Client generated scripts sandbox (instance security hardening)

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 1 minute to read

    • Use the glide.script.use.sandbox property to enable script sandboxing.

    There are two cases in the ServiceNow AI Platform that enable the client to send scripts to the server for evaluation:
    Filters or queries
    It is legal to send a filter to the server such as assigned_to=JavaScript:getMyGroups().
    System API
    API call enables the client to run arbitrary scripts on the server and receive a response.
    If you enable script sandboxing, the script being evaluated at either of these two entry points runs in a sandbox with reduced rights, with the following characteristics:
    • Only those business rules marked client callable are available within the sandbox.
    • Only script includes marked client callable are available within the sandbox.
    • Certain API calls (largely, but not entirely, limited to ones dealing with direct DB access are not allowed.
    • You can't insert, update, or delete data from within the sandbox. For example, any calls to current.update(), are ignored. If you run the ServiceNow AI Platform without enabling script sandboxing, none of these restrictions apply.

    More information

    Attribute Description
    Property name glide.script.use.sandbox
    Configuration type System Properties (/sys_properties_list.do)
    Configure in Instance Security Center Yes
    Purpose Enforces validation for the client-side JavaScript queries that are launched against the platform
    Recommended value true
    Functional ImpactThis remediation enforces validation for the client-side JavaScript queries that are launched against the ServiceNow AI Platform. There is a potential impact if customer has customizations that include hard-coded JavaScript queries to perform CRUD operations.
    Security risk (High) The ServiceNow AI Platform provides wide variety of features and functionality through JavaScript queries. However, without appropriate authorization and validation, there is a potential for an attacker to perform unauthorized operations against the platform.
    References Configuring Script sandbox property
    glide.script.use.sandbox belongs to the same family of properties that secure and restrict execution of scripts originating from the client:

    To learn more about adding or creating a system property, see Add a system property.