For years ABAP had one special feature that not many people were aware of: it was possible to hide the source code of ABAP objects that were present and runnable in the system. Now you may wonder: hold on, what's that? Well, we all know that ABAP code is a kind of open source for SAP customers, as everybody who has access and the appropriate access rights in the SAP system can see the code. That's correct. However, there was a way to hide the code.
The trick was that by putting some special characters (in the form of a comment like *@# ) into the 1st line of an ABAP program in a t-code like SE38, the whole code would disappear. Technically, not the whole code would disappear, just its source code. The generated version stays there and is still executable; it is invisible only to ABAP editors such as t-codes SE38/SE80. If you attempted to display it, you would get the following message instead of the code:
The source is protected. See explanation in long text
Message no. ED800
Diagnosis
The desired source text is protected by SAP because changing it could cause system errors.
Now, why do I keep writing this blog post in the past tense? Yep, this feature is gone now. As of SAP Kernel version 7.21 there is a fix delivered via SAP Note 2198580 which removed this feature. In fact, the Note disables the comment *@# completely.
More information:
2198580 - Code injection vulnerability in ABAP
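As an added example (not from the original post and not SAP code), the following Python script audits ABAP source text for the *@# marker in the 1st line, which is the condition the post describes. It assumes the sources are available as plain text keyed by program name, for instance from a version-control export; all program names and source lines in it are constructed.

```python
from dataclasses import dataclass

MARKER = "*@#"                   # comment prefix described in the post
ZY_PREFIXES = ("Z", "Y")         # customer objects start with Z* or Y*


@dataclass
class Finding:
    program: str
    first_line: str
    customer_zy: bool            # True if the name starts with Z or Y


def first_line(source: str) -> str:
    """Return the first physical line without BOM or line terminator."""
    text = source.lstrip("\ufeff")
    return text.splitlines()[0] if text else ""


def has_hide_marker(source: str) -> bool:
    # An ABAP full-line comment needs '*' in column 1, so leading
    # whitespace is not stripped, and only line 1 is inspected.
    return first_line(source).startswith(MARKER)


def audit(sources: dict[str, str]) -> list[Finding]:
    """List every program whose 1st line starts with the marker."""
    findings = []
    for name, src in sorted(sources.items()):
        if has_hide_marker(src):
            findings.append(Finding(name, first_line(src).rstrip(),
                                    name.upper().startswith(ZY_PREFIXES)))
    return findings


# Constructed sample input: hypothetical program names and source text.
SAMPLES = {
    "ZHIDDEN_REPORT": "*@# constructed\nREPORT zhidden_report.\nWRITE 'x'.\n",
    "ZNORMAL_REPORT": "REPORT znormal_report.\n*@# marker not on line 1\n",
    "ZINDENTED": "  *@# not in column 1\nREPORT zindented.\n",
    "/ACME/TOOL": "\ufeff*@#\r\nREPORT /acme/tool.\r\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLES):
        scope = "Z/Y namespace" if f.customer_zy else "other namespace"
        print(f"{f.program}: line 1 = {f.first_line!r} ({scope})")
```
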
Hi Martin,
But is there any other way to protect code? I think SAP has its own code which must be protected. How will SAP do this protection?
Thanks in advance
Shahin
Hi Shahin,
Thanks for your thought! Actually, what you are implying is protection of code in the SAP standard namespace. That means objects not starting with Z* or Y* (or any other customer/partner namespace).
If someone would like to change it, then it is called a "modification of SAP standard". In this case so-called "access keys" are required to be entered when there is an attempt to change such objects. This means that whoever does that must register the change via SMP (https://support.sap.com/keys-systems-installations/keys/sscr.html). This is mandatory as SAP must keep track of changes done by customers in their systems. SAP calls this tracking process SAP Software Change Registration. It is also important for customers to know, in case of upgrades, which objects were modified by the customer, as they can be overwritten while the upgrade takes place.
PS: also I would like to thank you, as some time ago you sparked an idea for this blog post :-)
cheers