05-24-2021 04:13 AM
Need more details of this property - glide.xml.entity.whitelist
How it works, and what should be the values.
Solved! Go to Solution.
07-07-2021 04:14 PM
Hi,
Here is the info I put together when running a security hardening exercise…a combination of HI case, docs, and advice from developers. Hope it helps.
glide.xml.entity.whitelist is related to a number of other system properties handling XML entity resolution and expansion – some are mentioned in the old Instance Security Dashboard, some are mentioned in the new Instance Security Center.
In case of SOAP web services, XMLs are used to exchange data. To process this XML data ServiceNow scripting classes are used like XMLDocument or XMLUtils. These classes could be used anywhere else as well, not just SOAP web services. The XMLs may contain some corrupt FQDNs. By sending requests to these FQDNs it may open more options for the attacker to attack - may increase surface area of the attack vector.
Entity expansion is introduced to the platform predominantly through customer customizations, so if the custom code is using the XMLDocument or XMLDocument2 parser as shown in the example below, it will be using entity expansion and the platform may block further processing.
var xmldoc = new XMLDocument(payload);
or
var xmldoc = new XMLDocument2(payload);
glide.xml.entity.whitelist.enabled and glide.stax.whitelist_enabled both work off the glide.xml.entity.whitelist – this will be checked when performing XML Entity processing.
glide.xml.entity.whitelist.enabled is related to XMLDocument and XMLUtil parsing.
glide.stax.whitelist_enabled is related to XMLDocument2 parsing.
[glide.stax.allow_entity_resolution] is used to block entity expansion.
[glide.xmlutil.max_entity_expansion] is used to set a threshold to limit the amount of expansion allowed by the platform before blocking further processing. Recommended to be set to 3000. Any expansion above this will be blocked.
Setting glide.stax.allow_entity_resolution to false and glide.xmlutil.max_entity_expansion to 3000 - all entity resolution and expansion is blocked. No harm in enabling the other 2 whitelists (glide.xml.entity.whitelist.enabled and glide.stax.whitelist_enabled) as this will offer some protection in the event the use case changes and glide.stax.allow_entity_resolution is activated.
For my use case (as we did not have much in the way of custom code) we were able to set glide.stax.allow_entity_resolution to false to block all entity resolution and expansion.
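As an added illustration (not ServiceNow platform code, and not part of the answer above), the following JavaScript pre-check shows what the three properties mean in practice by applying the same policy to a document's DOCTYPE: blocking external (SYSTEM) entities when resolution is disabled, accepting only hosts on an FQDN whitelist when it is enabled, and counting how many substitutions a full internal entity expansion would perform against a threshold. The policy field names, the samples, and the host-matching rule (exact FQDN only) are assumptions of this example.

```javascript
// Added example, not ServiceNow platform code. Policy fields mirror the properties discussed:
//   policy.allowEntityResolution  ~ glide.stax.allow_entity_resolution
//   policy.whitelist (FQDN list)  ~ glide.xml.entity.whitelist
//   policy.maxEntityExpansion     ~ glide.xmlutil.max_entity_expansion
const PREDEFINED = new Set(["lt", "gt", "amp", "quot", "apos"]);
function checkXmlEntityPolicy(xml, policy) {
  const doctype = /<!DOCTYPE[^\[>]*(?:\[([\s\S]*?)\])?\s*>/.exec(xml);
  if (!doctype) return { ok: true, expansions: 0 };        // no DTD: nothing can expand
  const subset = doctype[1] || "";
  const body = xml.slice(doctype.index + doctype[0].length);
  const internal = new Map();                                // name -> replacement text
  const declRe = /<!ENTITY\s+(\w+)\s+(?:SYSTEM\s+"([^"]*)"|"([^"]*)")\s*>/g;
  for (let m; (m = declRe.exec(subset)) !== null;) {
    const [, name, sysUrl, literal] = m;
    if (sysUrl === undefined) { internal.set(name, literal); continue; }
    if (!policy.allowEntityResolution)                       // allow_entity_resolution = false
      return { ok: false, reason: `external entity ${name}: resolution disabled` };
    let host = null;
    try { host = new URL(sysUrl).hostname; } catch (e) { /* unparsable URL -> no host */ }
    if (!host || !policy.whitelist.includes(host))           // exact FQDN match only (assumed)
      return { ok: false, reason: `external entity ${name}: host ${host} not whitelisted` };
  }
  const refs = (text) => [...text.matchAll(/&(\w+);/g)].map((x) => x[1])
    .filter((r) => !PREDEFINED.has(r) && internal.has(r));
  const memo = new Map();
  // number of substitutions a full expansion of entity `name` would perform
  function expansions(name, stack) {
    if (memo.has(name)) return memo.get(name);
    if (stack.has(name)) throw new Error(`recursive entity ${name}`);
    stack.add(name);
    let n = 0;
    for (const r of refs(internal.get(name))) n += 1 + expansions(r, stack);
    stack.delete(name);
    memo.set(name, n);
    return n;
  }
  let total = 0;
  try { for (const r of refs(body)) total += 1 + expansions(r, new Set()); }
  catch (e) { return { ok: false, reason: e.message }; }
  if (total > policy.maxEntityExpansion)
    return { ok: false, reason: `entity expansion ${total} exceeds ${policy.maxEntityExpansion}` };
  return { ok: true, expansions: total };
}
// Constructed samples: 5 x 5 x 5 nested internal entities, and one external entity.
const SAMPLE_NESTED = `<!DOCTYPE d [ <!ENTITY l "x"> <!ENTITY l1 "&l;&l;&l;&l;&l;">
  <!ENTITY l2 "&l1;&l1;&l1;&l1;&l1;"> <!ENTITY l3 "&l2;&l2;&l2;&l2;&l2;"> ]><d>&l3;</d>`;
const SAMPLE_EXTERNAL = `<!DOCTYPE d [ <!ENTITY ext SYSTEM "https://example.com/a.xml"> ]><d>&ext;</d>`;
const HARDENED = { allowEntityResolution: false, whitelist: [], maxEntityExpansion: 3000 };
```

With the hardened policy the nested sample passes (156 substitutions, under 3000) and the external sample is rejected before any network lookup; lowering the threshold or enabling resolution without the host on the whitelist flips those results.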

05-24-2021 04:19 AM
Hi there,
Here's documentation from Instance Hardening:
Kind regards,
Mark
2020, 2021 ServiceNow Community MVP
2020, 2021 ServiceNow Developer MVP
05-24-2021 11:57 AM
Hi,
But I need more details on the usage of this property, like how it works.
It also mentions to create this property and add the values comma-delimited: "XML external entity processing - whitelist" (servicenow.com).
I just need to know the overall functionality of the above properties.
10-17-2023 10:57 AM
The information above is very helpful and informative. Thanks. Can you suggest what the value should be for glide.security.url.whitelist?
This was previously entered and I'm seeking to understand why.