Guarded Scripts KB2944435 Server-Side Sandbox Runtime Replacement

Go to solution
AnthonyMull
Tera Contributor

3 weeks ago

Hi all

 

Does anyone have a high level understanding of the new Guarded Scripts Sandbox runtime and the impact?

 

Will this stop scripts working or will it simply alert admins of the issue?

 

Thanks in advance.

0 Helpfuls
  • 2,657 Views
1 ACCEPTED SOLUTION

Go to solution
JC Moller
Giga Sage
In response to AnthonyMull

2 weeks ago - last edited 2 weeks ago

The informed dates and schedules are above. The about 30 days long cycle will include these phases:

 

Phase 1 - Detection (2 weeks): The system silently analyzes scripts for compatibility issues, recording any violations in a list without blocking execution.

 

Phase 2 - Syntax Enforcement (2 weeks): Guarded syntax rules are enforced, and API violations are recorded, but scripts still continue to execute.

 

Phase 3 - Full Enforcement (Permanent): Full restriction is applied, where scripts violating safety rules are blocked unless an exemption has been created

 

I have monitored several instances and my Australia patch 2 PDI, but have not yet observed any activity on the servers that would match the code examples (eg. system properties). Good to be on "alert" with this upgrade and security change. Risks could be higher than normal for anything to go wrong. 

 

- Christian

View solution in original post

5 REPLIES 5

Go to solution
Tom Brown
Giga Guru

2 weeks ago - last edited Friday

I found the articles to be too vague.  It doesn't affect client scripts...ok.  But would it affect business rules?  scripts in flows?  what about scheduled jobs?  Transforms, like OnBefore scripts?  What about JS calls that return an encoded filter value?  And if an exception is made, it sends it to the sandbox where a list of functions are not allowed, like insert(), delete(), and I guess every time/date function that we have.

 

I installed Zurich P9 in one of our sandboxes and was unable to generate any in those categories, but overnight some scheduled exports in PA threw some errors in the Incompatible Guarded Scripts table where we had added some script to check the day of the week.  Also, one that seems to be a SN construct where it was doing something about the discovery workspace.  Note that there is no indication of where this script lives.  It would be nice to have a link or at least a table name.

TomBrown_0-1778250519440.png

edit:  For what it's worth, I opened a case with SN about it on 5/12/26.  They have agreed that it's a good point, but so far have not been able to give me any specifics about the types of scripts about which I need to be concerned.  I assume that they are reaching out to the developers to find out.