Configuring Script sandbox property

  • Release version: Washingtondc
  • Updated January 29, 2024

    Enable the script sandbox property (glide.script.use.sandbox) to run client-generated scripts inside a sandbox that has restricted rights.

    There are two cases within the system that allow the client to send scripts to the server for evaluation.
    • Filters and/or queries: The client can send the server a filter that contains a script, such as: assigned_to=javascript:getMyGroups().
    • System API: The API call AJAXEvaluate allows the client to run arbitrary scripts on the server and receive a response.
    If you enable the script sandbox property (glide.script.use.sandbox), the script being evaluated via either of these two entry points runs within a reduced rights sandbox with the following characteristics:
    • Only those business rules marked client callable are available within the sandbox.
    • Only script includes marked client callable are available within the sandbox.
    • Certain API calls (largely but not entirely limited to those dealing with direct DB access) are not allowed.
    • Data cannot be inserted, updated, or deleted from within the sandbox. Any calls to current.update(), for example, are ignored.
    Note:
    To learn more about this property, see Client generated scripts sandbox in Instance Security Hardening Settings.
    These methods are not allowed in client-generated scripts when script sandboxing is enabled.
    Table 1. Restricted methods
    Class Method
    GlideRecord
    • deleteMultiple()
    • deleteRecord()
    • getRowCount()
    • insert()
    • update()
    • updateMultiple()
    GlideSystem (gs)
    • addErrorMessage()
    • addInfoMessage()
    • addMessage()
    • eventQueue()
    • flushMessages()
    • getEscapedProperty()
    • getProperty()
    • log()
    • logError()
    • logWarning()
    • setProperty()
    • setRedirect()
    • setReturn()
    • workflowFlush()
    ScopedGlideRecord
    • deleteMultiple()
    • deleteRecord()
    • insert()
    • update()
    • updateMultiple()
    ScopedGlideSystem (gs)
    • addErrorMessage()
    • addInfoMessage()
    • debug()
    • eventQueue()
    • executeNow()
    • getProperty()
    • getSessionToken()
    • info()
    • setRedirect()
    GlideDate, GlideDateTime, GlideTime
    • add()
    • addDays()
    • addDaysLocalTime()
    • addDaysUTC()
    • addMonthsLocalTime()
    • addMonths()
    • addSeconds()
    • addWeeks()
    • addYears()
    • compareTo()
    • getByFormat()
    • getDate()
    • getDayOfWeek()
    • getDayOfWeekUTC()
    • getDayOfWeekLocalTime()
    • getDayOfMonth()
    • getDayOfMonthLocalTime()
    • getDayOfMonthNoTZ()
    • getHourOfDayLocalTime()
    • getHourOfDayUTC()
    • getDaysInMonth()
    • getDaysInMonthUTC()
    • getDaysInMonthLocalTime()
    • getDisplayValueInternal()
    • getDisplayValue()
    • getHourLocalTime()
    • getLocalDate()
    • getLocalTime()
    • getMinutesLocalTime()
    • getMinutesUTC()
    • getMonthLocalTime()
    • getMonthNoTZ()
    • getMonthUTC()
    • getNumericValue()
    • getSeconds()
    • getTime()
    • getTZOffset()
    • getValue()
    • getYear()
    • getUserTimeZone()
    • getWeekOfYearLocalTime()
    • getWeekOfYearUTC()
    • getYearUTC()
    • getYearLocalTime()
    • isDST()
    • onOrAfter()
    • onOrBefore()
    • setDayOfMonthUTC()
    • setDisplayValue()
    • setMonth()
    • setNumericValue()
    • setTZ()
    • setValue()
    • setValueUTC()
    • subtract()
    • toString()
    GlideSchedule
    • add()
    • isInSchedule()
    • Load()
    • whenNext()
    Note:
    The GlideSystem (gs) methods log(), logError(), and logWarning() can be enabled with script sandboxing by setting the glide.security.sandbox_no_logging system property to false.

    If you run the system without script sandboxing enabled, then none of these restrictions apply.
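
Before enabling the property it helps to know which client-callable scripts call methods from Table 1. The following is an added example, not ServiceNow code: a heuristic audit, in plain JavaScript, that pulls the javascript: expressions out of an encoded query and lists calls to the restricted GlideRecord and gs methods in a script body. The function names, the option name and the sample script include are assumptions made for the example; the date/time and GlideSchedule rows are not checked.

```javascript
// Added example, not ServiceNow code. Method names are copied from Table 1
// (GlideRecord/ScopedGlideRecord and gs/ScopedGlideSystem rows, merged).
const GS_RESTRICTED = new Set([
  'addErrorMessage', 'addInfoMessage', 'addMessage', 'debug', 'eventQueue',
  'executeNow', 'flushMessages', 'getEscapedProperty', 'getProperty',
  'getSessionToken', 'info', 'log', 'logError', 'logWarning', 'setProperty',
  'setRedirect', 'setReturn', 'workflowFlush',
]);
const RECORD_RESTRICTED = new Set([
  'deleteMultiple', 'deleteRecord', 'getRowCount', 'insert', 'update', 'updateMultiple',
]);
// Allowed again when glide.security.sandbox_no_logging is false (see the Note).
const LOGGING = new Set(['log', 'logError', 'logWarning']);

// Script part of each condition in an encoded query. Simplification:
// conditions are split on "^", so a script containing "^" is not handled.
function extractScripts(encodedQuery) {
  const marker = 'javascript:';
  return encodedQuery.split('^')
    .filter((term) => term.includes(marker))
    .map((term) => term.slice(term.indexOf(marker) + marker.length).trim());
}

// Restricted calls in a script body. Receiver types are not resolved, so a
// write-method call on any non-gs receiver is a candidate for manual review.
function findRestrictedCalls(source, { loggingAllowed = false } = {}) {
  // One pass: blank out comments and string literals so names inside them do not match.
  const code = source.replace(
    /\/\*[\s\S]*?\*\/|\/\/.*$|'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"/gm, ' ');
  const hits = [];
  for (const m of code.matchAll(/(?:\b(\w+)\s*)?\.\s*(\w+)\s*\(/g)) {
    const [, receiver, method] = m;
    if (receiver === 'gs') {
      const allowed = loggingAllowed && LOGGING.has(method);
      if (GS_RESTRICTED.has(method) && !allowed) hits.push(`gs.${method}`);
    } else if (RECORD_RESTRICTED.has(method)) {
      hits.push(`${receiver || '<expr>'}.${method}`);
    }
  }
  return hits;
}

// Constructed sample: body of a hypothetical client-callable script include.
const SAMPLE = `
function getMyGroups() {
  var gr = new GlideRecord('sys_user_grmember');
  gr.addQuery('user', gs.getUserID());
  gr.query();
  gs.log('rows: ' + gr.getRowCount()); // gs.setProperty() in a comment is skipped
  var hint = "gr.insert() inside a string is skipped";
  gr.update();
}`;
console.log(extractScripts('active=true^assigned_to=javascript:getMyGroups()'), findRestrictedCalls(SAMPLE));
```

Each hit is a call that the sandbox blocks or, for writes such as update(), ignores, so the script include needs review before the property is switched on.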

    Note:
    This property is activated by default when you activate the High Security Settings plugin. Do not activate this property outside of the plugin.
    Table 2.
    Property: Run client generated scripts (AJAXEvaluate and query conditions) inside a reduced rights "sandbox." If enabled, only those business rules and script includes with the Client callable check box set to true are available and certain back-end API calls are disallowed.
    Default: Enabled (sandbox in use).