Is the "Check Unsanitized HTML" feature mentioned in "Instance Security Hardening" still valid?

Leonard Ambos
Mega Sage

While running through the Instance Security Hardening guide (/isc?id=security_hardening), our instance was identified as being non-compliant for "Check Unsanitized HTML". The ISC guide says that this property is controlled by 'com.glide.security.check_unsanitized_html', which is a safe db property and can't be reverted once changed. The ISC guide indicates that the property is currently set to 'log_only' (recommendation is 'enforced'), but that property doesn't actually appear on the sys_properties table.

ServiceNow doesn't seem to have much information about this system property; the only page that mentioned the property directly is the "High Security Settings" doc page, which says the property "Enforces sanitization behavior of translated_html fields on a global level for field assignments."
https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/concept/c_HighSecuritySettings.html

Additionally, the Safe override doc page doesn't appear to list "Check Unsanitized Html" as a non-revertible property:
https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/safe-override.html

The ISC link for "Check Unsanitized Html" appears broken, but "HTML sanitizer" seems to be similar in purpose. However, this feature appears to use the 'glide.html.sanitize_all_fields' and 'glide.translated_html.sanitize_all_fields' properties, both of which we already have set.
https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/concept/c_HTMLSanitizer.html

1. Is "Check Unsanitized Html" still a supported feature?
2. Is "Check Unsanitized Html" actually non-revertible?
3. How is "Check Unsanitized Html" different from "HTML sanitizer"?
4. If "Check Unsanitized Html" is actually different from "HTML sanitizer", is there a way to see what translated_html the "Check Unsanitized Html" feature is currently logging, but would alter if the feature were enforced?

1 ACCEPTED SOLUTION

It looks like the ISC link for "Check Unsanitized Html" has been fixed since I originally posted this, and goes to the link you'd provided. I was still confused, as that doc page doesn't have much info, and contains a link to HTML Sanitizer which already mentions Translated HTML.

I ran a few tests to get a better understanding of the difference between "Check Unsanitized Html" and "HTML sanitizer", which I'll attempt to summarize here.

glide.html.sanitize_all_fields (HTML sanitizer) ONLY affects HTML fields, not translated HTML; the html_sanitize=true attribute can override this on a per-variable basis
com.glide.security.check_unsanitized_html (Check Unsanitized Html) ONLY affects Translated HTML fields; the html_sanitize=true attribute can NOT be used to override Translated HTML fields on a per-variable basis
glide.html_sanitize.discarded_log.enable logs ANY HTML/Translated HTML fields that would be sanitized based on the HTMLSanitizerConfig script, even if the field is not set to sanitize

The config in the HTMLSanitizerConfig script include affects BOTH HTML and Translated HTML sanitization. As noted in the HTML sanitizer doc page, this config file is not exhaustive; there's a BUILTIN_HTML_WHITELIST included on the doc page which isn't accessible by users on the instance. The config file indicates that any items added to the black list override the white list, but since the config file doesn't mention the builtin whitelist, it's not clear if those can be overridden.

There's a second level of sanitization that appears to only happen on Translated HTML fields, even when com.glide.security.check_unsanitized_html is not set to enforce. I'm not sure what tags are affected, but any <script> and </script> tags in Translated HTML fields are escaped and replaced with &lt;script&gt; and &lt;/script&gt;.

Despite the Check Unsanitized Html doc page which lists the recommended value of "true", the only valid value for the com.glide.security.check_unsanitized_html property is "enforce"; trying to set any other value (true, false, log_only, etc) results in the error message "Not allowing set of unsafe property value: com.glide.security.check_unsanitized_html=log_only". It IS still possible to delete the sys_property record, which prevents sanitization of Translated HTML fields.

Sanitization is applied on field write, so any sanitized tags/attributes that were set before enabling HTML/Translated HTML are NOT altered when displaying the record.


In case anyone wants to try to reproduce these results, I ran all these tests against kb_knowledge.text (Translated HTML) and kb_template_faq.kb_question (HTML). The WYSIWYG editor already limits what HTML you can add and the list view doesn't let you edit those fields, so all field updates were done through GlideRecord updates in a background script.


So to answer my original questions:

  1. "Check Unsanitized Html" is a supported feature
  2. The com.glide.security.check_unsanitized_html property can be reverted by deleting the system property, but not by changing the value of the property
  3. "Check Unsanitized Html" is a subset of HTML Sanitizer, but the com.glide.security.check_unsanitized_html property is entirely separate from the glide.html.sanitize_all_fields property, as one only handles Translated HTML and the other only handles HTML
  4. There's no great way to see what fields would be impacted by "Check Unsanitized Html", since the glide.html_sanitize.discarded_log.enable property enables logging for both HTML and Translated HTML fields. The logs indicate the table and column name, but not whether the column is HTML or Translated HTML. You can probably write a script to look up that information, but it isn't readily available.

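Point 4 above notes that the discarded log names the table and column but not whether the column is HTML or Translated HTML. The following is an added example (not code from the thread or from ServiceNow) of the lookup script it suggests: it resolves each logged table.column against a dictionary extract, walking up the table hierarchy, and reports which sanitizer property governs it. The dictionary rows, the hierarchy map and the u_kb_article child table are constructed sample data standing in for sys_dictionary and sys_db_object exports.

```javascript
// Added example: classify logged table.column references by dictionary type so
// you can tell which sanitizer property governs each one. Sample data below is
// CONSTRUCTED, not taken from an instance.

// Which property governs which field type, as described in the accepted solution.
const GOVERNING_PROPERTY = {
  html: "glide.html.sanitize_all_fields",
  translated_html: "com.glide.security.check_unsanitized_html",
};

// Constructed stand-in for a sys_dictionary export (name, element, internal_type).
const SAMPLE_DICTIONARY = [
  { name: "kb_knowledge", element: "text", internal_type: "translated_html" },
  { name: "kb_template_faq", element: "kb_question", internal_type: "html" },
  { name: "task", element: "description", internal_type: "string" },
];

// Constructed stand-in for sys_db_object super_class links: child -> parent.
// u_kb_article is a hypothetical custom table extending kb_knowledge.
const SAMPLE_HIERARCHY = { incident: "task", u_kb_article: "kb_knowledge" };

// Walk up the table hierarchy until a dictionary entry for the column is found;
// inherited columns are defined on the parent, not on the logged child table.
function lookupColumnType(table, column, dictionary, hierarchy) {
  const seen = new Set();
  for (let t = table; t && !seen.has(t); t = hierarchy[t]) {
    seen.add(t);
    const row = dictionary.find((r) => r.name === t && r.element === column);
    if (row) return row.internal_type;
  }
  return null; // column not defined anywhere in the chain
}

// Bucket each "table.column" reference from the discarded log by the property
// that controls its sanitization; non-HTML types and unresolvable columns are
// kept in separate buckets so nothing silently drops out of the report.
function classifyLoggedFields(refs, dictionary, hierarchy) {
  const result = { html: [], translated_html: [], other: [], unknown: [] };
  for (const ref of refs) {
    const [table, column] = ref.split(".");
    const type = lookupColumnType(table, column, dictionary, hierarchy);
    if (type === null) result.unknown.push(ref);
    else if (type in GOVERNING_PROPERTY) result[type].push(ref);
    else result.other.push(ref);
  }
  return result;
}
```

On a real instance the same logic runs as a background script with GlideRecord queries on sys_dictionary and sys_db_object in place of the constructed arrays.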

13 REPLIES

Sometimes if the property does not exist they default the system to, in this case, log_only. I'm not sure where it logs it to, however. Possibly in the Node Log File Browser.

Janel
Kilo Sage

There is a Docs page for this:

https://docs.servicenow.com/bundle/sandiego-platform-administration/page/administer/security/reference/check-unsanitized-html.html

The security hardening one does explicitly mention fields with the type of Translated HTML.  It sounds like that one is a secondary property to the regular HTML sanitizer.

This affected:

https://{{your_instnace}}.service-now.com/sys_dictionary_list.do?sysparm_query=internal_type%3Dtranslated_html&sysparm_view=

Regular Docs page:

https://docs.servicenow.com/bundle/sandiego-platform-administration/page/administer/security/concept/c_HTMLSanitizer.html


We're actually going through this right now.  I'll add another post here if I learn anything interesting about enabling the property.

Oh, and I forgot to mention the glide.translated_html.sanitize_all_fields property mentioned in Enable HTML sanitizer ... based on all my testing, it doesn't do anything. Doesn't matter if it's set to true or false, it looks like only com.glide.security.check_unsanitized_html determines if HTML Sanitization is applied to Translated HTML.

ServiceNow Tec2
Mega Sage
This has been resolved by ServiceNow Technical Support. Please refer to KB0750113 for more information.