Enforce client generated scripts sandbox [Updated in Securty Center 1.3]

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read

    • Use the glide.script.use.sandbox property to enable script sandboxing.

    Warning:
    This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.
    There are two cases in the ServiceNow AI Platform that enable the client to send scripts to the server for evaluation:
    Filters or queries
    It is legal to send a filter to the server such as assigned_to=JavaScript:getMyGroups().
    System API
    API call enables the client to run arbitrary scripts on the server and receive a response.
    If you enable the script sandbox, the script being evaluated at either of these two entry points runs in a sandbox with reduced rights, with the following characteristics:
    • Only those business rules marked Client callable are available within the sandbox.
    • Only script includes marked Sandbox enabled are available within the sandbox.
    • Certain API calls (largely, but not entirely, limited to ones dealing with direct DB access are not allowed.)
    • You can't insert, update, or delete data from within the sandbox. For example, any calls to current.update(), are ignored. If you run the ServiceNow AI Platform without enabling script sandboxing, none of these restrictions apply.
    Note:
    Beginning with the Xanadu release, script includes marked as Glide AJAX enabled (previously named Client callable) aren’t accessible within the sandbox. Only those marked Sandbox enabled are available within the sandbox. When upgrading to the Xanadu release from the Washington DC release or earlier, any script includes marked as Client callable are also marked as Sandbox enabled.

    More information

    Attribute Description
    Property name glide.script.use.sandbox
    Configuration type System Properties (/sys_properties_list.do)
    Category Validation, sanitization, and encoding
    Purpose Enforces validation for the client-side JavaScript queries that are launched against the platform
    Recommended value true
    Default value true
    Security risk rating 9.8
    Functional impact This remediation enforces validation for the client-side JavaScript queries that are launched against the ServiceNow AI Platform. There is a potential impact if customer has customizations that include hard-coded JavaScript queries to perform CRUD operations.
    Security risk (Critical) The ServiceNow AI Platform provides wide variety of features and functionality through JavaScript queries. However, without appropriate authorization and validation, there is a potential for an attacker to perform unauthorized operations against the platform.
    References Configuring Script sandbox property
    glide.script.use.sandbox belongs to the same family of properties that secure and restrict execution of scripts originating from the client:
    • glide.script.allow.ajaxevaluate: See Enable AJAXEvaluate.
    • glide.script.secure.ajaxgliderecord: See .

    To learn more about adding or creating a system property, see Add a system property.