Why Declaration of Variables is Essential in ServiceNow

Soeren Maucher
Mega Sage

‎11-10-2022 05:41 AM

Two questions to ask yourself:

  1. Do you know the difference between variable assignment and declaration?
  2. Do you know the difference between global and local variables in JavaScript?

In the following, I will show you an example of what can go wrong with variables in JavaScript and provide a list of 31 affected Out of the Box (OOB) Scripts.  

 

Variable assignment vs. declaration

During the declaration of a variable the name and scope are defined, while during the assignment the value of the variable is set. Variable declaration must always happen before assignment or otherwise the code execution will lead to an undefined error. Typically, both declaration and assignment are done in one statement.

var i; //variable declaration

i = 0; //variable assignment

var i = 0; // variable declaration and assignment in one statement

 

Global vs. local variables
All variables defined in the outermost scope are global variables, while variables declared inside a block, such as a function, are local variables.

var i = 0; //global variable
myFunction();
function myFunction() {
    var i = 0; //local variable
}

 

If a function does not declare a variable and there is already a local variable with the same name, it will automatically assign the global variable instead. In the following example there is no local variable declared and therefore the function assigns the value to the global variable instead.

var i = 0; //global variable
myFunction();
function myFunction() {
    i = 0; //assigning value of 0 to the global variable
}

 

What does that have to do with ServiceNow?

Calling a Script Include in ServiceNow has the same implications as calling a JavaScript function. Therefore, if Script Includes do not properly declare variables, global variables can be overwritten which will lead to unexpected behavior. In the following, a simple example is provided:

 

1. Unexpected behavior: Variable is not declared in Script Include  

Fix Script (calling Script Include):

SoerenMaucher_0-1668087388217.png

Script Include (called by the Fix Script):

SoerenMaucher_1-1668087406294.png

Sys Log (created by the Fix Script):

SoerenMaucher_2-1668087427218.png

In this example, the Script Include does not properly declare the variable i in the for loop. Instead, it assigns and overwrites the value to the global variable i defined in the Fix Script. Therefore, each iteration of the Fix Script will log the value 20. Because the iterator i is not properly incremented, we are looping over all incidents instead of the iterator i. Otherwise, in this example we could end up in an infinite loop.


2. Correct behavior: Variable is properly declared in Script Include:

Fix Script (calling Script Include):

SoerenMaucher_3-1668087466447.png

Script Include (called by the Fix Script):

SoerenMaucher_4-1668087475812.png

Sys Log (created by the Fix Script):

SoerenMaucher_5-1668087485315.png

In this example, the Script Include properly declares the variable i in the for loop. Therefore, it will not overwrite the global variable i from the Fix Script. This approach would be considered best practice.

 

Is your ServiceNow instance affected?

Unfortunately, many OOB Script Includes do not properly declare variables with common names such as i. As shown above, this can lead to unexpected behavior and is not considered best practice. I have recently discovered this issue when generating multiple random passwords via the Script include: PwdDefaultAutoGenPassword. With a code search I was able to find at least (32) other OOB Script Includes in the current Tokyo release where a variable i is not properly declared in the for loop and could thus lead to similar issues (see the following table). Most likely there more OOB scripts affected with other variable names. The Script Includes mentioned here, are just the ones with the variable name i and a missing declaration in the for loop.

 

PwdDefaultAutoGenPassword

PasswordResetScopedUtil

CostPlan

PlanningConsoleProcessor

FormHeaderRibbonUtil

FileDataDecorator

PwdVerifyStageBL

AutoResolutionLanguageChoiceListBuilder

PwdIdentifyStageBL

FlowDiagramBuilderApi

FavoriteContentConfigAPISNC

TaxonomyUtilSNC

SowCollabUtils

PipelineRunnerUtils

SNHelpUtil

BenefitPlan

todoPageUtils

UXPagePropertyUtil

RMDailyAggregate

CMDBDynamicIREProcessor

AisConfigurationAjax

RMCapacityAPI

FlowDesignerArtifactsCollector

TourBuilderRecorder

RMParisUpgradeHelper

RteEntityOperationSourceFieldRefQualifier

PALicensingUtils

UserCriteriaDiagnosticsUtil

AJAXClientTiming

SOAPMessageGenerator

WebServiceActivityHandler

PushMessageQualifier

 

Next Steps:

I hope ServiceNow is addressing this issue in the Out of the Box provided Script includes (I have already created a ticket in the HI Portal).
Until then, I would suggest checking if you are using any of the affected scripts. Furthermore, when writing Script Includes yourself, stick to the best practice of declaring variables and using custom names instead of common names such as i.

  • 1,591 Views
0 REPLIES 0