Context
The HTTP handler (zasis_cl_http_handler / zasis_lcl_http_requ_validator) accepts user-controlled input from the URL path and POST body without applying explicit size or format guards.
Issues Found
1. No request body size cap
get_cdata() is passed directly to /ui2/cl_json=>deserialize with no prior size check. The parser reads the whole payload, so a client can drive memory and CPU consumption with a single oversized body (denial of service).
2. string_to_be_interpreted unbounded
After deserialization, no max-length check is applied before the value is handed to zasis_cl_interpreter=>execute. Regex evaluation on an extremely large string is expensive.
3. ruleset_id silent truncation
zasis_ruleset_id is CHAR(12). If the URL segment is longer than 12 characters, ABAP silently truncates on assignment. A malformed URL like /ruleSet/ABCDEFGHIJKLMNO resolves to ABCDEFGHIJKL without raising an error, so the request is served under a ruleset id the client did not ask for instead of being rejected.
4. context table entry count uncapped
The deserialized context table has no max entry limit, allowing unbounded memory allocation via a crafted POST body.
Proposed Fix
- Add a body size guard in zasis_lcl_http_handler=>constructor before deserialization (e.g. max 1 MB)
- Validate strlen(last_path_element) <= 12 in extract_ruleset_id_from_requ before assignment
- Check strlen(request_body-string_to_be_interpreted) after deserialization (e.g. max 10,000 chars)
- Check lines(request_body-context) after deserialization (e.g. max 100 entries)
- Define max-size constants in zasis_constants
- Add new exception textids in zasis_cx_exc / ZASIS_MSGS for new error cases
- Add ICF shim integration tests for all new 400 responses
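The four guards above, written out as an added ABAP example. This is not zasis project code: the local exception class lcx_bad_request, the constant names and values, the shape of the context entry and the request body type are all assumptions standing in for zasis_constants, zasis_cx_exc / ZASIS_MSGS and the real request type. What it shows is the ordering that matters: the body size gate runs before /ui2/cl_json=>deserialize, the ruleset id length check runs before the CHAR(12) assignment, and the string length and row count checks run on the deserialized structure before anything reaches zasis_cl_interpreter=>execute.

```abap
" Added example, not zasis project code. Names, limits and types are assumed.
CLASS lcx_bad_request DEFINITION INHERITING FROM cx_static_check FINAL.
  PUBLIC SECTION.
    DATA reason TYPE string READ-ONLY.
    METHODS constructor IMPORTING iv_reason TYPE string.
ENDCLASS.

CLASS lcx_bad_request IMPLEMENTATION.
  METHOD constructor.
    super->constructor( ).
    reason = iv_reason.
  ENDMETHOD.
ENDCLASS.

CLASS lcl_request_guard DEFINITION FINAL.
  PUBLIC SECTION.
    CONSTANTS:
      " Assumed limits; the project would keep these in zasis_constants.
      c_max_body_chars   TYPE i VALUE 1048576,   " ~1 MB of characters
      c_max_ruleset_len  TYPE i VALUE 12,        " width of zasis_ruleset_id, CHAR(12)
      c_max_string_len   TYPE i VALUE 10000,
      c_max_context_rows TYPE i VALUE 100.

    TYPES:
      " Assumed shape of one context entry and of the request body.
      BEGIN OF ty_context_entry,
        name  TYPE string,
        value TYPE string,
      END OF ty_context_entry,
      ty_context TYPE STANDARD TABLE OF ty_context_entry WITH EMPTY KEY,
      BEGIN OF ty_request_body,
        string_to_be_interpreted TYPE string,
        context                  TYPE ty_context,
      END OF ty_request_body.

    " Gate 1: raw cdata, BEFORE /ui2/cl_json=>deserialize is called.
    CLASS-METHODS check_body_size
      IMPORTING iv_body TYPE string
      RAISING   lcx_bad_request.

    " Gate 2: last URL path element, BEFORE assignment to zasis_ruleset_id,
    " so an over-long segment is rejected instead of silently truncated.
    CLASS-METHODS check_ruleset_id
      IMPORTING iv_segment TYPE string
      RAISING   lcx_bad_request.

    " Gates 3 and 4: deserialized structure, BEFORE execute( ).
    CLASS-METHODS check_deserialized_body
      IMPORTING is_body TYPE ty_request_body
      RAISING   lcx_bad_request.

    " Full pipeline in the order the handler should apply it.
    CLASS-METHODS validate
      IMPORTING iv_last_path_element TYPE string
                iv_cdata             TYPE string
      RETURNING VALUE(rs_body)       TYPE ty_request_body
      RAISING   lcx_bad_request.
ENDCLASS.

CLASS lcl_request_guard IMPLEMENTATION.
  METHOD check_body_size.
    " strlen counts characters, not bytes. For a byte-exact cap, check
    " xstrlen( request->get_data( ) ) on the raw payload instead.
    IF strlen( iv_body ) > c_max_body_chars.
      RAISE EXCEPTION TYPE lcx_bad_request EXPORTING iv_reason = 'request body too large'.
    ENDIF.
  ENDMETHOD.

  METHOD check_ruleset_id.
    IF iv_segment IS INITIAL.
      RAISE EXCEPTION TYPE lcx_bad_request EXPORTING iv_reason = 'ruleset id missing'.
    ENDIF.
    IF strlen( iv_segment ) > c_max_ruleset_len.
      RAISE EXCEPTION TYPE lcx_bad_request EXPORTING iv_reason = 'ruleset id longer than 12 characters'.
    ENDIF.
  ENDMETHOD.

  METHOD check_deserialized_body.
    IF strlen( is_body-string_to_be_interpreted ) > c_max_string_len.
      RAISE EXCEPTION TYPE lcx_bad_request EXPORTING iv_reason = 'string_to_be_interpreted too long'.
    ENDIF.
    IF lines( is_body-context ) > c_max_context_rows.
      RAISE EXCEPTION TYPE lcx_bad_request EXPORTING iv_reason = 'too many context entries'.
    ENDIF.
  ENDMETHOD.

  METHOD validate.
    check_ruleset_id( iv_last_path_element ).
    check_body_size( iv_cdata ).          " must run before the JSON parse
    /ui2/cl_json=>deserialize( EXPORTING json = iv_cdata CHANGING data = rs_body ).
    check_deserialized_body( rs_body ).
  ENDMETHOD.
ENDCLASS.
```

In the handler the call would be wrapped in TRY ... CATCH lcx_bad_request and mapped to server->response->set_status( code = 400 reason = lx->reason ), which is also the point where each of the new ICF shim tests asserts. Two caveats a practitioner would check: get_cdata( ) has already materialised the whole body as an ABAP string by the time check_body_size runs, so the gate bounds the JSON parse and the resulting internal table, not the raw read (the ICM profile parameter icm/HTTP/max_request_size_KB is the outer bound for that); and the ruleset check above only enforces length, as proposed, so any format restriction on the id is still open.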