XMLdoc/XMLUtil entity validation with allow list (instance security hardening)
Use the glide.xml.entity.whitelist.enabled property to enable validation of external entities, so that only entities on the inclusion list are processed.
- If you set this property to true, only inclusion-listed entities are processed (recommended setting).
- If you set this property to false, all external entities are processed.
Prerequisites
Before setting this property, define a comma-delimited list of FQDNs in the glide.xml.entity.whitelist property; these are the only URLs that XML entity processing can reach. To learn more, see XML external entity processing - allow list.
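The following is an added illustration of the policy these two properties describe, enforced in Python's standard-library SAX parser. It is not ServiceNow code and does not show how the platform implements the property. It assumes that the list is matched exactly and case-insensitively against the host of http(s) system identifiers, that non-http(s) schemes (file:, ftp:, jar:) are never on the list, and it substitutes a constructed offline fetcher for the network.

```python
# Added example (not ServiceNow code): an allow-list entity resolver for the
# stdlib SAX parser, modelled on glide.xml.entity.whitelist(.enabled).
# Assumptions: exact, case-insensitive FQDN match on http(s) system IDs;
# any other scheme is refused; fetch is injected so this runs offline.
import io
import xml.sax
from xml.sax import handler
from xml.sax.xmlreader import InputSource
from urllib.parse import urlsplit


def parse_allow_list(prop_value):
    """Turn a comma-delimited FQDN list (the allow-list property value) into a set of lower-case hosts."""
    return {h.strip().lower() for h in prop_value.split(",") if h.strip()}


def entity_allowed(system_id, allow_list, enabled=True):
    """Policy decision for one external entity.

    enabled=False mirrors the .enabled property set to false: every external
    entity is processed. With enabled=True only http(s) URLs whose host is on
    the list pass; file:, ftp:, jar: and similar never do.
    """
    if not enabled:
        return True
    parts = urlsplit(system_id)
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname drops the port and any user:password@ prefix, so the host
    # that would actually be contacted is the one compared with the list.
    return (parts.hostname or "").lower() in allow_list


class AllowListResolver(handler.EntityResolver):
    """SAX EntityResolver that refuses entities outside the allow list."""

    def __init__(self, allow_list, fetch, enabled=True):
        self.allow_list = allow_list
        self.fetch = fetch        # callable(url) -> bytes, injected for offline use
        self.enabled = enabled
        self.blocked = []         # refused system IDs, for logging or alerting

    def resolveEntity(self, publicId, systemId):
        if not entity_allowed(systemId, self.allow_list, self.enabled):
            self.blocked.append(systemId)
            raise xml.sax.SAXException("external entity not on allow list: " + systemId)
        src = InputSource(systemId)
        src.setByteStream(io.BytesIO(self.fetch(systemId)))
        return src


class TextCollector(handler.ContentHandler):
    """Collects character data so the expanded document can be inspected."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_with_allow_list(xml_text, prop_value, fetch, enabled=True):
    """Parse with external general entities enabled, guarded by the allow list.

    Returns {"ok": bool, "text": joined character data or None, "blocked": [...]}.
    """
    resolver = AllowListResolver(parse_allow_list(prop_value), fetch, enabled)
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)  # off by default in the stdlib
    parser.setEntityResolver(resolver)
    parser.setContentHandler(collector)
    try:
        parser.parse(io.StringIO(xml_text))
    except xml.sax.SAXException:
        return {"ok": False, "text": None, "blocked": resolver.blocked}
    return {"ok": True, "text": "".join(collector.chunks), "blocked": resolver.blocked}


# Constructed sample data: a fake remote standing in for the network.
ALLOWED_URL = "https://integration.example.com/status.txt"
CONSTRUCTED_REMOTE = {ALLOWED_URL: b"hello from allowed host"}


def constructed_fetch(url):
    return CONSTRUCTED_REMOTE[url]


def doc_with_entity(url):
    """Constructed document whose single element expands one external entity."""
    return ('<?xml version="1.0"?>\n'
            '<!DOCTYPE note [ <!ENTITY ext SYSTEM "%s"> ]>\n'
            '<note>&ext;</note>' % url)


if __name__ == "__main__":
    prop = "integration.example.com, reports.example.org"
    print(parse_with_allow_list(doc_with_entity(ALLOWED_URL), prop, constructed_fetch))
    print(parse_with_allow_list(doc_with_entity("http://internal.example/"), prop, constructed_fetch))
```

The resolver raises rather than silently substituting empty content, so a customization that references a host missing from the list fails loudly, which is the "might block further processing" behaviour the page describes; the `blocked` list is what you would feed to logging to find those customizations before turning the setting on.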
More information
| Attribute | Description |
|---|---|
| Property name | glide.xml.entity.whitelist.enabled |
| Configuration type | System Properties (/sys_properties_list.do) |
| Configure in Instance Security Center | Yes |
| Purpose | This remediation control must be enabled to defend against XXE attacks. |
| Recommended value | true |
| Functional Impact | If a customization uses an external entity that is not inclusion-listed in the glide.xml.entity.whitelist property, the ServiceNow AI Platform might block further processing. To learn more, see XML external entity processing - allow list. |
| Security risk | (High) An attacker can use the DTD to include arbitrary HTTP requests that the server might execute. This could lead to other attacks using the server's trust relationship with other entities. |
| Workaround | If you are not using external entity expansion, disable it. To learn more, see Disable entity expansion. |
To learn more about adding or creating a system property, see Add a system property.