glide.xml.entity.whitelist need help with how to complete

Gemma4
Mega Sage

Hello,

We are in the process of enhancing the security of our instances and one of the proposed settings which instance security has pointed us to is “Disable Entity Expansion”.


Disable Entity Expansion will be compliant if the following are configured:

glide.xml.entity.whitelist is not empty

glide.xml.entity.whitelist.enabled is set to true

glide.stax.whitelist_enabled is set to true

glide.stax.allow_entity_resolution is set to false


The prerequisite for glide.stax.whitelist_enabled is that glide.xml.entity.whitelist is not empty.

Currently, out of the box, it is set to “http://java.sun.com/j2ee/dtds/”.


I am having trouble locating information on what information should be included in the whitelist and how we can test this (test-case information on any potential impact). Should we add links to our instances?

Thanks in advance for any feedback you can provide!

Gemma

1 ACCEPTED SOLUTION

Soeren Maucher
Mega Sage

Hello Gemma,

Even though this is an old question, I see many people trying to understand the function of those properties.

I hope the following documentation, which I created, helps you understand them better:

glide.stax.whitelist_enabled
The glide.stax.whitelist_enabled property in ServiceNow is used to enhance security by managing XML entity processing for XMLDocument2 parsing. When enabled, it ensures that only entities specified in the glide.xml.entity.whitelist are processed, preventing unauthorized or malicious entities from being resolved. This adds a layer of protection against security risks, such as attackers exploiting XML data to increase the attack surface. This configuration helps defend against attacks like XML Entity Expansion/Billion Laughs attacks, which can consume system resources rapidly.

glide.xml.entity.whitelist
The ServiceNow property `glide.xml.entity.whitelist` is used to control which system IDs are permissible for XML external validation. This property helps enhance security by specifying a whitelist of allowed system IDs that can be used during XML processing. By configuring this property, administrators can prevent unauthorized or potentially harmful XML entities from being processed, thereby mitigating risks associated with XML external entity (XXE) attacks. The property is particularly useful in environments where XML data is frequently exchanged and validated. For detailed configuration and usage, refer to the official ServiceNow documentation on XML external entity processing whitelists.

glide.stax.allow_entity_resolution
The ServiceNow property `glide.stax.allow_entity_resolution` controls whether entity resolution and expansion are permitted when using the XMLDocument2 parser. According to the provided documentation, setting this property to `false` will disable all entity resolution and expansion. This is a security measure to prevent XML External Entity (XXE) attacks, which can exploit XML parsers to access unauthorized data or cause denial of service. Disabling entity resolution ensures that the XML parser does not process any external entities, thereby mitigating potential security risks. This property is particularly important for maintaining the integrity and security of XML data processing within the ServiceNow platform.

Greetings
Sören
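A compliance check for the four criteria listed in the question and the three properties explained above, as an added example that is neither from this thread nor ServiceNow's own code. It assumes the property values arrive as strings (which is what gs.getProperty returns in a background script) and falls back to a constructed sample map when run outside the platform.

```javascript
// Constructed example (not from the thread or ServiceNow): evaluates the four
// "Disable Entity Expansion" criteria listed in the question against a map of
// property name -> string value, the way sys_properties stores them.
// All function names and the sample maps are this example's own.
// sys_properties keeps booleans as the strings "true"/"false"; anything else counts as unset.
function asBool(value) {
  return String(value == null ? '' : value).trim().toLowerCase() === 'true';
}

// Split a comma-separated whitelist into trimmed, non-empty entries.
function whitelistEntries(value) {
  return String(value == null ? '' : value).split(',').map(s => s.trim()).filter(Boolean);
}

function checkEntityExpansion(props) {
  const entries = whitelistEntries(props['glide.xml.entity.whitelist']);
  const checks = {
    'glide.xml.entity.whitelist is not empty': entries.length > 0,
    'glide.xml.entity.whitelist.enabled is true': asBool(props['glide.xml.entity.whitelist.enabled']),
    'glide.stax.whitelist_enabled is true': asBool(props['glide.stax.whitelist_enabled']),
    'glide.stax.allow_entity_resolution is false': !asBool(props['glide.stax.allow_entity_resolution']),
  };
  const failures = Object.keys(checks).filter(k => !checks[k]);
  const warnings = [];
  // Prerequisite from the question: the StAX whitelist needs a non-empty whitelist to enforce.
  if (asBool(props['glide.stax.whitelist_enabled']) && entries.length === 0) {
    warnings.push('glide.stax.whitelist_enabled is true but glide.xml.entity.whitelist is empty');
  }
  return { compliant: failures.length === 0, failures, warnings, whitelist: entries };
}

// Constructed target state; the whitelist value is the out-of-the-box one quoted in the question.
const SAMPLE_HARDENED = {
  'glide.xml.entity.whitelist': 'http://java.sun.com/j2ee/dtds/',
  'glide.xml.entity.whitelist.enabled': 'true',
  'glide.stax.whitelist_enabled': 'true',
  'glide.stax.allow_entity_resolution': 'false',
};

// In a ServiceNow background script the map is read with gs.getProperty(name, default);
// under Node.js there is no gs object, so the constructed sample stands in for the instance.
function readFromInstance() {
  const props = {};
  Object.keys(SAMPLE_HARDENED).forEach(n => { props[n] = gs.getProperty(n, ''); });
  return props;
}

const result = checkEntityExpansion(typeof gs !== 'undefined' ? readFromInstance() : SAMPLE_HARDENED);
console.log(result.compliant ? 'compliant' : 'NOT compliant: ' + result.failures.join('; '));
```

Run as a background script on a sub-production instance first; the warnings list is where the "enabled but empty whitelist" case from the follow-up question surfaces.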

@Soeren Maucher , if the property "glide.xml.entity.whitelist.enabled" is set to True and we do not specify any value in the property "glide.xml.entity.whitelist" (remove the OOTB value), does that mean no XML external entities can be accessed? Is it fine to remove the OOTB value?