Every AUTHORITY-CHECK statement sets the field SY-SUBRC (also accessible as SYST-SUBRC) to the
authorization check result. The SY-SUBRC value should therefore be checked immediately after every AUTHORITY-CHECK statement.
Noncompliant code example
AUTHORITY-CHECK OBJECT 'S_MYOBJ' "Noncompliant
ID 'ID1' FIELD myvalue.
Compliant solution
AUTHORITY-CHECK OBJECT 'S_MYOBJ' "Compliant
ID 'ID1' FIELD myvalue.
IF sy-subrc <> 0.
MESSAGE 'NOT AUTHORIZED' TYPE 'E'.
ENDIF.
Exceptions
No issue will be raised in the following cases:
- One or more WRITE operations are performed between the AUTHORITY-CHECK statement and the SY-SUBRC check. An issue is still raised, however, if the WRITE operation is a WRITE ... TO statement, as this sets SY-SUBRC again.
- SY-SUBRC's value is assigned to a variable. We then assume that it will be checked later.
AUTHORITY-CHECK OBJECT 'S_MYOBJ' "Compliant
ID 'ID1' FIELD myvalue.
WRITE 'Test'. " WRITE is accepted before checking SY-SUBRC
IF SY-SUBRC <> 0.
EXIT.
ENDIF.
AUTHORITY-CHECK OBJECT 'S_MYOBJ' "Compliant
ID 'ID1' FIELD myvalue.
Tmp = SY-SUBRC. " Assigning SY-SUBRC value to a variable. We assume that it will be checked later.
IF Tmp <> 0.
EXIT.
ENDIF.
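
The rule and its two exceptions can be expressed as a scanner over ABAP source. The Python code below is an added example, not the analyzer's own implementation; it assumes the result must be read in the statement directly after the AUTHORITY-CHECK (plain WRITE statements aside), and the names buffer, tmp and do_work in the constructed sample are made up.

```python
import re

def statements(source):
    """Split ABAP source into (line_no, STATEMENT) pairs; comments and literal text are dropped."""
    clean = "\n".join(
        "" if ln.startswith("*") else re.sub(r"'[^']*'", "''", ln).split('"')[0]
        for ln in source.splitlines())
    out = []
    for m in re.finditer(r"[^.\s][^.]*", clean):      # one match per period-terminated statement
        line_no = clean.count("\n", 0, m.start()) + 1
        out.append((line_no, " ".join(m.group().upper().split())))
    return out

def unchecked_authority_checks(source):
    """Line numbers of AUTHORITY-CHECK statements not followed by a read of SY-SUBRC."""
    stmts, findings = statements(source), []
    for i, (line_no, stmt) in enumerate(stmts):
        if not stmt.startswith("AUTHORITY-CHECK"):
            continue
        # Plain WRITE may sit in between; WRITE ... TO may not, since it sets SY-SUBRC again.
        rest = [s for _, s in stmts[i + 1:]
                if not re.match(r"WRITE\b(?!.*\sTO\s)", s)]
        if not rest or not re.search(r"\bSY(ST)?-SUBRC\b", rest[0]):
            findings.append(line_no)
    return findings

# Constructed sample (not from a real system).
SAMPLE = """\
AUTHORITY-CHECK OBJECT 'S_MYOBJ'
  ID 'ID1' FIELD myvalue.
WRITE 'Test'.               " plain WRITE is tolerated
IF sy-subrc <> 0. EXIT. ENDIF.
AUTHORITY-CHECK OBJECT 'S_MYOBJ'
  ID 'ID1' FIELD myvalue.
WRITE myvalue TO buffer.    " overwrites SY-SUBRC
IF sy-subrc <> 0. EXIT. ENDIF.
AUTHORITY-CHECK OBJECT 'S_MYOBJ' ID 'ID1' FIELD myvalue.
tmp = sy-subrc.
AUTHORITY-CHECK OBJECT 'S_MYOBJ' ID 'ID1' FIELD myvalue.
PERFORM do_work.
"""

if __name__ == "__main__":
    print(unchecked_authority_checks(SAMPLE))
```

The check on line 5 is reported because the IF after WRITE ... TO no longer sees the authorization result, and the one on line 11 because its result is never read.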