection vulnerability in ABAP

2 comments:

Shahin said...

Hi Martin,
but is there any other way to protect code? I think SAP has its own code which must be protected. How will SAP do this protection?
Thanks in advance

Shahin

Martin Maruskin said...

Hi Shahin,

thanks for your thought! Actually, what you are referring to is protection of code in the SAP standard namespace, meaning objects not starting with Z* or Y* (or any other customer/partner namespace).
If someone would like to change it, this is called a "modification of SAP standard". In this case so-called "access keys" are required to be entered when there is an attempt to change such objects. This means that whoever does that must register this change via SMP (https://support.sap.com/keys-systems-installations/keys/sscr.html). This is mandatory as SAP must keep track of changes done by customers in their systems. SAP calls this tracking process SAP Software Change Registration. It is also important for customers to know, in case of upgrades, which objects were modified by the customer, as they can be overwritten while the upgrade takes place.

PS: I would also like to thank you, as you sparked the idea for this blog post some time ago :-)

cheers